General Data Protection Regulation (GDPR)

On 25 May, 2018, the General Data Protection Regulation (GDPR) will take effect in the European Union (EU). GDPR will impose strict controls on how all organisations collect and process personal data within the EU and/or personal data of EU citizens.

Chameleon-i will be fully compliant with GDPR when it becomes enforceable on 25 May, 2018.

The regulation outlines six key points for organisations that process individuals’ personal information.

Data must be:

  • Processed lawfully, fairly and transparently
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary for processing
  • Accurate and kept up to date
  • Retained only for as long as necessary
  • Processed in an appropriate manner to maintain security

As part of the Chameleon-i product we have a number of tools available to help you keep track and  stay compliant including:

GDPR module

Streamlines and automates the process of candidates communications. This can be used for confirming consent with regards to GDPR regulations.


Prevent users from deleting notes once they have been created, ensuring the integrity of your database. This stops unauthorised users from deleting important information – such as GDPR consent.

Document History

Easily track documents which have been sent from the system, including when and who they were sent to. If you receive a SAR (subject access request) you will have the data easily available.

Right to be Forgotten

When records are deleted, all associated data is also permanently removed (inc documents, notes and emails etc). A record of the action is also added to the system log providing an audit trail.

Processing of Data

Chameleon-i acts as a data processor on behalf of our customers. As a customer of Chameleon-i you are entering into an agreement which gives us a legitimate basis to process your data (in line with GDPR requirements).

The security of customer data has, and always will be, taken extremely seriously. Our Hosting provider for Live Products and Services is a Tier 1 ISO who provides industry-leading security and has a long list of internationally recognised certifications and accreditation’s including: ISO 27001 for information security, ISO 9001 for quality management systems, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI Level 1, The Crown Commercial Service (CCS) and multiple Microsoft accreditation’s plus many others. Their identity is available on request to registered clients.

All customer data is backed up at regular intervals and stored in two alternative locations within the EU at all times, as per AWS recommended guidelines. Finally, security and performance tests are carried out at regular intervals to ensure the smooth running of the service.

Along with a username and password, all customer databases can be secured with additional layers of security including: Access Control and use of the in-built Permissions System. All customer data can be exported at any time from within the system by an authorised user. Finally, there is a system log which provides an overview of activity on the database for auditing records and security purposes.

Chameleon-i operates a support ticket system. All account enquiries require a support ticket to be opened by an authorised user. The ticket system is used to confirm the authenticity of the request and to protect your account and data.

In the unlikely event of a data breach, Chameleon-i has strict procedures in place to report this to customers, and the ICO within 72 hours of discovery.

Chameleon-i does not share customer data with any third parties without your express written permission.