GymAtomic GDPR Data Security Statement
GymAtomic takes data protection and people’s privacy very seriously, and we are committed to our clients’ data security and to complying with GDPR data protection laws.
The General Data Protection Regulation (GDPR) creates consistent data protection rules across the EU. The GDPR became effective on 25th May 2018 and applies to companies based in the EU, as well as companies around the world that provide or offer goods or services to, or process data from or about, people in the EU.
Preparations have been underway since March 2017 to ensure that our services comply with GDPR and to give you the peace of mind that your client data is safe and secure.
We are committed to transparency, control and accountability.
- Transparency: Our Data Sharing Agreement and data privacy policies will remain the single consolidated place that maps out the ways in which we process client personal data in accordance with GDPR legislation.
- Control: We undertake Privacy Impact Assessments (PIA) for each of our processing operations on a regular basis and provide in-depth data security training to all GymAtomic employees. Service providers are required to sign our Data Sharing Agreement and are subject to regular spot checks to ensure GDPR compliance.
- Accountability: We undertake quarterly risk assessments and are audited each year by the British Assessment Bureau, which includes updating our existing compliance programme to ensure that we are adequately documenting our GDPR reviews and compliance procedures. We are also registered with the ICO, the UK's GDPR regulator.
In practical terms, we have implemented the following:
Data Transfer and Storage
- All personal customer data transferred between ourselves and our clients or service providers is sent through ShareFile. ShareFile encrypts all data in transit and at rest. They use servers within the EU and are members of the US-EU Data Shield Agreement.
- Internally, all client personal data is stored within an access-restricted and encrypted environment. All personal computers that require access to personal data to fulfil client processing are
- Client personal data is only shared with service providers once they have signed our Data Sharing Agreement and are happy for us to undertake spot checks on their data procedures to satisfy us that they have adequate GDPR-compliant processes.
- All client personal data is systematically destroyed within 30 days following processing completion and recorded in the data transfer deletion log.
- All GymAtomic employees receive data security training and regular GDPR updates to ensure a good working knowledge of data risks and compliance procedures.
- No personal data may be transferred internally via email or memory stick.
- Any hard copies of personal data are securely shredded by a registered document shredding service.
- Auto screen saver locks and forced password changes are in place on all computers.
What this means for business
You can continue to use GymAtomic as your supplier in the same way you do today, safe in the knowledge that we are committed to compliance with the laws that apply to data privacy and GDPR legislation.