General Data Protection Regulation (GDPR) Policy


The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will affect every organisation which holds or processes personal data. It will introduce new responsibilities, including the need to demonstrate compliance, along with more stringent enforcement and substantially higher penalties than the current Data Protection Act (DPA), which it will supersede.

HydroCo is committed to high standards of information security, privacy and transparency. We place a priority on protecting and managing data in accordance with accepted standards including ISO 9001. The company will comply with applicable GDPR regulations when they take effect in May 2018.

HydroCo carries very little personal information; the data it holds is primarily personnel information. HydroCo requests that its clients remove or anonymise any personal information before sending it.


HydroCo has a robust ISO-based Integrated Management System (IMS) and, in order to ensure compliance, will implement additional controls to meet GDPR requirements within the IMS using internal and external advisors.

Updated information security policies and procedures will build on existing management systems (including ISO 9001), the Information and Confidentiality policy and data risk assessments, and will be supported by communication and training programmes.

Compliance will be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.

In many areas the services provided by HydroCo already conform. The company has undertaken risk assessments to include more detailed consideration of the data types we hold and a data protection impact analysis of personal information stored.

HydroCo will not pass on any personal information to third parties in any form (e.g. electronically or physically), will retain any information securely (password controlled and encrypted where applicable) and will not hold on to any such information for longer than is necessary or required to be held.

Accountability lies with the Directors.

If a breach involving personal information takes place, we will establish the likelihood and severity of the resulting risk to the individuals' rights and freedoms. If it is likely that there will be a risk arising, then we will notify the ICO as soon as possible, seeking to do this within 72 hours of the breach occurring. If such a breach/loss is likely to result in a high risk to individual rights and freedoms, we will directly notify any individuals that have been affected.

David Acres – Managing Director