IRATA’s Data Privacy Commitment en


The General Data Protection Regulation (GDPR) is the new data protection law that takes effect on May 25, 2018. GDPR embodies the privacy principles of transparency, fairness, and accountability. The new regulation replaces the existing data protection directives and national legislation, bringing consistency to the data protection requirements across the European Economic Area (EEA). GDPR is setting an international benchmark and many countries are following suit with equivalent regulation.

The GDPR focus is the protection, collection and management of personal data, (i.e. data about living individuals) and it applies to all businesses who hold or process personal data of people in the EEA, however, the GDPR has wide implications for every business worldwide. IRATA is required to comply, by law, with the GDPR requirements and this will have implications for all IRATA members, whether based in the EEA or otherwise.

As an organisation providing certification services worldwide, we have a responsibility to protect all personal information that is entrusted to us, regardless of where the holders or processors of such information are located. We are committed to helping our service users and members by protecting and respecting personal data, no matter where it is from or where it flows.

What is IRATA doing
to be GDPR-ready?

As part of our continued focus on information security and data privacy, we are preparing for GDPR compliance through a managed programme of activities in the following areas:

Information Security

IRATA has information security measures in place, however, we will be working closely with our partners to ensure that our security framework is effective by reviewing the mechanisms that assure data confidentiality, integrity and availability; and how we respond to security breaches.

Privacy by Design

We are updating our manual and digital systems and integrating data protection, privacy and security standards, where required. Our IRATA Operating System (IOS) is undergoing improvements and users can expect to see changes in the way the system is used.

In future, IRATA candidates will need to supply their personal information directly to IRATA electronically. We are also working on a system that will enable our Assessors to submit assessment records online. This should not only improve the security of the information but also speed up the certification process by reducing the time it takes to transfer information. We aim to make the new interfaces user friendly and will communicate clear instructions to those who use our systems.

Policies and Procedures

We are reviewing all of our policies, processes and records, and defining the personal information lifecycle in order to ensure transparency, accuracy, accessibility, completeness, security and consistency.

We will review and publish our Privacy Policy, ensuring that it reflects the GDPR requirements and provides information on how we obtain, store and use information relating to personal data.

Extended Information Management

We will need to work closely with our members, suppliers and other partners who help us deliver our services, to ensure that our joint obligations, with respect to data privacy, are met. Transparent arrangements will need to be established through information sharing and data protection agreements. We all have an important role to play!

Information Governance

We are mapping our data workflows and identifying what we have, what we do with it, where it is, where it flows and who has access to it. We classify data based on risk and sensitivity in context. In order to act on our findings without delay, we will need to implement some short-term measures until long term solutions are developed. We will be communicating these changes to all relevant parties shortly.


As data controllers we are responsible for complying with the relevant requirements under the GDPR in respect of the personal data that we hold in connection with our members, suppliers and other partners. We are taking steps to meet the GDPR requirements and as our work progresses we will provide updates with key information, including:

  • Updates to our privacy policy.
  • Refinements to our IOS, the related processes and restriction of access to certain information.
  • Changes to how we obtain personal information e.g. personal data directly from Technicians.
  • Changes to the assessment record form (Form 025) which will involve some short-term changes followed by phase in of a digital system to collect this data.
  • Changes to the way we collect and manage medical information (Form 014).
  • Instructions on how and when to remove historic records that contain personal data.
  • Contracts to ensure 3rd parties look after your data too.
  • Request to reconfirm, update and gain consent to use personal data, where appropriate.
  • Changes to the membership requirements (Form 039), which is currently under review, the updated version will incorporate provisions for data protection.