The GDPR (or General Data Protection Regulation, formally Regulation (EU) 2016/679), is a European (EU) regulation  which unifies and strengthens the data protection rights of people in the EU. It replaces the current European data protection framework (formally Directive 95/46/EC), and became enforceable from 25 May 2018.

From this time, a number of additional expectations apply to organisations that process the personal data of people in the EU, including EU-based employees or customers.

For more on the GDPR, you are encouraged to speak to your own data protection or compliance team. Or refer to the website of the supervisory authority responsible for ensuring GDPR-compliance in your primary operating country.

For example, the Data Protection Commissioner in Ireland (DPC), the Information Commissioner’s Office in the UK (ICO), the Commission Nationale de l’Informatique et des Libertés in France (CNIL), etc.

In short: GDPR is a new European data privacy directive, which came into force from May 2018, and will likely impact your decisions on processing personal data such as email addresses.

While the GDPR builds upon and ultimately replaces the Data Protection Act of 1990’s, there are notable enhancements to keep up with the latest technological developments over the past two decades. A few key highlights are noted below, but organisations should read the complete General Data Protection Regulation to fully understand the differences.

  • Right to Erasure – An individual will have the right to be forgotten, which means an individual can request all data with their information be permanently deleted. In high education, this has implications of the individual’s transcript/academic records.
  • Right to Access – An individual has the right to request the details of what personal information is being stored about them at any point in time.
  • Data Portability – The organisation must be able to provide individuals with a copy of their personal data in machine readable format upon request.
  • Express Explicit Consent – You are required to inform individuals how their personal information will be processed and provide them with an easy way to withdraw consent.
  • Breach Notification – A breach must be reported within 72 hours of becoming aware of the breach to the regulation authorities, and when applicable, the respective individual who has been compromised.
  • Privacy Impact Assessments – Organisations are required to conduct Privacy Impact Assessments (PIAs) to identify and minimize privacy risks.


To best of our understanding there is no requirement in the GDPR that personal data must stay in the EU as long as there is a legal framework in place to validate the data transfer.

GDPR recognises several frameworks including the Privacy Shield.

Within our business, the data controller is the party who determines the purposes and means of the processing of personal data; which in this case is the client.

Any time data is collected the controller is the individual making the data request.

The processor in this scenario, is SGA.

While the controller is the vehicle for requesting said data, the processor processes the personal data on behalf of the controller.

Personal data can include, but is not limited to, an individual’s name, contact information, email address, date of birth, and IP address.


SGA’s compliance team, along with the data subject experts supported by external business, technical and legal advisors with practical experience in data protection and wider security aspects, have implemented controls that fulfil GDPR requirements.

We ensure that our customers continuously benefit from our attention to information security and data protection.

SGA is proud of the robust security measures that are already in place and we do not expect any significant changes in these measures as a result of our GDPR readiness.

Kindly note that SGA’s information security management system is based on ISO 27001:2013 which is a globally accepted data security standard.


SGA’s class-leading services will operate as usual.

SGA will keep Customers informed of updates that refer to the GDPR, as these become available.


There is no accredited third-party certification for GDPR at present. This may change in the future for example, the European Commission may take forward a “Data Protection Seal”. SGA will keep watch on developments in this area.

  • We provide secure online self-service access to account information for our customers via telephone.

United States: 1 646 701 0092 (New York), 1 425 681 1911 (Seattle)
United Kingdom: 44 800 029 4645
Switzerland: 41 79 576 15 86
India: 91 20 6730 7200

  • If you have a specific request for personal information the SGA’s Compliance team ( who will pass on your request to our Data Protection Officer
  • If you are in regular contact with SGA Sales or Enterprise Business teams, they will be pleased to assist with a general enquiry or will pass on your request to our Compliance and Data Protection teams as appropriate. Kindly note, we will need to authenticate your identity to ensure we handle any request securely

No functional change is anticipated in SGA’s services. Kindly note as part of our GDPR readiness we have updated our Privacy Policy and Cookie Policy.

SGA’s Privacy Notices have updated to contain wording that aligns with the requirements of GDPR

SGA’s clients, vendors, partners are being notified via email, telephone, in-service alerts

Where users have already consented to receiving material such as the SGA Email, we have provided the ability for users to change or withdraw consent, for example adapting the frequency of Email or unsubscribing

As part of our service roadmap we review the business purpose for using personal information and as such there may be future changes to Privacy Notices and potentially consent aspects

Yes. A draft DP Agreement will be made available to the customers on request.

Please feel free to submit additional questions about the GDPR to our team using this link [contact us] and we will do our best to respond in a timely fashion. Please remember that questions specific to your organisation should be addressed directly to your internal Data Protection Officer and/or legal team.