1. We are a commercial consultancy and training provider offering a number of services.
  2. For the many firms, organisations and individuals which place booking requests with us this document provides information and assurance on how we will comply with the GDPR.
  3. Under the GDPR we are a Data Controller. We are not a Data Processor as we do not process data under the instructions of any third party Data Controller.

Processing Activities

  1. As a Data Controller we have reviewed the purposes of our processing activities and will always select the most appropriate lawful basis (or bases) for each activity.
  2. We will document our decision on which lawful basis applies to help us demonstrate compliance.
  3. We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy policy. Please see our Privacy Policy here.
  4. We do not process special category data, criminal offence data or data relating to children.
  5. We do not sell or rent any personal data.
  6. In relation to consent as a lawful basis for processing, we will ask people to positively opt in and we will not use pre-ticked boxes or any other type of default consent.
  7. We will tell individuals they can withdraw their consent at any time and we will never use consent a precondition of a service.
  8. In relation to legitimate interests as a lawful basis for processing, we have conducted a legitimate interests assessment (LIA) and on the balancing test are confident that the individual’s interests do not override those legitimate interests and we only use individuals’ data in ways they would reasonably expect.
  9. We include more information about our legitimate interests in our privacy policy.

The Rights of Individuals

  1. We will abide by all the rights contained within the GDPR concerning individuals including the following information which is contained within our privacy policy):
    1. How to contact us
    2. Purpose of the processing and the lawful bases for the processing
    3. The legitimate interests
    4. Categories of personal data
    5. Retention period
    6. Data subject’s rights
    7. The right to withdraw consent at any time
    8. The right to lodge a complaint with us and/or the ICO (the UK supervisory authority)
    9. The possible consequences of failing to provide personal data as part of entering into a contract


  1. We are committed to ensuring that personal data is processed in a manner that ensures its security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical and organisational measures.
  2. Our procedures are compliant with the GDPR requirements.

Data Breaches

  1. Whilst we do not process sensitive category data, we have breach detection, investigation and internal reporting procedures in place in order to facilitate decision-making about whether or not we need to notify the ICO and the affected individuals.
  2. A record is kept of any personal data breaches, regardless of whether we are required to notify.
  3. Where a notification is required processes are in place to comply with Article 33.