The EU General Data Protection Regulation (“GDPR”) is a comprehensive data protection regulation that came into force across the European Union on May 25, 2018, updating the myriad national data protection laws currently in place with a cohesive set of rules which are directly enforceable by each EU member state. 

Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age. 

Who Does this Notice Apply To?

This notice applies to all EU “Data Subjects” as defined in the GDPR who may access our website or communicate with our company as a customer or prospective customer.  This also applies to any prospective employee Data Subjects. 

Our Commitment

Woodruff-Sawyer (‘we’ or ‘us’ or ‘our’) is committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection.  

Our continued compliance with GDPR to protect the personal data of EU data subjects includes: 

  • Information Audit– carrying out a company-wide information audit to identify and assess what personal information of data subjects we hold, where it comes from, how and why it is processed and if and to whom it is disclosed. 
  • Policies & Procedures– implementing data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including: 
  • Data Protection– a policy for data protection including focus on privacy by design and the rights of individuals. 
  • Data Retention & Erasure– we have updated our retention policy and schedule to  include ‘data minimizationand ‘storage limitation’ principles  which require personal information to be stored, archived and destroyed compliantly and ethically. 
  • Data Breaches– our breach procedures include safeguards and measures in place to identify, assess, investigate and report a personal data breach at the earliest possible time. Our employees are made aware of our procedures. 
  • International Data Transfers & Third-Party Disclosures– where Woodruff-Sawyer stores or transfers personal information outside the EU, we have procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. We will use appropriate methods of ensuring that Woodruff-Sawyer is in compliance with applicable GDPR requirements including if applicable, utilization of the Standard Contractual Clauses (SCCs) in order to accomplish extra territorial transfer of EU Data Subject data. 
  • Subject Access Request (SAR)– our SAR procedures accommodate the timeframe for providing the requested information and for making this provision free of charge. Please utilize our data request portal link to make any appropriate SAR. 
  • Direct Marketing– we have compliant opt-in mechanisms for marketing subscriptions; and compliant notices and methods for opting out and providing unsubscribe features on our marketing materials. 
  • Processor Agreements– where we use any third-party to process personal information on our behalf or that of our clients, we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they meet and understand their GDPR obligations. These measures include initial and ongoing reviews of the services provided, the necessity of the processing activity, the technical and organizational measures in place and compliance with the GDPR. 

Legal Basis for Processing

We have identified the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met. 

If you request that we perform a service for you then our legal basis is based on Article 6, Section 1(a) to perform the service you have requested from us. 

If you are a visitor to the website then we will only process such data as is necessary to provide the website to you in accordance with Article 6, Section 1(a). 

If you are a potential candidate for employment at Woodruff-Sawyer then we will process your data in order to consider you for employment as requested by yourself in accordance with Article 6, Section 1(a). 

How this Notice Coincides with Our Privacy Notice/Policy

This notice and our Privacy Notice are intended to comply with the GDPR and should be read in conjunction with each other by ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information. 

How Do We Obtain Your Consent?

We request that you consent to our processing of personal data at the point of collection when you apply to use our services.  At the point of collection we ensure that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We have developed processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records; and an easy to use mechanism to withdraw consent at any time. 

Confidentiality And Security Of Your Personal Information

We are committed to keeping the personal information provided to us secure and we will take reasonable precautions to protect personal information from loss, misuse or alteration. 

We have implemented information security policies, rules and technical measures to protect the personal information that we have under our control from: 

  • unauthorised access; 
  • improper use or disclosure; 
  • unauthorised modification; and 
  • unlawful destruction or accidental loss. 

All of our members, employees, workers and data processors (i.e. those who process your personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal information, are obliged to respect the confidentiality of the personal information of all visitors to the Site and all users of our Services. 

Data Subject Rights

In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, individuals can contact us via email, phone, or in person to request access to any personal information that Woodruff-Sawyer processes about them. 

Information Security & Technical and Organizational Measures

Woodruff-Sawyer takes the privacy and security of individuals and their personal information very seriously and we take every reasonable measure and precaution to protect and secure the personal data that we process. We have information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction and have several layers of security measures. 

GDPR Roles and Employees

Our Cyber Strategy and Defense committee is responsible for promoting awareness of the GDPR across the organization, identifying any gap areas and implementing policies, procedures, training, and measures consistent with the GDPR. 

Clients’ Commitment

Compliance with the GDPR requires a partnership between Woodruff-Sawyer and our clients in their use of our services. Generally, Woodruff-Sawyer will act as a data processor and our clients will act as data controllers. If you are client or a prospective client, we look forward to working with you to meet our respective GDPR obligations. 


As your insurance broker, we recognize that you turn to us for your insurance and risk consulting needs. We have a dedicated cyber liability practice that focuses on the very risks posed by the GDPR and similar data protection regulations. 

Our Use of Cookies and Similar Technologies

Our site uses certain cookies, pixels, beacons, log files and other technologies of which you should be aware. Please see our Privacy Notice to find out more about the cookies we use and how to manage and delete cookies. 

Third Party Contractors and Other Controllers

We may appoint sub-contractor data processors as required to deliver the Services, who will process personal information on our behalf and at our direction. We conduct an appropriate level of due diligence and put in place necessary contractual documentation in relation to any sub-contractor to ensure that they process personal information appropriately and according to our legal and regulatory obligations. 

Further, we may appoint external data controllers in common where necessary to deliver the Services (for example, but without limitation Woodruff-Sawyer entities). When doing so we will comply with our legal and regulatory obligations in relation to the personal information including but without limitation where necessary putting appropriate safeguards in place to ensure any personal information is processed according to our legal and regulatory obligations. 

Collection Of Information by Third-Party Sites and Sponsors

The Site contains links to other sites whose information practices may be different than ours. Visitors should consult the other sites’ privacy notices as Woodruff-Sawyer has no control over information that is submitted to, or collected by, these third parties 

Changes To This Privacy Notice

We may make changes to this Privacy Notice from time to time. 

To ensure that you are always aware of how we use your personal information we will update this Privacy Notice from time to time to reflect any changes to our use of your personal information. We may also make changes as required to comply with changes in applicable law or regulatory requirements. We encourage you to review this Privacy Notice periodically to be informed of how we use your personal information. 

How to Access Your Information and Your Other Rights?

You have the following rights in relation to the personal information we hold about you.  To enforce any of these rights please see the end of this notice: 

Your right of access. 

If you ask us, we’ll confirm whether we’re processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee. 

Your right to rectification 

If the personal information we hold about you is inaccurate or incomplete, you’re entitled to have it rectified. If you are entitled to rectification and if we’ve shared your personal information with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly. 

Your right to erasure 

You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we’ve shared your personal information with others, we’ll let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly. 

Your right to restrict processing. 

You can ask us to ‘block’ or suppress the processing of your personal information in certain circumstances such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we’ve shared your personal information with others, we’ll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly. 

Your right to data portability. 

With effect from 25 May 2018, you have the right, in certain circumstances, to obtain personal information you’ve provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice. 

Your right to object. 

You can ask us to stop processing your personal information, and we will do so, if we are: 

relying on our own or someone else’s legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing; or 

processing your personal information for direct marketing. 

Your rights in relation to automated decision-making and profiling. 

You have the right not to be subject to a decision when it’s based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us. 

Your right to withdraw consent. 

If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time. 

Your right to lodge a complaint with the supervisory authority. 

If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the UK Information Commissioner’s Office (ICO). You can find details about how to do this on the ICO website at or by calling their helpline on 0303 123 1113. 

To Request Enforcement of Your GDPR Rights:

Please visit our Data Privacy Request PORTAL to enforce any of your GDPR rights as described in this notice: 

Or you may email us at