GDPR and Information Security


Thrive welcomes the introduction of the General Data Protection Regulation (GDPR) on Friday 25th May 2018 and has been working on an implementation plan to ensure Thrive is compliant with the high demands of the new regulations.


Thrive have updated the relevant subscription service agreements as part of the GDPR preparation process:


Thrive also have a separate TOL SECURITY STATEMENT that has been reviewed as part of the GDPR implementation.


CyberEssential Plus

CyberEssentials Plus logo


Thrive has certified to the CyberEssentials Plus standard since 2016. The CyberEssentials Plus accreditation is audited and verified by an independent Certification Body (InteliSecure) and is re-certified every year.

CyberEssentials is a government backed scheme that aims to help organisations implement basic levels of protection against cyber-attack; demonstrating to their customers that they take cyber security seriously.

CyberEssentials Plus ensures Thrive has reached compliance across five technical control themes:

  • Firewalls – ensure that only safe and necessary network services can be accessed from the Internet.
  • Secure configuration – ensure that computers and network devices are properly configured to:
    • reduce the level of inherent vulnerabilities
    • provide only the services required to fulfil their role
  • User access control – Ensure user accounts:
    • are assigned to authorised individuals only
    • provide access to only those applications, computers and networks actually required for the user to perform their role
  • Malware protection – restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.
  • Patch management – ensure that devices and software are not vulnerable to known security issues for which fixes are available.

Backing for the Cyber Essentials accreditation from the government is strong. From 1st October 2014, Cyber Essentials became a minimum requirement for bidding for some government contracts which involve handling personal information and providing certain ICT products and services.

Control of processing

Thrive have carried out an exercise establishing a central register of all personal data held where Thrive are either the data controller or data processor, documenting the relevant details as required by the GDPR. Note that for Thrive-Online, Thrive is considered the Data Processor and the customer the Data Controller.

Policies and procedures

Thrive have performed an information audit to identify what personal data is held. Thrive have reviewed, are in the process of reviewing, or have produced new policies, procedures, contracts and agreements to address areas such as retention, security and data sharing and ensure compliance with the GDPR. These include, but are not limited to:

  • Privacy Policy
  • TOL Security Statement
  • TOL Consent Form
  • Security Policy
  • Business Continuity Plan
  • Subscription Agreements
  • Thrive membership terms and conditions
  • Retention Policy


The Thrive website has been updated to ensure that where data is collected, the processing reasons for collecting this data are clearly stated as are the ways of unsubscribing. Clear information has been provided about cookies on the Thrive website.

Any questions?

Please contact if you have any questions about Thrive and the GDPR.