GDPR Preparations and Compliance
May 2018


At The Morrisby Organisation, we have always taken data privacy and security very seriously. With the General Data Protection Regulations (GDPR) having come into effect on 25 May 2018, we undertook a programme to ensure that we were fully compliant. This document outlines some of the steps we have taken.


Someone who is using our services for career guidance purposes.


Someone who manages Candidate accounts on behalf of a school/centre.

Appointed a Data Protection Officer

As Morrisby processes a large volume of personal data it is our obligation under GDPR to appoint a data protection officer. We have appointed Steven Cole, the IT Director. He can be contacted for GDPR related matters at or +44(0)330 500 5000.

Personal Data Audit / Privacy Impact Assessment

We conducted a thorough personal data audit to establish:

  • All of the personal data that we hold;
  • Where all personal data is stored;
  • Whether it is necessary for us to process all the data that we collect;
  • The security procedures in place to protect personal data during transfer, processing and storage;
  • All data flows.

After the audit we made changes to our processes, policies and systems to ensure that all of our personal data processing is GDPR compliant.

Where do we store Personal Data?

We have ensured that all of our data storage locations are GDPR compliant. Most of our Candidate data is stored within the EEA on hosted servers and cloud services. For data that we store or transfer outside the EEA, we will take all reasonable steps to ensure that it is treated as safely and securely as it would be within the EEA and under the GDPR. Such steps may include, but not be limited to, the use of legally binding contractual terms between us and any third parties we engage and the use of the EU-approved Model Contractual Arrangements.

Updated Our Policies

We’ve updated our data policies to be GDPR compliant. These include:

  1. Privacy and Cookie Policy. The new policy can be found at:;
  2. Data Retention Policy:;
  3. Security policy: this is an internal document;
  4. Data Protection Policy:


All employees receive training on our privacy and data retention policies.

Established Our Lawful Basis for Processing Data

GDPR provides six lawful methods that can be used as the lawful basis for processing personal data. We have established our lawful basis for all of our data processing operations.

Our most important data processing operation is that of Candidate data, for which, we identified that legitimate interests, GDPR Article 6(1)(f), is our lawful basis. We conducted and documented a thorough necessity and balancing test to ensure that the legitimate interests are not outweighed by the fundamental rights of the the data subject (the Candidate). We concluded that the case was overwhelming due to the legitimate interests of the Candidate (the data subject), the school, and Morrisby all being strongly aligned.

Our Role as a Data Controller and Data Processor

We are data controller for candidate personal data because students register directly with our services themselves and we control which information is collected and processed. So, rather than being a data processor for the school, who would be acting as a data controller, we are a data controller instead.

Data Processing Agreements

We have ensured that we have GDPR compliant data processing agreements with all of our data processors.

Security review and update

We have taken a number of measures to enhance our security infrastructure. Publishing details of security measures can in itself pose a security risk, but we are able to give some example general guidelines on some of the measures we take:

  • Regular penetration testing;
  • Encrypting the hard drives of desktops, laptops, and servers.
  • Weekly automated vulnerability scans;
  • Patches and updates are applied promptly and regularly;
  • The use of of tightly configured Firewalls;
  • The use of virus and malware protection;
  • Strong password policy for all employees;
  • Website user accounts are locked out after too many login attempts;
  • We have achieved Cyber Essentials Plus certification.