Privacy of individual visitor data is very important to The Waterdale Group. Waterdale works very hard to protect confidentiality and restrict the use of such data to necessary business activity.

Waterdale Statement: General Data Protection Regulation (GDPR)

The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will impact every organisation which holds or processes personal data relating to an EU citizen (including UK citizens). It will introduce new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially increased penalties than the current Data Protection Act (DPA) which it will supersede.

Waterdale is already committed to high standards of data security. However, over recent months Waterdale, as both a Data Controller and a Data Processor, has been working towards GDPR compliance to strengthen existing privacy policy. Our team of experienced business consultants and technical specialists will also help to support customers in meeting their obligations through the provision of our expert services and value-add solutions.

The Waterdale organisation, including CPiO Limited and eSpida Limited, has a Privacy First Strategy that has been rolled out across the organisation and to its wider ecosystem of customers, suppliers and other stakeholders. This extends the existing security and business continuity management systems we employ in our organisation. Waterdale has also reviewed its provision of hosted solutions to build an even stronger platform for its customers.

The Privacy First Strategy recognises that compliance is a shared responsibility and all organisations and employees will need to adapt and continuously review its business processes and data management practices.

Waterdale has appointed a Privacy First Steering Committee that will oversee the introduction, education, monitoring and reporting of compliance including the use of sub-contractors and third party organisations.

The Privacy First Strategy involves:

  • A comprehensive and demonstrable education programme regarding not only the fundamental changes to data protection law, but the wider context of protecting both personal and company-confidential information.
  • A stipulation that internal product and service development requires a Waterdale Privacy Impact Assessment prior to launch in order to anticipate and minimise privacy risk.
  • Instant management policy to provide fast, accurate and auditable reporting of incidents.
  • A comprehensive update of Waterdale policy to cover topics such as consent, privacy notices, processing of records, privacy impact assessments and third party sharing of data.
  • A comprehensive and demonstrable education programme to help all employees recognise and respond to subject access requests, checking identity, data portability both within the EU and outside of the EU and erasure of data records.

Waterdale customers

Customers should contact their Waterdale Account Manager to discuss how we can help to work towards GDPR compliance including the provision of additional application functionality, technical solution and services. We have developed a range of tools and services to help our customers to more effectively audit and secure their data.

Our promise to you

We will not sell your data to any third parties, but we may sometimes share your information with our subsidiaries, with trusted service providers and selected partners who work with us to service your organisation. We ensure that any third parties with access to your data are held to strict standards for data use and security.

Waterdale as a Data Controller and Data Processor is:

  • Waterdale Associates (registered 2488682);
  • CPiO Limited (registered 2488682);
  • eSpida Limited (registered 4021203);

We aren’t required to appoint a DPO under the GDPR but we have decided to do so voluntarily. We understand that the same duties and responsibilities apply had we been required to appoint a DPO. We support our DPO to the same standards.

Waterdale Associates collects information in a number of different ways for legitimate business purposes. For example, we hold information on data subjects within organisations where we can demonstrate a legitimate business interest. This information will include: name, business address, business email, business telephone contact information.

Waterdale’s Privacy First Strategy is compliant with the General Data Protection Regulation and the impending UK derogation and works to the principles of respect, responsibility and consent. The four legal grounds that are most relevant to Waterdale’s use of your personal information are:

  1. Consent
  2. Legitimate or vital interest
  3. Contract
  4. Legal Obligation

Waterdale will always ask for your consent before we communicate with you and we will explain why we would like to stay in touch. You can withdraw your consent at any time by phoning 0344 880 6140 or emailing [email protected]

We ask for your consent to contact you on the grounds of either legitimate interest; in the obligations of a contract or the service of a contract with Waterdale; legal or fiscal obligation.

This legal ground for processing means that organisations can process your personal information if they 1. They have a genuine and legitimate reason for doing so and 2. That use does not harm any of your rights and interests as an individual.

We have categorised legitimate interest as:

  1. Demonstrated an interest in the provision of software or software services
  2. Demonstrated an interest in Waterdale’s products and services
  3. Demonstrated an interest in employment or contracting with Waterdale.

If you have given us your consent, we will contact you with information and updates on our work, services and products such as Sage software, complementary solutions and infrastructure products and information relating to how we service your account such as support hotline. Where we have a contract and/or service obligation categorised under “legitimate interest” we will continue to communicate with you. This may be by post, email or telephone depending on your preferences. We will also continue to ask about your marketing preferences, to ensure that you are still happy to be contacted by us and by which means.

In extreme situations, such as an accident or medical emergency, we may share your personal details with the emergency services if it is essential for the preservation of life (yours or another persons’) for us to do so. This is the ‘vital interest’ ground for using your personal information. After the emergency, we will always try to inform you about how we had to use your information in that extreme situation.

We will not unduly prioritise our interests as a commercial business over your interests as an individual. We will always balance our interests with your rights. We will only use personal information in a way and for a purpose that you would reasonably expect in accordance with this Policy.

No personal information will be kept in perpetuity and we aim to be clear about what information we collect, to enable you to make meaningful choices about how it is used. It is always your choice. If you don’t think this is quite right for you, you can tell us to change your communication preferences and our use of your information. You can do this at any time by phoning 0344 880 6140 or emailing [email protected]

To help us communicate the work we are doing and provide these services we use trusted service providers including software authors, independent contractors and marketing agencies. We require all service providers to comply with strict rules to protect the information you have given us.

From time to time we may contact you to ensure that the information you have provided us with remains accurate and up to date. In some circumstances we may use external data lists to avoid misdirecting our communications with you, this includes FPS and TPS.

Like all organisations, we comply with requests for the disclosure of personal information where this is required or permitted by law. This could include requests from law enforcement or tax agencies. In these circumstances, the request must be specific and submitted in person and in accordance with the relevant legal requirements. Waterdale will require proof of identity before making any such disclosure.

If you believe your privacy rights have been violated, you may file a complaint with us or with the Information Commissioners office