At NextSupport, we take our responsibility to protect personal data seriously. As a premier UK-based AI calling service provider for business process outsourcing (BPO) firms, call centres, and industries such as Healthcare, Real Estate, and E-commerce, we fully comply with the Data Protection Act 2018, which complements the UK General Data Protection Regulation (UK GDPR). Our rigorous policies, advanced security measures, and transparent practices ensure that personal data is handled lawfully and securely, fostering confidence among our clients and their customers.
What is the Data Protection Act 2018?
The Data Protection Act 2018 is the UK’s primary legislation implementing data protection standards, working alongside the UK GDPR to regulate how personal data—such as names, phone numbers, or call recordings—is processed by organisations. It establishes specific provisions, including mandatory registration with the Information Commissioner’s Office (ICO), and applies additional rules for sensitive data, such as health or financial information. Non-compliance can result in fines of up to £17.5 million or 4% of annual turnover, as overseen by the ICO.
Our Role as a Data Processor
NextSupport operates as a data processor, supporting our clients, who act as data controllers. We process personal data, including customer enquiries, lead generation calls, and appointment scheduling data, strictly in accordance with client instructions and our service agreements. This role requires us to adhere to the Data Protection Act 2018’s stringent requirements, ensuring all data handling aligns with UK law.
Lawful Processing Under the Act
We process personal data based on lawful bases outlined by our clients, consistent with the Act’s provisions:
Consent: We obtain explicit consent from data subjects, such as when a customer agrees to call recording via an opt-in prompt (e.g., “Press 1 to consent”).
Contractual Necessity: Processing is essential to fulfil client contracts, such as managing inbound calls for a Healthcare provider’s patient support line.
Legal Obligation: We process data when required by UK law, such as retaining records for regulatory purposes.
Legitimate Interests: We process data for client interests, like lead generation for Real Estate, balanced with a Legitimate Interests Assessment (LIA), ensuring it doesn’t override data subject rights.
Data Security Measures
We implement robust security measures to protect personal data, aligning with the Data Protection Act 2018’s security obligations:
Encryption: We use AES-256 encryption for data at rest and TLS 1.3 for data in transit, safeguarding data during storage and transmission.
Access Controls: Role-based access controls (RBAC) ensure only authorised personnel can access sensitive data, with multi-factor authentication (MFA) enforced for all staff accounts.
Regular Audits: We engage third-party cybersecurity firms, such as CyberSec Solutions, to conduct quarterly penetration testing and annual security audits.
UK-Based Storage: All personal data is stored on Amazon Web Services (AWS) servers in the UK, specifically in the London region (eu-west-2), complying with the Act’s localisation preferences.
Certifications: Our ISO 27001 certification reflects our commitment to information security, with SOC 2 Type II certification in progress, expected by Q3 2025.
Supporting Data Subject Rights
The Data Protection Act 2018 reinforces data subject rights under UK GDPR, and we assist our clients in fulfilling these obligations:
Right to Access: Individuals can request copies of their personal data, such as call recordings, which we provide in a structured format within 30 days.
Right to Rectification: We correct inaccurate data, such as updating a customer’s contact details upon request.
Right to Erasure: We delete data when no longer needed or upon request, such as removing call recordings after a client-specified retention period.
Right to Restriction: We limit data processing when requested, such as pausing analytics on a specific dataset.
Right to Data Portability: We enable data transfers to other providers in a machine-readable format, such as CSV files.
Clients can forward data subject requests to us via our Contact Us page, and we handle them promptly within the 30-day timeline.
Handling Sensitive Data
The Act imposes stricter rules for sensitive data (e.g., health or financial information), and we comply by:
Explicit Consent: Obtaining explicit consent for processing sensitive data, such as health-related call details for Healthcare clients.
Additional Safeguards: Applying enhanced encryption and access restrictions for sensitive datasets.
Data Protection Impact Assessments (DPIAs): Conducting DPIAs for high-risk processing, such as AI analysis of sensitive call data, to mitigate risks.
Data Retention and Deletion
We adhere to the Act’s data retention principles:
Retention Policy: Call recordings are retained for 30 days for quality assurance, unless a client specifies a different period, in line with the Act’s requirements.
Secure Deletion: Data is securely deleted using cryptographic shredding techniques, ensuring it cannot be recovered.
Anonymisation: We anonymise data for analytics, removing identifiable information to comply with data minimisation rules.
International Data Transfers
Our operations are primarily UK-based, with data stored on AWS servers in the UK. If data is transferred outside the UK (e.g., to a sub-processor), we comply with the Act by:
Standard Contractual Clauses (SCCs): Using SCCs approved by the ICO to ensure equivalent protection.
Adequacy Assessments: Evaluating the data protection laws of recipient countries to meet Act standards.
Training and Awareness
We prioritise data protection training across our organisation:
Regular Training: All employees complete annual Data Protection Act 2018 training, covering data handling, breach reporting, and ethical AI use.
Specialised Training: Our AI development team receives additional training on privacy by design to ensure compliance.
Incident Response Drills: We conduct quarterly drills to prepare staff for data breach scenarios, ensuring swift and compliant responses.
Accountability and Governance
We maintain a strong governance framework to demonstrate compliance with the Data Protection Act 2018:
Records of Processing Activities (ROPA): We document all data processing activities, including purposes and retention periods, available for ICO audits.
Audits: We engage Compliance Experts Ltd. for biannual compliance audits to ensure adherence.
Data Protection Officer (DPO): Our DPO, reachable at dpo@nextsupport.co.uk, oversees our strategy and liaises with the ICO.
ICO Registration: We are registered with the ICO under registration number ZA123456, fulfilling the Act’s registration requirement.
Assisting Clients with Compliance
As a data processor, we support our clients in meeting their obligations under the Data Protection Act 2018:
Data Processing Agreements (DPAs): We provide DPAs detailing our responsibilities, aligning with client instructions.
Support for Data Subject Requests: We assist clients in responding to requests, such as supplying call transcripts.
Compliance Reporting: Clients can request our Compliance Report, detailing security measures and audit results, available upon signing an NDA.
Sub-Processors
We use vetted sub-processors that comply with the Data Protection Act 2018:
AWS: For data storage, AWS meets UK standards with UK data centres.
Twilio: For telephony, Twilio adheres to the Act via data protection agreements.
Client Consent: We obtain client consent before engaging sub-processors and ensure they sign DPAs.
Data Breach Notification
In the event of a data breach, we follow Act procedures:
ICO Notification: We notify the ICO within 72 hours, as required.
Client Notification: We inform affected clients promptly with mitigation details.
Mitigation: We contain breaches, for example by isolating affected systems, and conduct root cause analysis to prevent recurrence.
Ongoing Compliance Efforts
Compliance with the Data Protection Act 2018 is an ongoing commitment:
Regular Reviews: We review practices quarterly to align with updates to the Act.
External Expertise: We engage Compliance Experts Ltd. for independent audits.
Technology Upgrades: We enhance AI systems with advanced anonymisation techniques.
Frequently Asked Questions (FAQs)
How can I request access to my data?
Contact our DPO at dpo@nextsupport.co.uk or use our Contact Us page. We’ll provide your data within 30 days, typically as a downloadable file.
What happens if there’s a data breach?
We notify the ICO within 72 hours and inform affected clients, taking swift action to mitigate risks.
How does NextSupport handle sensitive data?
We obtain explicit consent and apply enhanced encryption and DPIAs for sensitive data, such as health information.
Can I request deletion of my data?
Yes, email dpo@nextsupport.co.uk or use our Contact Us page. We’ll delete your data within 30 days, unless we are legally required to retain it.
How does NextSupport ensure compliance with the Act?
We use encryption, audits, and ICO registration, with our DPO overseeing adherence.
Download Our Compliance Report
For a detailed overview of our Data Protection Act 2018 compliance, download our Compliance Report (available upon request after signing an NDA), including audit summaries and security details.
Contact Us
For questions about our Data Protection Act 2018 compliance, to exercise your rights, or to request documentation, contact:
Data Protection Officer: dpo@nextsupport.co.uk
Compliance Team: compliance@nextsupport.co.uk
Additional details are in our Privacy Policy.
Conclusion
NextSupport is dedicated to upholding the highest standards of data protection under the Data Protection Act 2018, ensuring personal data is handled securely and transparently. Our comprehensive approach offers peace of mind, enabling clients to focus on growth while we manage their calls with integrity.
Compliance Table
| Aspect | Description | NextSupport’s Approach |
|---|---|---|
| Lawful Processing | Data must have a legal basis. | Uses consent, contractual necessity, or legitimate interests, with LIAs. |
| Security | Protect data from breaches. | Employs AES-256, TLS 1.3, AWS UK servers, and ISO 27001 certification. |
| Transparency | Inform about data usage. | Provides clear notices and informs callers of AI use. |
| Data Subject Rights | Support rights like access. | Handles requests within 30 days, assisting clients. |
| Accountability | Maintain records and comply. | Keeps ROPA, conducts audits with Compliance Experts Ltd., and has a DPO. |
| Sensitive Data | Extra protection for sensitive data. | Obtains explicit consent, applies enhanced encryption and access restrictions, and conducts DPIAs for high-risk processing. |