Privacy Policy
Introduction
1. The UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018, protects the rights of individuals by setting out certain rules as to what organisations can and cannot do with personal data. The meaning of ‘personal data’ is set out in section 4 below.
2. A key element to protecting personal data is the principle to process individuals’ data lawfully and fairly. This means we need to provide information on how we process personal data and we should only process the personal data if there is a legal basis specified in the UK GDPR for doing so. The term ‘processing’ refers to any operations performed on personal data, whether or not these operations are automated. Common examples of processing are collecting, sharing, recording, organising, structuring, storing, modifying, consulting, using, publishing, combining, erasing and destroying personal data.
RiskMelder LLP takes its obligation under the UK GDPR very seriously and will always ensure personal data are collected, handled, stored and shared in a secure manner.
3. This Privacy Notice outlines how your personal data will be processed, in relation to engagements carried out at RiskMelder LLP. It will also provide guidance on your individual rights and how to make a complaint to the Information Commissioner's Office (ICO), the regulator for data protection in the UK.
Personal data
4. Personal data means any information that relates to or is capable of identifying you, the engagement co-party, as an individual. This can include direct identifiers such as your name, address/postcode, and biometric data (e.g., voice). It also includes indirect identifiers such as your gender, date of birth, place of work, or other information such as your opinions or thoughts, that can be combined to identify you.
5. It is unlikely, but we may also collect and use personal data which is referred to as 'special category' personal data in the UK GDPR. Special category personal data are data relating to: race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where this is used for identification purposes), health data, sex life or sexual orientation.
Collecting and using your personal data
6. All consultancy engagements are different and the information collected will vary. You will be shown a Privacy Notice (before taking part in the engagement) that will provide details of how any personal data will be collected and the specific purpose for which they will be used. RiskMelder LLP will only collect information that is essential for the purpose of the engagement.
Legal basis for processing your personal data
7. The UK GDPR requires us to have a valid legal reason to process and use personal data about you. This is often called a ‘legal basis’. The UK GDPR requires us to be explicit with you about the legal basis upon which we rely in order to process information about you.
8. In the context of a management consultancy engagement, the lawful basis upon which we will process your personal data is usually "Consent" or "Performance of an existing contract" (Article 6 of UK GDPR).
9. It is unlikely, but conceivable, that we may also process personal data as permitted by Article 9 of the UK GDPR which permits processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
10. Where we need to rely on consent, we will inform you of this in the Privacy Notice at the start of an engagement.
Data sharing
11. It is unlikely that client personal data will be shared by us, in the course of a client engagement. We will inform you if we think this is necessary.
12. Responsible members of RiskMelder LLP may also be given access to personal data used in a client engagement for monitoring purposes and/or to carry out an audit of the engagement. Individuals from engagement partner organisations may require access to your records. Any such people will have a duty to observe and respect the confidentiality of personal data in line with legal requirements, including the requirements of the UK GDPR.
13. If we are working with other organisations and individuals and information is shared about you, we will inform you in the Privacy Notice given to you. Information shared will be on a 'need to know' basis relative to achieving the engagement's objectives, and with all appropriate safeguards in place to ensure the security of your information. We will enter into appropriate data sharing agreements with such organisations.
Transferring data outside Europe
14. In the majority of instances, your personal data will be processed by RiskMelder LLP staff only, and in Europe, but engagements may involve collaboration with staff at other institutions. Where we will process personal data in collaboration with staff at other UK or European Union (EU) institutions, we will enter into appropriate data processing agreements which will specify the safeguards that have to be in place to comply with UK data protection law, and if applicable, EU data protection law in cases where personal data will transfer to countries of the EU. You will be informed if data is to be processed by RiskMelder LLP staff only or in collaboration with staff at other UK or EU institutions.
15. In any instances in which your personal data might be used as part of a collaboration with business partners based outside the EU, we will enter into appropriate data processing agreements with those organisations, which will specify all necessary safeguards that have to be in place to comply with the UK GDPR requirements for safeguarding personal data that are processed in territories outside of the UK and the EU on the basis of rights and protections that apply to the processing of personal data in the UK. You will be informed if your personal data are to be processed by staff outside of the EU.
Storage and security
16. RiskMelder LLP takes a robust approach to protecting the information it holds with dedicated storage areas for research data with controlled access.
17. Alongside these technical measures, there are comprehensive and effective policies and processes in place to ensure that users and administrators of RiskMelder LLP information are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining RiskMelder LLP, existing staff regularly undergo re-training and expert advice is also available.
Data retention
18. Your information will not be kept for longer than is necessary and will usually be kept in an anonymised or pseudonymised format. The length of time for which we keep your data will depend on a number of factors, including the importance of the data and the nature of the engagement. Details will be given in the Privacy Notice.
Your rights under data protection
19. Under the UK GDPR you have the following rights:
- to obtain access to, and copies of, the personal data that we hold about you;
- to require that we cease processing your personal data if the processing is causing you damage or distress;
- to require us to correct the personal data we hold about you if it is incorrect;
- to require us to erase your personal data;
- to require us to restrict our data processing activities;
- to receive from us the personal data we hold about you which you have provided to us, in a reasonable format specified by you, including for the purpose of you transmitting that personal data to another data controller;
- to object, on grounds relating to your particular situation, to any of our particular processing activities where you feel this has a disproportionate impact on your rights.
20. Your rights to access, change (rectify), or remove your information (erasure) may be limited, as we need to manage your information in specific ways in order for the engagement output to be reliable and accurate. We must comply with a request to erase personal data, or to rectify personal data that are inaccurate unless there are grounds for refusing the request specified in the UK GDPR. To safeguard your rights, we will use the minimum personally-identifiable information possible.
21. If you submit a request for access to your own personal data (Subject Access Request) RiskMelder LLP will disclose to you your personal data, which you are entitled to receive on the basis of your request. This will take place within one month of your request, unless there is a justification for extending the response time by a further two months.
22. If you are not satisfied with how RiskMelder LLP has handled your information or dealt with any request for your information, you have the right to complain (see section 26 below).
Contact us
23. If you have any questions about personal data collected in the course of a consulting engagement, please contact the lead member of staff conducting the engagement, using the contact details supplied below.
Exercising your rights including the right to complain
24. If you want to exercise any of the rights specified in section 19 above, or to complain if you are unhappy with the way your information has been used, you should contact RiskMelder LLP's Data Protection Officer (contact details below).
Henry Morris
Managing Partner and Chief Privacy Officer
25. RiskMelder LLP will seek to deal with your request without undue delay, and in any event in accordance with the requirements of the UK GDPR. Please note that we will keep a record of your communications to help us resolve any issues which you raise. Records retained will be in accordance with our retention schedule.
How to Make a Complaint to the Regulator
26. If you are dissatisfied with how we have dealt with a request you make relating to your personal data, or you believe that your data protection or privacy rights have been infringed, you should contact the UK Information Commissioner's Office (ICO), which oversees data protection compliance in the UK. Details of how to do this can be found at: (https://ico.org.uk/make-a-complaint/).
Copyright © 2024 RiskMelder LLP - All Rights Reserved.