You are here: GDPR

What is the GDPR?

The GDPR will apply in the UK from 25 May 2018

The General Data Protection Regulation (GDPR) is a piece of EU legislation that will supersede the Data Protection Act. The aim is to keep individual’s data safe and provide individuals with the ability to identify how their personal information is being used.

The GDPR applies to all organisations established in the EU or the processing of personal data of the person residing in the EU. 


iPipeline already has strong data security processes in place however we’ve reviewed what we do to ensure our technology solutions help meet advisers' requirements.

Our GDPR team have assessed the impact of the GDPR and with GDPR removing uncertainty about who is responsible for privacy, we’ve implemented updates to address the following 6 key principles:

  1. Lawful, transparent and fair handling and processing of personal data.
  2. Limit the processing of personal data for specific, legitimate purposes.
  3. Minimise the collection and storage of personal data to what is necessary.
  4. Ensure personal data is accurate with the ability to erase or correct.
  5. Limit the storage of personal data.
  6. Ensure security, integrity and confidentiality of personal data.


All iPipeline employees are bound by a comprehensive set of security policies and processes which contain clear information about their responsibilities. These policies and processes ensure iPipeline employees understand the likely impact of the GDPR. By doing so, this contributes to keeping the iPipeline business secure for all our stakeholders including advisers and their customers the ‘clients’.

Polices and processes are based on the ISO27001 framework, informed by the requirements of European Data Protection laws as well as the SANS Top 20 critical security controls and the OWASP top 10 critical web application security risks.


We’ve reviewed our technology solutions, data processes and procedures analysing how we manage personal data. Addressing the GDPR, we can:

  • delete personal data – ability to delete individual clients, client benefits in bulk and case detail.
  • implement the right to erasure – an individual’s personal data can be identified across iPipeline systems and removed if requested.
  • control the creation, management and access of personal data – all personal data is held securely, for only as long as is necessary and is protected.


We’ve reviewed our existing policies to ensure we are transparent about how we handle your personal data and that of advisers' clients.


We've reviewed how our customers subscribe to our marketing communications. As a result, we’ve created new options to opt-in/opt-out of, creating transparency and fairness.


We’ve revisited the due diligence that we carry out with our suppliers ensuring they remain compliant under the GDPR. Where necessary, our contractual arrangements have been updated.

Information Security

We operate an Information Security Management System (ISMS) built on ISO27001 principles, managed by the iPipeline Security Team and directed by the iPipeline UK Security Committee. 

Available under NDA, our Security Overview paper provides additional information on how we take measures concerning the security of data. The paper covers common questions regarding our multi-layered approach to security:

  • Information System Management System (ISMS)
  • Risk Management
  • Compliance Program
  • Infrastructure
  • Security Operations Centre (SOC)
  • Application & Data Security
  • Security Audit.

International Transfers

iPipeline within the UK does not transfer or process any customer client data outside of the UK. All client data is securely housed in EU data centres which are located in the UK. More information relating to our data centres can be viewed in the security overview paper which is available under NDA.

Data Protection Contact & Registration Details

Should you wish to contact us, and for future reference, our DPO can be reached at the following email address:

iPipeline are registered with the ICO under the following registration number and address:

  • Registration Number: Z8170147
  • Address: Third Floor, Montpellier House, Montpellier Drive, Cheltenham, Gloucestershire, GL50 1TY

Please note: for purposes of GDPR, where we refer to iPipeline, we refer to the UK operation only.

Further Information

For further information on GDPR, visit the Information Commissioners Office website