Woodruff Sawyer’s Commitment to GDPR

The EU General Data Protection Regulation (“GDPR”) is a comprehensive data protection regulation that comes into force across the European Union on May 25, 2018, updating the myriad national data protection laws currently in place with a cohesive set of rules which are directly enforceable by each EU member state. It is the most significant change to data protection law in two decades.

The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardize data protection laws and processing across the EU; affording individuals stronger, more consistent rights to access and control their personal information.

Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

Our Commitment

Woodruff Sawyer (‘we’ or ‘us’ or ‘our’) is committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognize our obligations in updating and expanding this program to meet the demands of the GDPR.

Woodruff Sawyer is dedicated to safeguarding the personal information we process and in developing a data protection regime that is effective, fit for purpose, and demonstrates an understanding of, and appreciation for the new Regulation. Our preparation and objectives for GDPR compliance have been summarized in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.

How We are Preparing for the GDPR

Woodruff Sawyer already has a consistent level of data protection and security across our organization, however it is our aim to be compliant with the GDPR by May 25th, 2018, recognizing that our data protection efforts will be continuous and ongoing.

Our preparation for the GDPR to protect the personal data of EU data subjects includes:

  • Information Audit– carrying out a company-wide information audit to identify and assess what personal information of data subjects we hold, where it comes from, how and why it is processed and if and to whom it is disclosed.
  • Policies & Procedures– implementing new data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
    • Data Protection– a new policy and procedure document for data protection has been drafted to meet the standards and requirements of the GDPR, with a dedicated focus on privacy by design and the rights of individuals.
    • Data Retention & Erasure– we are updating our retention policy and schedule to ensure that we meet the ‘data minimization and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically.
    • Data Breaches– our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and will be disseminated to all employees, making them aware of the reporting lines and steps to follow.
    • International Data Transfers & Third-Party Disclosures– where Woodruff Sawyer stores or transfers personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data.
    • Subject Access Request (SAR)– we have revised our SAR procedures to accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of charge
  • Legal Basis for Processing – we are reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.
  • Privacy Notice/Policy– we have revised our Privacy Notice to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
  • Obtaining Consent– we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We have developed processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records; and an easy to use mechanism to withdraw consent at any time.
  • Direct Marketing– we have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
  • Processor Agreements– where we use any third-party to process personal information on our behalf or that of our clients, we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they meet and understand their GDPR obligations. These measures include initial and ongoing reviews of the services provided, the necessity of the processing activity, the technical and organizational measures in place and compliance with the GDPR.

Data Subject Rights

In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, individuals can contact us via email, phone, or in person to request access to any personal information that Woodruff Sawyer processes about them.

Information Security & Technical and Organizational Measures

Woodruff Sawyer takes the privacy and security of individuals and their personal information very seriously and we take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction and have several layers of security measures.

GDPR Roles and Employees

Woodruff Sawyer has designated our cybersecurity committee to develop and implement our roadmap for complying with the new data protection Regulation. The team is responsible for promoting awareness of the GDPR across the organization, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.

Woodruff Sawyer understands that continuous employee awareness and understanding is vital to the continued compliance with the GDPR and have involved our employees in our preparation plans. We are implementing an employee training program specific to the GDPR and which will be provided to all employees, forming part of our induction and annual training program.


Compliance with the GDPR requires a partnership between Woodruff Sawyer and our clients in their use of our services. Generally, we will act as a data processor and our clients will act as data controllers. If you are client or a prospective client, we look forward to working with you to meet your GDPR obligations. In the meantime, we encourage our clients to independently familiarize themselves with the requirements of the GDPR.


As your insurance broker, we recognize that you turn to us for your insurance and risk consulting needs. We have a dedicated cyber liability practice that focuses on the very risks posed by the GDPR and similar data protection regulations. If you are unsure whether your insurance covers liabilities associated with GDPR, consider this recent article, and reach out to us to discuss.

What’s Next?

We will continue to make additional required operational changes resulting from the new legislation, and will keep our clients, partners and regulatory authorities informed throughout this process. We have an internal cross-functional team who continue to monitor GDPR and who will continue to inform our strategy for GDPR.

If you have any questions about our preparation for the GDPR, please contact us at


Updated May 23, 2018