
Updated Data Protection & Security Statement (2026‑Compliant)

Your Data Security

Your data is protected through multiple secure systems and platforms. We safeguard your information using:

  • Enterprise‑grade Dell systems

  • Remote Desktop Services

  • Microsoft Intune for device compliance and enforcement

  • Windows Server & Active Directory

  • Microsoft Defender

  • BitLocker drive encryption

Together these provide the device-level technical measures (managed and compliance-checked devices, endpoint protection, and full-disk encryption of data at rest) expected under the UK GDPR's "security of processing" requirements (Article 32).
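The controls listed above can be verified on an individual device rather than taken on trust. The following read-only spot-check is an added example written for this page; it is not a script from Taylor Organisation Ltd or from Microsoft. It assumes a Windows 10/11 device with the BitLocker PowerShell module, an elevated session (the BitLocker and TPM cmdlets require administrator rights), and a Defender signature-age threshold of three days, which is an assumed value, not the organisation's policy.

```powershell
# Added example (not part of the statement): read-only compliance spot-check for
# BitLocker, TPM, Microsoft Defender and Intune/MDM enrolment on one Windows device.
# Run in an elevated PowerShell session. Threshold values are assumptions.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()

# 1. BitLocker: the OS volume must be fully encrypted with protection switched on.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVolume.ProtectionStatus -ne 'On' -or $osVolume.VolumeStatus -ne 'FullyEncrypted') {
    $findings.Add("BitLocker: $($osVolume.MountPoint) is $($osVolume.VolumeStatus), protection $($osVolume.ProtectionStatus)")
}
# A TPM-based key protector (Tpm, TpmPin, TpmPinStartupKey, ...) ties the volume key to the hardware.
if (-not ($osVolume.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')) {
    $findings.Add('BitLocker: no TPM-based key protector on the OS volume')
}

# 2. TPM: the hardware root of trust BitLocker relies on should be present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings.Add('TPM: not present or not ready')
}

# 3. Microsoft Defender: real-time protection, tamper protection and recent signatures.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender: real-time protection disabled') }
if (-not $mp.IsTamperProtected)       { $findings.Add('Defender: tamper protection disabled') }
$maxSignatureAgeDays = 3   # assumed threshold for this example
if ($mp.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings.Add("Defender: signatures are $($mp.AntivirusSignatureAge) days old")
}

# 4. Intune / MDM enrolment: dsregcmd reports an MdmUrl only when the device is MDM-enrolled.
$dsreg = dsregcmd /status
if (-not ($dsreg | Select-String -Pattern 'MdmUrl\s*:\s*https://' -Quiet)) {
    $findings.Add('MDM: device does not report an Intune/MDM enrolment URL')
}

# Report: exit code 1 on any finding so the script can be used from a scheduled task.
if ($findings.Count -eq 0) {
    Write-Output 'PASS: BitLocker, TPM, Defender and MDM enrolment checks all satisfied'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

The script only reads state; it changes nothing. Intune's own compliance policies enforce these settings centrally, so a FAIL here on a managed device usually means the device has not yet checked in or the policy does not target it.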

Introduction

The EU GDPR has applied since 25 May 2018, and after Brexit it continues to apply in the UK as the UK GDPR, alongside the Data Protection Act 2018.
Major updates took effect in 2026 under the Data (Use and Access) Act 2025 (DUAA), which amends the UK GDPR, the Data Protection Act 2018 and PECR to update UK data-protection practice.

Our Commitment to Compliance

Taylor Organisation Ltd is committed to protecting all personal information we process.
We continuously review our policies in line with the UK GDPR and the new obligations set out under the DUAA reforms (active from 5 February 2026). 

Our data‑processing partners and affiliates follow the same standards.

Security Measures

Secure Hosting

Our servers are hosted through ABC Cloud in OVH Cloud data centres. OVH Cloud is one of Europe's largest hosting providers, and its data centres operate under the certified security and resilience standards listed below.

Server Performance & Redundancy

  • Hosted in Tier 4 data-centres (the Uptime Institute's fault-tolerant tier: fully redundant power, cooling and network paths)

  • RAID-based, high-performance storage, so that a single disk failure causes neither data loss nor downtime

Data Security Certifications

The data centres operate under:

  • ISO/IEC 27001 (information security management)

  • ISO/IEC 27017 (security controls specific to cloud services)

  • ISO/IEC 27018 (protection of personally identifiable information in public clouds)

  • ISO/IEC 27701 (privacy information management)

These remain the recognised best-practice standards for UK organisations and are fully compatible with obligations under UK GDPR and DUAA.
Note that these certifications cover the data-centre operator's physical and infrastructure controls; the security of our own systems and applications running on that infrastructure is addressed by the measures described elsewhere in this statement.

Cyber‑Security Protection

  • Network firewalls

  • Anti-DDoS mitigation at the data-centre edge

  • 24/7 physical security

  • Fire suppression

  • UPS backup power

  • Cooling redundancy

Data Backups & Disaster Recovery

  • Encrypted daily server & file‑level backups

  • Backups retained for 14 days

  • Backup copies stored on two off‑site servers

  • Full server replication every 30 seconds to a secondary data centre

Replication protects against loss of the primary site; because it copies changes within seconds, it also copies any deletion or corruption, so the 14-day retained backups are the recovery path for those cases. Together these measures support the "security of processing" obligations (UK GDPR Article 32) under the updated UK GDPR and DUAA framework.

High Availability

We target 99.9% uptime (at most about 8.8 hours of unplanned downtime per year), excluding scheduled maintenance.
Our hosting infrastructure is continuously monitored to ensure fast detection and resolution of issues.

How We Meet 2026 UK GDPR + DUAA Requirements

Below are our updated compliance areas, including the newly introduced DUAA obligations (effective 5 February 2026):

1. Updated Lawful Basis Under DUAA

The DUAA introduced a new lawful basis, "recognised legitimate interests" (UK GDPR Article 6(1)(ea)).
For the purposes listed in the Act, such as safeguarding vulnerable individuals, preventing or detecting crime, responding to emergencies and certain disclosures to public bodies, the controller no longer has to carry out the legitimate-interests balancing test. Processing to ensure the security of our networks and information systems is not on that list: the amended UK GDPR names it as an example of an ordinary legitimate interest, so it still requires the balancing test.

We have updated our internal Records of Processing Activities (ROPAs) and privacy notices accordingly.

2. Automated Decision‑Making (ADM)

The DUAA reforms change ADM rules from prohibition-based to permissive with safeguards: solely automated decisions with legal or similarly significant effects are now generally permitted (the stricter restriction is retained for decisions based on special-category data), provided:

  • Individuals can challenge decisions

  • Human intervention is available

  • Clear explanations are provided

Although we do not currently use automated decision-making for core operations, we have updated our processes to reflect these safeguards.

3. Subject Access Requests (SARs)

The DUAA clarifies that SAR searches must be reasonable and proportionate, reducing burdens on organisations.

Our SAR handling procedures have been updated accordingly.

4. New “Right to Complain to Controller First”

Individuals have a direct right to complain to us about our processing of their personal data before escalating to the regulator (the Information Commissioner's Office, which the DUAA restructures as the Information Commission). We must acknowledge such a complaint within 30 days of receipt and respond without undue delay.

We have implemented this complaints procedure in line with the June 2026 commencement schedule.

5. Children’s Data Protection Updates

Where services could involve children, we now account for “children’s higher protection matters,” as required under DUAA (e.g., age‑appropriate design, enhanced risk assessments).

6. Updated Cookie & Tracking Rules

The DUAA raises the maximum PECR fine to the UK GDPR level (the higher of £17.5m or 4% of global annual turnover).
It also permits certain low-risk cookies, such as those used solely for statistical analytics or to remember user preferences, to be set without prior consent, provided users are given clear information and a simple way to object.

We have amended our cookie notice accordingly.

7. Data Protection Policies & Procedures

We have fully updated the following documents to incorporate DUAA updates:

✔ Data Protection Policy

Updated for DUAA’s new lawful basis, new ADM rules, and complaints-handling duties.

✔ Data Retention & Erasure Policy

Updated to reflect relevance, minimisation, and new SAR proportionality rules.

✔ Data Breach Procedures

Aligned with current ICO expectations, DUAA amendments, and stricter enforcement powers.

✔ International Data Transfers

Updated to follow DUAA’s new “data protection test” for assessing transfer safeguards.

✔ Privacy Notices

Revised to include new rights, new lawful bases, and updated transparency requirements.

✔ Consent & Marketing Notices

Updated for clarity, explicit opt‑in rules, and DUAA-compliant explanations.

✔ DPIAs (High‑Risk Processing)

Updated methodology now includes DUAA requirements and strengthened children’s protections.

✔ Third‑Party Processor Agreements

Revised to ensure all suppliers meet the new UK regulatory requirements.

Data Subject Rights (Updated for DUAA)

Individuals may request:

  • Access to their personal data

  • Explanation of purposes

  • Storage periods

  • Recipients of data

  • Correction/Completion of inaccurate data

  • Erasure (where permitted)

  • Restriction of processing

  • Objection to direct marketing

  • Explanation and human review of automated decisions

  • The new right to lodge a complaint directly with us

Information Security & Organisational Measures

We maintain robust policies to protect personal information from:

  • Unauthorised access

  • Alteration

  • Disclosure

  • Accidental loss, destruction or damage

These measures reflect updated UK GDPR and DUAA security expectations.

GDPR Roles & Responsibilities

Taylor Organisation Ltd has a designated Data Protection Officer (DPO).
We continue to train staff so that GDPR and DUAA compliance is maintained and understood at all levels.

If you have questions, contact:
📧 compliance@taylororganisation.org
