Skip to content

GDPR Compliance Statement


The General Data Protection Regulation or GDPR has been much discussed in recent months. This regulation was devised in response to concerns about the use of personal data, in particular electronic personal data, by those in business. Its purpose is to provide the means by which individuals retain control of their personal data and to ensure better governance of that data by businesses. The Data Protection Act 2018 is the UK Government’s implementation of GDPR. This act is a close copy of GDPR and demands the same standards of data care as the regulation.

Personal Data at Critchleys

The team at Critchleys has always taken the care of personal data very seriously and understands the importance of its protection. The new more rigorous standards of data management and protection demanded by GDPR are timely and we have welcomed the opportunity to scrutinise all aspects of data processing at the firm. We have involved all members of the team in achieving compliance and we have policies and procedures in enable Critchleys achieve Privacy by Design.

To ensure GDPR compliance our team has undertaken the following:

  • Information Audit – we have held a company-wide information audit to identify and assess the personal data we hold, where it comes from, how and why it is processed and if and to whom it is disclosed

  • Policies & Procedures – these have been revised to meet the requirements and standards of the GDPR and relevant data protection laws

  • Legal Basis for Processing - we have reviewed all processing activities to identify the legal basis for processing and to ensure that each basis is appropriate for the activity it relates to. We now also maintain detailed records of our processing activities, ensuring that our obligations under Article 30 of the GDPR.

  • Privacy Notice – we have revised our Privacy Notice to comply with the GDPR ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information

  • Direct Marketing - we have updated our processes for direct marketing and have included clear opt-in mechanisms for marketing subscriptions for private clients. We also have a clear method for opting out included in all subsequent marketing correspondence. All such correspondence with corporate clients includes clear opt out mechanisms

  • Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, or when we process such information in a new way requiring new tools, full assessments are carried out to comply with the Article 35 requirements of GDPR. These assessments allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce those risks.

  • Processor Agreements – GDPR compliant Data Processor Agreements are in place with third-parties that process personal information on our behalf. These detail the responsibilities of the third-parties to reach the demands of Article 28 in full.

  • Special Categories Data - Special category data is only processed where necessary and where we have first identified the appropriate Article 9(2) basis.

Data Subject Rights

We provide easy to access information via our the Privacy Notice on our website to ensure clients are fully informed about the processing of personal data and the rights they hold with respect to that processing. Our staff Privacy Notice is available on our firm intranet.

Information Security & Technical and Organisational Measures

Critchleys has a suite of security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and we have several layers of security measures. These are under frequent review to confirm we are able to respond appropriately to contemporary threats.

Data Privacy Officer

Katherine Wilkes is the Data Privacy Officer at Critchleys. Katherine is our Regulation and Compliance Manager and has overseen the training of all staff. She leads the firm-wide personal data audits and has developed our GDPR policies and protocols. Katherine will monitor processing activities to make sure our team, our processing and our infrastructure continues to adhere to the highest standards of personal data protection.

If you have any questions about GDPR or the processing of your personal data, please email Katherine at: