MBA Group is GDPR Ready

With the implementation of the GDPR just around the corner, we are pleased to announce that MBA Group is ready and compliant with all its key elements.


The below is an extract from our compliance team’s official GDPR Statement. It goes further than simply stating how we are compliant – it outlines our continued commitment to our clients.


MBA Group GDPR Statement

The EU General Data Protection Regulation (GDPR) comes into force on the 25th May 2018 and replaces the 1995 EU Data Protection Directive.


The GDPR strengthens the rights that individuals have regarding their personal data and seeks to unify data protection laws across Europe, regardless of where that data is processed.


We are committed to helping our clients with their GDPR compliance journey by providing robust privacy and security protections which have been built into our services and contracts over the years.


It is important to remember that the GDPR is only a part of the overall data protection framework. The Government has confirmed its plans to introduce a Data Protection Bill into Parliament. This should become law in 2018 replacing the current Data Protection Act.


It will:


  • Set out derogations from the GDPR (i.e. areas where Member States can decide provisions, such as around some exemptions);
  • Contain other national implementing measures, such as the ICO’s powers (see below);
  • Implement the Law Enforcement Directive, which covers processing by competent authorities such as police forces for law enforcement purposes;
  • Cover those areas of data processing that are not covered by either GDPR or the Directive and are outside the scope of EU law, so that there will be no gaps in the UK’s data protection regime.

Any legislation introduced into Parliament is open to change, so once the ICO (the UK's independent body set up to uphold information rights and the UK’s GDPR Supervisory Authority) have a clearer idea of its final form, they will develop the structure and the content of the guidance they provide.


The ICO aims to provide a suite of data protection guidance that is as comprehensive as possible by May 2018 (see below).


Where Does the Responsibility for Data Protection Reside?


Our Clients will typically act as the “Data Controller” for any personal data sent to MBA. The Data Controller determines the purposes and means of processing personal data, while the “Data Processor” processes data on behalf of the Data Controller. MBA is a Data Processor and may be asked to process personal data, store personal data or generate email alerts on behalf of the Data Controller.


Data Controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Data Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling the rights of “Data Subjects” with respect to their data.


Guidance related to the role of Data Controller under GDPR is available on the ICO website at:


Data Controllers should also seek independent legal advice relating to their status and obligations under the GDPR, specifically tailored to their situation.


Where to Start?


Current and prospective clients, as Data Controllers, should:


  • Familiarise themselves with the provisions of the GDPR, particularly how they may differ from their current data protection obligations
  • Create an updated inventory of personal data that they handle
  • Review their current controls, policies, and processes to assess whether they meet the requirements of the GDPR and build a plan to address any gaps
  • Understand their legal basis or legitimate interest for processing and where consent may be relevant
  • Monitor updated regulatory guidance as it becomes available and consult a lawyer to obtain legal advice specifically applicable to their business circumstances

MBA’s Commitments to the GDPR


Among other things, Data Controllers are required to only use Data Processors that provide sufficient assurances to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR.

According to the GDPR, the Data Controller and the Data Processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.


At MBA we have the expert knowledge, demonstrable experience and resources to fulfil our obligations as Data Processors – an obligation we have always undertaken in compliance with Principle 7 of the Data Protection Act.


Data Protection Commitments


MBA Group Ltd is certified to ISO 27001 – the internationally recognised Information Security Management System standard – further endorsing our commitment to protecting the information assets of the Company and its Clients.


Processing According to Instructions


Any data supplied by a Client, will only be processed in accordance with the Client’s written instructions.


Privacy by Default and Privacy by Design


MBA has always been fully committed to providing a secure environment for personal data and the ‘Privacy by Default’ obligation that requires the implementation of appropriate technical and organisation measures to be in place for all personal data, remains our highest priority.


Privacy Impact Assessments have been undertaken for key data flows and controls are in place for risks identified through our ISO 27001 Risk Assessment and Risk Treatment Plan. Privacy Impact Assessments are reviewed when any major changes occur, or new technology is implemented or provided as part of a service offering.


Personnel Confidentiality Commitments


All MBA employees are required to sign a confidentiality agreement, data protection agreement and sign acceptance of our Information Security guidelines, which specifically addresses responsibilities and expected behaviour with respect to the protection of information.


Data Deletion or Return


When MBA receives a written instruction from a Client to either return or delete data, data will be deleted securely from all our systems, unless overriding retention obligations apply.


Assistance to our Clients


Data Subject’s Rights


MBA will fulfil its obligations in assisting our Clients to respond to Subject Access Requests from Data Subjects in accordance with exercising their rights under the GDPR.


Incident Notifications


MBA will promptly inform our Clients of any incident involving their data as it becomes known, in-line with the requirements of the GDPR.


Audit Rights


Under the GDPR, audit rights must be granted to Data Controllers in their contracts with Data Processors. We expect the updated data processing contracts we receive before the GDPR comes into force, will include audit rights for our Clients and we are happy to enable our Clients to exercise their rights to audit with agreed durations for annual compliance surveillance audits.


Data Protection Officer


In-line with GDPR, MBA has appointed a dedicated Data Protection Officer:


Elaine Harris

Chief Compliance & Data Protection Officer

Tel No. 020 8376 4300



We hope all of the above provides you with a good level of insight in terms of MBA’s readiness for GDPR and our continued commitment to our many Clients, but if you have any questions, please use the contact form below.