Q&A – GDPR Compliance - ITM
Q&A – GDPR Compliance

Q&A – GDPR Compliance

May 24, 2018

GDPR has finally arrived. Are ITM ready?

We have been working hard over the last two years to ensure our already strong approach to data security aligns with the new General Data Protection Regulation (GDPR).  Although we are pleased that we are now fully GDPR compliant, the road doesn’t end there.  We will regularly being review our processes, procedures and security measures to ensure that we continually improve and develop.

What has ITM done to prepare for GDPR?

To prepare for the GDPR, ITM established a working party with representatives from all our business units. The aim of the working party has been to ensure we fully understand the implications of GDPR for both ourselves and our customers. Given the nature of ITM’s business the security of client’s data is a priority.


The working party have travelled a long and winding road completing tasks such as data mapping, updating and issuing appropriate communications, considering how to deal with data subjects’ rights, updating data breach procedures, determining lawful bases for processing data and updating contracts.  We have had to think about both client data and our own internal data such as HR data in respect of employees.

What did the data mapping exercise involve?

As a data business we hold large amounts of data. Mapping the data we hold and documenting it has therefore been an important job and essential to give us a full understanding of the data that we process.  We have reviewed all the data we hold, considering exactly what data we require, how long we need to keep each data item, who we share it with and, where we are the data controller, the lawful basis for holding the data.  We have recorded all this information in our Record of Processing Activities and associated data retention schedules.


Part of this exercise has included carrying out due diligence on all our suppliers to ensure we are satisfied that they are holding our data securely. We have also completed questionnaires from our customers providing assurance that we are holding their data securely and in line with the requirements under GDPR.

What have been the legal implications?

GDPR requires specific clauses to be included in data processing agreements. A big part of the project has therefore been updating contracts with both our clients and suppliers to ensure these meet the new requirements under GDPR.

What security measures are in place to keep data safe?

ITM have an established information security management framework which is audited and complemented by the achievement of ISO27001 and Cyber Essentials Plus.   Several technical and physical controls have been implemented and are maintained to ensure the ongoing confidentiality, integrity and availability of all data stored and processed and resilience of processing systems and services.


ITM are satisfied that our technical and organisational security measures meet the relevant requirements of the GDPR.

Have you appointed a Data Protection Officer?

Yes.  ITM’s business is all about data and we consider it essential that we have a Data Protection Officer. Should you have any questions on ITM’s approach to data protection or specific queries on the security of your data please contact either our Data Protection Officer (by email at DPO@itm.co.uk) or your usual contact.

Do you know any GDPR jokes?

  • Do you know a good GDPR consultant?
  • Yes
  • Can you give me his contact details?
  • No


PDP confirms Altus and ITM as first Alpha participants in next Pensions Dashboards development stage PDP confirms Altus and ITM as first Alpha participants in next Pensions Dashboards development stage Apr 25, 2022 Pensions data and platform technology specialist ITM and financial services software specialist Altus have been confirmed as the first Alpha...
ITM and Altus join forces in first ground-breaking Pensions Dashboards connection ITM and Altus join forces in first ground-breaking Pensions Dashboards connection Nov 23, 2021 Today Altus and ITM announced they're joining forces to become the industry’s first commercial ISP. The two independent technology leaders...
Thank you! Your subscription has been confirmed. You'll hear from us soon.