GDPR & Data Protection

GDPR Compliance


The General Data Protection Regulation 2016 (‘GDPR’) was brought into UK law as part of the Data Protection Act 2018 and became effective on 25th May 2018.  The purpose of the GDPR is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge and, wherever possible, that it is processed with their consent.

The GDPR applies to the processing of personal data wholly or partly by automated means (i.e. by computer) AND to the processing other than by automated means of personal data (i.e. paper records) that form part of a filing system or are intended to form part of a filing system.

Our Commitment

We are committed to compliance with all United Kingdom and relevant EU and Member State laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR).  Ongoing compliance is embedded into the fabric of our organisation.

Our Current Position

The Safeguarding Company is registered with the UK Information Commissioner’s Office both as a Data Processor for our customers’ data and as a Data Controller for our own company’s data.

We have already been awarded two specific accreditations for information management, the first of which is ISO27001:2013, the latest version of this internationally recognised information security standard. ISO27001 requires us to comply with 114 individual controls covering every aspect of information management and security.

We also hold the UK Government’s ‘Cyber Essentials Plus’ certification, against which we are independently audited on an annual basis.  Part of this audit involves external penetration testing of our own network and systems to prove that data is held securely.

As a result of our own assessment and the independent inspections that we have undergone we are confident that our systems and operations are fully compliant with current Data Protection Act legislation and that we are already compliant with the GDPR.

How we ensured compliance

To ensure that we are fully GDPR compliant well in advance of the ‘go live’ date of 25th May 2018 we undertook a comprehensive, structured programme of work including:

  • A GDPR gap analysis on all of our policies, procedures, work instructions and records;
  • A formal review of how GDPR impacts on all of our products and services;
  • Implementation of a GDPR Compliance Framework;
  • An assessment of the potential impact of GDPR on our customers;
  • Gaining confirmation from our suppliers regarding their commitment to GDPR;
  • Review of our processes, procedures and contracts by a qualified solicitor with expertise in data protection legislation;
  • A training and development programme for every member of our team.

Need more information?

Our Senior Information Risk Officer (SIRO) is Darryl Morton, our Chief Technology Officer. Darryl has Board-level responsibility for all of our security and data protection arrangements. He is supported by a full-time Systems Administrator and Data Protection Officer who has direct responsibility for ensuring that we comply with the GDPR.

For further information please contact us at

Data Protection


The Data Protection Officer for The Safeguarding Company (TSC) is Steve Gibson, an independent data protection and information security specialist.

You can contact our data protection officer directly by email at

Our privacy notice is available on this website at


Data subjects are able to complain to TSC about:

  • how their personal data has been processed
  • how their request for access to data has been handled
  • how their complaint has been handled
  • how to appeal against any decision made following a complaint

All complaints should be directed to our Data Protection Officer at

If the complaint is against a decision made by our Data Protection Officer it will be forwarded to our Director of Safeguarding Services to independently investigate the complaint.

Complaints are to be resolved within one month.

Appeals on the handling of complaints are to be resolved within one month.

If TSC fails to act on a data subject’s access request within the appropriate timeframe, or refuses the request, TSC will set out in clear and plain language the reasons why it took no action/refused the request.

Data subjects also have the right to complain directly to the Information Commissioner’s Office (ICO). The ICO’s website is at The ICO can be contacted by phone, email, live chat and by post. The postal address of the ICO is:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

For general contact with the ICO, please use

Data subjects also have the right to seek judicial remedy.