GDPR Compliance

Last updated: 2025

At GPTUK, we're committed to ensuring full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines our approach to data protection and our compliance measures.

1. Our Commitment to Data Protection

We have built our platform with privacy and data protection as core principles. Our commitment includes:

• Processing personal data lawfully, fairly, and transparently
• Collecting and processing data only for specified, explicit, and legitimate purposes
• Minimising data collection to what is necessary for our stated purposes
• Ensuring data accuracy and keeping it up to date
• Storing data only for as long as necessary
• Maintaining appropriate security to protect against unauthorised processing, loss, or damage

2. UK Data Sovereignty

A key aspect of our GDPR compliance is our commitment to UK data sovereignty:

• All data is processed, stored, and transmitted exclusively within UK data centres
• We do not transfer personal data outside the UK unless explicitly required and permitted by law
• When international transfers are necessary, we implement appropriate safeguards as required by the UK GDPR
• Our infrastructure is designed to maintain territorial data boundaries

3. Legal Basis for Processing

Under the UK GDPR, we ensure that all personal data processing has a lawful basis, including:

• Contract: Processing necessary for the performance of our contract with you
• Legitimate Interests: Processing necessary for our legitimate interests, such as improving our services or preventing fraud
• Consent: Processing based on your explicit consent, which you can withdraw at any time
• Legal Obligation: Processing necessary to comply with our legal obligations

4. Data Subject Rights

We respect and facilitate your rights under the UK GDPR, including:

• The right to be informed about how we use your personal data
• The right to access your personal data
• The right to rectification of inaccurate data
• The right to erasure ('right to be forgotten')
• The right to restrict processing
• The right to data portability
• The right to object to processing
• Rights related to automated decision making and profiling

To exercise any of these rights, please contact our Data Protection Officer using the details provided below.

5. Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments whenever we implement new technologies or processing activities that may pose high risks to individuals' privacy. These assessments help us identify and minimise data protection risks.

6. Data Breach Procedures

We have robust procedures in place to detect, report, and investigate personal data breaches. In the event of a breach that may affect your rights and freedoms, we will notify the Information Commissioner's Office (ICO) and the affected individuals in accordance with UK GDPR requirements.

7. Data Protection Officer

We have appointed a Data Protection Officer who is responsible for overseeing our data protection strategy and implementation. Our DPO ensures that we meet our GDPR obligations and acts as a point of contact for data subjects and supervisory authorities.

8. Staff Training

All our staff receive regular training on data protection principles and practices. This ensures that everyone in our organisation understands their responsibilities when handling personal data.

9. Technical and Organisational Measures

We implement appropriate technical and organisational measures to ensure the security of personal data, including:

• Encryption of personal data
• Regular testing and evaluation of security measures
• Access controls and authentication procedures
• Data backup and recovery protocols
• Regular security audits

10. Contact Information

If you have any questions about our GDPR compliance or wish to exercise your data protection rights, please contact our Data Protection Officer at:

Back to Home