GDPR Privacy Notice

The EU General Data Protection Regulation (“GDPR”) is a comprehensive data protection regulation that came into force across the European Union on May 25, 2018, updating the myriad national data protection laws currently in place with a cohesive set of rules which are directly enforceable by each EU member state.

Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

Who Does this Notice Apply To?

This notice applies to all EU “Data Subjects” as defined in the GDPR who may access our website or communicate with our company as a customer or prospective customer.  This also applies to any prospective employee Data Subjects.

Our Commitment

Woodruff-Sawyer (‘we’ or ‘us’ or ‘our’) is committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognize our obligations in updating and expanding this program to meet the demands of the GDPR.

Woodruff-Sawyer is dedicated to safeguarding the personal information we process and in developing a data protection regime that is effective, fit for purpose, and demonstrates an understanding of, and appreciation for the new Regulation. Our GDPR compliance is summarized in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.  Further, we have reviewed and adopted our new Privacy Policy in line with procedural protections in accordance with the GDPR guidelines for appropriate safeguards taking into account the sensitivity of the respective data provided by our clients.

Our continued compliance with GDPR to protect the personal data of EU data subjects includes:

  • Information Audit– carrying out a company-wide information audit to identify and assess what personal information of data subjects we hold, where it comes from, how and why it is processed and if and to whom it is disclosed.
  • Policies & Procedures– implementing new data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
  • Data Protection– a new policy and procedure document for data protection has been drafted to meet the standards and requirements of the GDPR, with a dedicated focus on privacy by design and the rights of individuals.
  • Data Retention & Erasure– we have updated our retention policy and schedule to ensure that we meet the ‘data minimizationand ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically.
  • Data Breaches– our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and will be disseminated to all employees, making them aware of the reporting lines and steps to follow.
  • International Data Transfers & Third-Party Disclosures– where Woodruff-Sawyer stores or transfers personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. We will use appropriate methods of ensuring that Woodruff-Sawyer is in compliance with applicable GDPR requirements including if applicable, utilization of the Standard Contractual Clauses (SCCs) with any controllers and processors in order to accomplish extra territorial transfer of EU Data Subject data.
  • Subject Access Request (SAR)– we have revised our SAR procedures to accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of charge. Please utilize our data request portal link to make any appropriate SAR.
  • Direct Marketing– we have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions; a clear notice and method for opting out and providing unsubscribe features on all subsequent marketing materials.
  • Processor Agreements– where we use any third-party to process personal information on our behalf or that of our clients, we have drafted compliant Processor Agreements and due diligence procedures for ensuring that they meet and understand their GDPR obligations. These measures include initial and ongoing reviews of the services provided, the necessity of the processing activity, the technical and organizational measures in place and compliance with the GDPR.

Legal Basis for Processing

We have identified the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Bill are met.

If you request that we perform a service for you then our legal basis is based on Article 6, Section 1(a) to perform the service you have requested from us.

If you are a visitor to the website then we will only process such data as is necessary to provide the website to you in accordance with Article 6, Section 1(a).

If you are a potential candidate for employment at Woodruff-Sawyer then we will process your data in order to consider you for employment as requested by yourself in accordance with Article 6, Section 1(a).

How this Notice Coincides with Our Privacy Notice/Policy

This notice and our Privacy Notice are intended to comply with the GDPR and should be read in conjunction with each other by ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.

How Do We Obtain Your Consent?

We request that you consent to our processing of personal data at the point of collection when you apply to use our services.  At the point of collection we ensure that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We have developed processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records; and an easy to use mechanism to withdraw consent at any time.

Confidentiality And Security Of Your Personal Information

We are committed to keeping the personal information provided to us secure and we will take reasonable precautions to protect personal information from loss, misuse or alteration.

We have implemented information security policies, rules and technical measures to protect the personal information that we have under our control from:

  • unauthorised access;
  • improper use or disclosure;
  • unauthorised modification; and
  • unlawful destruction or accidental loss.

All of our members, employees, workers and data processors (i.e. those who process your personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal information, are obliged to respect the confidentiality of the personal information of all visitors to the Site and all users of our Services.

Data Subject Rights

In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, individuals can contact us via email, phone, or in person to request access to any personal information that Woodruff-Sawyer processes about them.

Information Security & Technical and Organizational Measures

Woodruff-Sawyer takes the privacy and security of individuals and their personal information very seriously and we take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction and have several layers of security measures.

GDPR Roles and Employees

Woodruff-Sawyer has designated our cybersecurity committee to develop and implement our roadmap for complying with the GDPR. The team is responsible for promoting awareness of the GDPR across the organization, assessing our GDPR readiness, identifying any gap areas and implementing policies, procedures and measures consistent with the GDPR.

Woodruff-Sawyer understands that continuous employee awareness and understanding is vital to the continued compliance with the GDPR. We have implemented an employee training program specific to the GDPR which will be provided to all employees, forming part of our induction and annual training program.

Clients’ Commitment

Compliance with the GDPR requires a partnership between Woodruff-Sawyer and our clients in their use of our services. Generally, Woodruff-Sawyer will act as a data processor and our clients will act as data controllers. If you are client or a prospective client, we look forward to working with you to meet our respective GDPR obligations.


As your insurance broker, we recognize that you turn to us for your insurance and risk consulting needs. We have a dedicated cyber liability practice that focuses on the very risks posed by the GDPR and similar data protection regulations.

Our Use of Cookies and Similar Technologies

Our site uses certain cookies, pixels, beacons, log files and other technologies of which you should be aware. Please see our Privacy Notice to find out more about the cookies we use and how to manage and delete cookies.

Third Party Contractors and Other Controllers

We may appoint sub-contractor data processors as required to deliver the Services, who will process personal information on our behalf and at our direction. We conduct an appropriate level of due diligence and put in place necessary contractual documentation in relation to any sub-contractor to ensure that they process personal information appropriately and according to our legal and regulatory obligations.

Further, we may appoint external data controllers in common where necessary to deliver the Services (for example, but without limitation Woodruff-Sawyer entities). When doing so we will comply with our legal and regulatory obligations in relation to the personal information including but without limitation where necessary putting appropriate safeguards in place to ensure any personal information is processed according to our legal and regulatory obligations.

Collection Of Information by Third-Party Sites and Sponsors

The Site contains links to other sites whose information practices may be different than ours. Visitors should consult the other sites’ privacy notices as Woodruff-Sawyer has no control over information that is submitted to, or collected by, these third parties

Changes To This Privacy Notice

We may make changes to this Privacy Notice from time to time.

To ensure that you are always aware of how we use your personal information we will update this Privacy Notice from time to time to reflect any changes to our use of your personal information. We may also make changes as required to comply with changes in applicable law or regulatory requirements. We will notify you by e-mail of any significant changes. However, we encourage you to review this Privacy Notice periodically to be informed of how we use your personal information.

How to Access Your Information and Your Other Rights?

You have the following rights in relation to the personal information we hold about you.  To enforce any of these rights please see the end of this notice:

Your right of access.

If you ask us, we’ll confirm whether we’re processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.

Your right to rectification

If the personal information we hold about you is inaccurate or incomplete, you’re entitled to have it rectified. If you are entitled to rectification and if we’ve shared your personal information with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.

Your right to erasure

You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we’ve shared your personal information with others, we’ll let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.

Your right to restrict processing.

You can ask us to ‘block’ or suppress the processing of your personal information in certain circumstances such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we’ve shared your personal information with others, we’ll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.

Your right to data portability.

With effect from 25 May 2018, you have the right, in certain circumstances, to obtain personal information you’ve provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.

Your right to object.

You can ask us to stop processing your personal information, and we will do so, if we are:

relying on our own or someone else’s legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing; or

processing your personal information for direct marketing.

Your rights in relation to automated decision-making and profiling.

You have the right not to be subject to a decision when it’s based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.

Your right to withdraw consent.

If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.

Your right to lodge a complaint with the supervisory authority.

If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the UK Information Commissioner’s Office (ICO). You can find details about how to do this on the ICO website at or by calling their helpline on 0303 123 1113.

To Request Enforcement of Your GDPR Rights:

Please visit our Data Privacy Request PORTAL to enforce any of your GDPR rights as described in this notice:

Or you may email us: HERE