
Privacy Policy

Introduction

The General Data Protection Regulation (GDPR) is a new legal framework set up by the European Union in April 2016 to build upon existing data protection legislation. GDPR came into effect on 25th May 2018, and has introduced a range of fresh guidelines spelling out the rights of consumers and dictating how companies can store and share information.

As a hugely significant change to the global business landscape, it is critical that Self-Project Management Advisors Ltd embraces all aspects of GDPR to maintain full compliance.

Our obligations for GDPR compliance

Here at Self-Project Management Advisors Ltd, we fully appreciate and support the European Union’s focus on expanding upon digital rights. As a company, we strongly believe in the need for greater business transparency and accountability concerning the collection and handling of personal data.

That is why Self-Project Management Advisors Ltd is a firm advocate of GDPR and its many implications. These include among many other aspects:

  • The Right to Object to Processing
  • The Right to Be Forgotten
  • The Right to Data Portability
  • The Right to Withdraw Consent

As part of our commitment to GDPR and the rights of our customers and clients, Self-Project Management Advisors Ltd vows to ensure our organisation considers and actions all necessary changes surrounding data processing, data storage and the disposal of personal data.

This includes a commitment to fully fulfil Breach Disclosure Requirements by notifying authorities and concerned individuals of any compromise within 72 hours. Moreover, as part of our GDPR strategy, Self-Project Management Advisors Ltd will complete impact assessments wherever possible, to identify and deliver the best service possible, as well as to extend our customers a guarantee that data is being kept secure.

Furthermore, we pledge to uphold the following key values and responsibilities:

Self-Project Management Advisors Ltd’s strategic values and responsibilities

  • We vow to demonstrate full responsibility and dutiful respect as a keeper of customer, client and employee data.
  • We totally support GDPR and its requirements, and will do everything within our power to appropriately resource and fund any changes we must enforce to ensure Self-Project Management Advisors Ltd can meet its obligations.
  • We promise to maintain ownership and transparency concerning data protection and privacy across all elements of our company.
  • We pledge to create and maintain a purposeful data processing inventory documenting all data operations, including collection, processing and storage.
  • We guarantee to extend every possible show of support to individuals intent on exercising their rights as outlined under GDPR legislation.
  • We will conduct a regular review to assess the legality and purpose for the collection, processing and storage of personal data.
  • We vow to act upon identified gaps and develop robust processes to maintain full GDPR compliance.
  • We promise to clearly communicate the business purpose and legal grounds for any transfer of data – including transfer outside of the European Union.
  • We will contact all partner organisations, contractors or other third parties to identify their own GDPR commitments, establish relevant contract terms and solidify GDPR compliance controls.

Privacy statement and consent collection

Anna Pina is the designated data controller for Self-Project Management Advisors Ltd and is committed to upholding our commitments to protect the rights of individuals under legislation outlined within the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

Self-Project Management Advisors Ltd has an appointed data protection officer Anna Pina to assist us in upholding our commitment to individual rights. Our data protection officer can be contacted both through our website www.self-pma.co.uk, as well as by post 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

Self-Project Management Advisors Ltd must collect the following sensitive data about you so that we can deliver personalised project management advice:

  • Name
  • Surname
  • Address
  • Telephone number
  • Email address

Self-Project Management Advisors Ltd needs your explicit consent for processing this sensitive data. We must request your signature for this consent.

Self-Project Management Advisors Ltd only uses personal data for the reasons for which it was collected. We will only ever use your personal data for another reason if we reasonably consider that the other purpose is compatible with the original reason for which the data was collected.

If we are required to make such a decision, we will always notify you. We may also at times be required by law to process your personal data without your knowledge.

To find out more about the reasoning behind any decision Self-Project Management Advisors Ltd has made to process your data for a new purpose, get in touch.

You may receive marketing communications from Self-Project Management Advisors Ltd if you have:

  • Requested information from us
  • Purchased goods or services from us
  • Provided us with explicit consent for us to send you marketing communications
  • Not opted out of receiving marketing communications

We will always ask for your consent before we share your personal data with any third-parties. You can ask us or any relevant third-parties to cease sending you marketing communications at any time, by emailing us. You should send relevant requests to hello@self-pma.co.uk.

Please note that if you opt out of receiving marketing communications from Self-Project Management Advisors Ltd, your personal data may still be retained as it relates to the provision or purchase of a product and/or service, warranty registration or other transactions.

Self-Project Management Advisors Ltd respects your rights. We fully observe your right to access your personal data, to object to the processing of personal data, or to erase, restrict, rectify or port your personal data. Relevant requests can be made to Self-Project Management Advisors Company Director at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

Self-Project Management Advisors Ltd has implemented a series of security measures to make sure that your personal data is protected from accidental loss, unauthorised access, alteration or disclosure. Self-Project Management Advisors Ltd limits access to your data only to those employees, agents, contractors or other third parties with a legitimate reason to access that information. Those individuals or organisations will only ever process or access your personal data upon our explicit instructions. They are subject to a duty of confidentiality.

If you are not happy with how your personal data has been processed, you should contact Self-Project Management Advisors Company Director in the first instance by using the contact details listed above. If Self-Project Management Advisors Company Director is unable to satisfy your concerns, you have the right to apply to the Information Commissioner’s Office for a resolution.

You can contact the Information Commissioner’s Office at the following address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
www.ico.org.uk

Privacy Notice

Date: 21 January 2024

Self-Project Management Advisors Ltd takes your privacy seriously. That is why we will only use your personal information to provide you with the products and services you have requested, as well as to administer your account. We will not sell or share your information with third-parties unless you grant us explicit permission to do so, and we will never use your personal data for any reason other than the reasons described within this policy.

About our privacy policy

Our privacy policy outlines your relationship with our company and explains in detail how we use the information that you provide us with.

About Self-Project Management Advisors Ltd

Self-Project Management Advisors Ltd is the trading name of Self-Project Management Advisors Ltd, which is registered in England and registered with the UK’s Information Commissioner’s Office under the Data Protection Act 2018. Our data controller is Anna Pina, and we encourage you to get in touch with any questions you may have about Self-Project Management Advisors Ltd.

You can reach us by:

  • Post: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
  • Telephone: 02080884262
  • Email: hello@self-pma.co.uk
  • Website: www.self-pma.co.uk

Changing your preferences

If you’d like to change your web, contact or marketing preferences, you can do so at any time. Simply contact us at hello@self-pma.co.uk to request the necessary amendments.

How we do business

Self-Project Management Advisors Ltd is committed to upholding and maintaining your personal rights. We operate our business in-line with the European Union’s General Data Protection Regulation and observe your rights to change or withdraw your opt-in options at any time. As part of our ongoing commitment to uphold your rights, Self-Project Management Advisors Ltd will also extend advice on how you can issue formal complaints to relevant authorities, such as the Information Commissioner’s Office.

Sensitive data

Self-Project Management Advisors Ltd does not collect any sensitive data about you. Sensitive data refers to (but is not limited to) information about your race or ethnic background, religious or political affiliations, trade union affiliations, sexual orientation, criminal background or health background.

Who our privacy policy applies to

This privacy policy has been developed to inform users of Self-Project Management Advisors Ltd how we use their data. Self-Project Management Advisors Ltd is an online project management consultancy firm, and we need to process the data of individuals to offer our products and/or services. Bearing that in mind, our privacy policy applies to any and all individuals registered with us as a user, customer, administrator or in any other capacity.

 

What information this policy applies to

There is a lawful basis for processing your data, and this section of our privacy policy outlines how this applies to the personal information you provide us with or allow us to collect.

The information this policy applies to includes information that you:

  • Provide as part of any registration process
  • Provide as part of any campaign creation activity
  • Provide in the form of numerical data, metadata or communications
  • Give us as part of our ongoing relationship

This policy also applies to information that we:

  • Collect relating to how you interact with our website
  • Must process to complete purchases and other transactions

How we collect your information

  • Cookies (Please refer to the links in the Cookies section)
  • Check-out Process
  • Newsletter Sign Up Form
  • User information collected at checkout

Consent

Please note that when you submit personal data on our website, you are giving Self-Project Management Advisors Ltd your explicit consent that we can use that data in line with our privacy policy.

Opting-out

After giving Self-Project Management Advisors Ltd your consent, you are free to amend your consent or withdraw your consent at any time. You have the right to object to the processing of your data. To opt-out, change your preferences or revoke your consent, simply contact us by emailing hello@self-pma.co.uk.

Data processing and storage

Self-Project Management Advisors Ltd collects and stores data in the UK. We will store your data for a period of 2 years after your last recorded login attempt unless otherwise noted and explicitly stated.

Self-Project Management Advisors Ltd stores data relating to transactions, payments and orders for a period of up to seven years. This period may be extended under certain circumstances as part of our ongoing commitment to comply with UK and international law.

We use carefully selected and recognised third-parties to help us take payments, provide commerce services and manage company accounts. Some of these third-parties may operate outside the European Union.

Self-Project Management Advisors Ltd may process your data based on more than one legal ground.

Circumstances under which we may be required to process your data under more than one legal ground may include:

| Reason | Data type | Legal basis |
| --- | --- | --- |
| Customer registration | Identity and contact information | To carry out a contract we’ve made with you |
| Processing and/or delivering your order | Identity, contact information, financial information, financial and transactional data | To carry out a contract we’ve made with you and to exercise our legitimate interests to recover debts owed |
| To manage our customer relationship with you | Identity, contact information, marketing and communications preferences | To carry out a contract we’ve made with you, to comply with legal obligations and to exercise our legitimate interests to keep our records updated |

Marketing and communications

Self-Project Management Advisors Ltd may send you marketing communications if you have given us your contact details and opted-in to marketing communications.

You can opt-out of these marketing communications and manage your preferences at any time.

Our company obligations

As a data controller, Self-Project Management Advisors Ltd is legally responsible for the data you provide us with. In honouring that responsibility, we pledge to uphold our commitments under GDPR and the Data Protection Act 2018.

We will only ever use your data:

  • In ways that are both fair and legal
  • As described within this policy
  • In ways that are necessary for the purposes described

In addition, Self-Project Management Advisors Ltd processes the personal data you submit to us or we collect as a data processor. As part of this role, Self-Project Management Advisors Ltd takes all necessary precautions to secure the personal data we collect, process and store.

We may occasionally use the data you provide us with for marketing, relationship management or account management activities. These activities are designed to ensure you have adequate information about other products and/or services we offer, that we have reason to believe you may be interested in. You have the right to opt-out of these activities at any time.

 

Third-Parties

Self-Project Management Advisors Ltd never shares your personal data with third-parties unless those parties have been explicitly mentioned within our privacy statement.

Our security

As part of our ongoing commitment to GDPR, Self-Project Management Advisors Ltd will report any security breaches or attempted breaches to the relevant authorities within 24 hours. We will subsequently contact all those affected by the breach within 72 hours of its occurrence.

Legitimate interests

As part of the Data Protection Act 2018, Self-Project Management Advisors Ltd observes the right to share selected information with third-parties that use data for non-marketing purposes. This could include (but is not limited to) organisations that provide credit assessments, identification services and fraud prevention activities.

Contact us

Self-Project Management Advisors Ltd is committed to upholding your rights. If you have any questions, comments or concerns about this privacy policy or wish to exercise your rights in relation to your personal data, please contact Anna Pina at Self-Project Management Advisors Ltd.

We will process any request within 20 days. Subject Access Requests are normally performed free of charge, but we may need to charge individuals for excessive or unreasonable data requests.

DATA SECURITY POLICY

Introduction

Here at Self-Project Management Advisors Ltd, we collect, process and store personal data for a range of business purposes. Data subjects include customers, suppliers, partners, employees, clients and other stakeholders and individuals.

Bearing in mind Self-Project Management Advisors Ltd’s commitment to uphold the rights of the individual as enshrined in law, our data security policy is designed to protect all past, current and future employees, customers, or partners, from illegal or damaging activity conducted by others using their personal data.

Our data security policy outlines how Self-Project Management Advisors Ltd will endeavour to guard and protect all personal data. It also sets out to raise the awareness of staff members in relation to the ways in which GDPR impacts their use of individuals’ personal data.

This policy applies to all data processing activities involving Self-Project Management Advisors Ltd, and includes activities or systems related to both internal business operations, as well as external relations and any third-party agreements.

Please note that Self-Project Management Advisors Ltd’s data security policy applies to all employees, and this policy may be subject to review and amendment on a regular basis. For more information about this policy and its overall implementation, consult our Data Protection Officer.

This document is subject to regular review to ensure ongoing regulatory compliance.

Data security policy definitions

Personal data

Personal data encompasses any type of information that relates to an identifiable individual. Various types of personal data Self-Project Management Advisors Ltd may collect, store and process could include:

  • Contact details
  • Financial information
  • Educational background
  • Certifications
  • Skills
  • Nationality
  • Marital status
  • Job title

The above list is by no means exhaustive, and should be used merely as a point of reference from which a working definition of personal data can be established and further developed.

Sensitive personal data

Under GDPR, sensitive personal data is defined as encompassing any of the following:

  • Racial or ethnic origin
  • Political opinion
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health-related information
  • Sexual orientation

It is paramount that all sensitive personal data is kept under stringent control as part of the implementation of our data security policy.

Purposes of personal data

Self-Project Management Advisors Ltd uses personal data for a range of various purposes. These purposes may include:

  • Financial
  • Administrative
  • Human resources
  • Regulatory compliance
  • Payroll
  • Business development

Please note the above list is by no means exhaustive, and should merely be used as a reference point from which a working definition of purpose can be established.

Business purposes

Self-Project Management Advisors Ltd must carry out a range of functions and processes as part of our operational activity. Data kept in relation to these activities falls under the category of data for business purposes, which includes information of the following nature:

  • Operational
  • Compliance
  • Policy adherence
  • Human resources and personnel
  • Marketing

The above list is by no means exhaustive, and should be used merely as a point of reference from which a working definition of business purposes can be established and further developed.

Fair processing

At Self-Project Management Advisors Ltd, there will be occasions when employees will need to process personal data; however, processing activities must always be carried out in a fair and lawful manner that is compatible with the rights of each corresponding individual. Consequently, we should avoid processing the personal data of any individual who has not provided us with explicit consent.

Our company must strive to obtain explicit consent at all costs, and we must clearly identify to the individual what data is being processed, why we need to use it and who will have access to their data. These factors must be identified and clearly reiterated to the individual at the point of request for consent.

It’s worth noting there may be exceptional circumstances in which we are asked to process sensitive personal data without consent. An example of an exceptional circumstance could include legal obligations we may need to carry out to comply with health and safety regulations.

Self-Project Management Advisors Ltd endeavours to take all actions necessary to ensure that all personal data we obtain, process and store is accurate, relevant and adequate in relation to the reason for which we asked for that information. We should not hold excessive or irrelevant data on any individuals, and we will not process any personal data for a purpose unrelated to the purpose for which the relevant individual has consented to the processing of their data.

Our roles and responsibilities

Data security is a critical component of our business. It falls on everyone at Self-Project Management Advisors Ltd to take responsibility for data security, and all employees must familiarise themselves with our data security policy and do everything within their power to uphold that policy on a day-to-day basis.

Please note that Self-Project Management Advisors Ltd takes data protection incredibly seriously, and we expect all staff members to adhere to this data security policy. Any failure and refusal to comply with this policy could ultimately place our company at risk.

Bearing that in mind, personal non-compliance with this data security policy could lead to disciplinary action under ordinary personnel procedures. Please contact your line manager with any further questions concerning data protection at Self-Project Management Advisors Ltd.

As a staff member at Self-Project Management Advisors Ltd, you can expect to receive data protection training in line with our data security policy. All incoming employees will be provided training as an aspect of the wider staff induction process, and all staff members can anticipate the requirement to undergo additional training as a result of subsequent regulatory updates to GDPR or other relevant legislation as it relates to data security. 

Data security will inevitably encompass a range of additional responsibilities for various roles within the company. These roles and their responsibilities include (but are not limited to):

Data Protection Officer

GDPR stipulates our company must appoint a Data Protection Officer. It is our Data Protection Officer’s responsibility to:

  • Organise data security training for all employees not specifically referenced within this data security policy.
  • Review and analyse all existing data security protocols and processes on a regular basis.
  • Be a point of contact for all employees, clients and stakeholders to answer questions about data protection and data security.
  • Respond to internal or external queries from individuals wanting to know what data relating to them may have been obtained, processed or stored by our company.
  • Conduct due diligence and submit approval in relation to any contractual agreement with a third party involving the processing or storage of data.
  • Maintain constant contact with company directors, board members and stakeholders in relation to data security, company responsibilities and data risk management.

IT Manager

Information technology plays a crucial role in the way our company operates. Any processes relating to IT and the processing and storage of data must be carefully monitored, assessed and guided by an IT Manager.

It is the responsibility of Self-Project Management Advisors Ltd’s IT Manager to:

  • Conduct due diligence and appropriate levels of research into any third-party service that our company may call upon to store or process any data.
  • Make sure that all company software, IT systems, equipment and services meet changing levels of data security standards.
  • Carry out regular checks, audits and scans to ensure security hardware and security software are fully functional and optimised to manage and mitigate data security risks.

Marketing Manager

A significant proportion of our marketing activities involve the collection, storage and processing of data. Consequently, our Marketing Manager must oversee the following responsibilities:

  • Accept all queries relating to data security and data protection from leads, media outlets, clients or other individuals and oversee and deliver an adequate response.
  • Work alongside Self-Project Management Advisors Ltd’s Data Protection Officer to make sure that all of our marketing processes, campaigns and activities are compliant with all relevant data security and data protection laws – as well as our own company data security policy.
  • Review, draft and approve any relevant data security statements that must accompany emails, other messages or applicable marketing collateral.

Our data security policies

Self-Project Management Advisors Ltd takes data security extremely seriously, and we place the rights of the individual and regulatory adherence at the heart of everything we do as a company.

In light of our commitments, it is mandatory that all staff members observe and adhere to the following data security policies:

Data storage policy

  • All information or data that is collected and processed is subject to all of the applicable requirements as outlined and documented within this policy. This includes information collected electronically, by paper, telephone or data collected through any other means.
  • All data must be collected, stored and protected in a secure location appointed by Self-Project Management Advisors Ltd, for a retention period as predefined by corresponding legislation or company policy.
  • Staff members are strictly forbidden to retain confidential information or personal data not relating to themselves on their personal devices. Exceptions to this policy include information that is needed for a purpose that is work-related, temporary and specified and approved by a relevant manager.
  • Staff members should avoid downloading sensitive files or confidential information to local devices wherever possible. Information being necessarily processed for work purposes may be exempt from this policy.
  • Employees must install and use software and systems that have been licensed and approved by the company on devices while carrying out the duties of their role. Downloading or using any software, app or system that is not preapproved by the company will require prior approval from the company’s IT Manager.
  • All mobile and portable devices used by staff members should be approved by the company’s IT Manager and secured to prevent unauthorised access or breach. Personal devices could include a laptop, smartphone, tablet or any other handheld computing devices. This policy also applies to any shared cloud storage spaces.
  • All internet access and online operations carried out by employees could be subject to monitoring and filtering in accordance with relevant legislation and company policy. This monitoring should be carried out only by the IT Manager or an authorised member of staff.
  • Employees must adhere to all applicable elements of this policy when using personal devices to access company resources. Similarly, employees must observe and adhere to all applicable elements of this data security policy when using equipment provided by Self-Project Management Advisors Ltd to access information externally.
  • Employees are forbidden from using public access devices. This practice is allowed in some circumstances; however, prior and explicit approval from a line manager for regular public access must be obtained and recorded.
  • Employees must use access tools provided to them by a client or partner of Self-Project Management Advisors Ltd if access is granted to any third-party storage system or data storage facility.
  • It is forbidden to send, forward or submit any of the information or data referred to within this data security policy to a third-party unless deemed essential to complete approved processes.
  • If an employee needs to carry out an approved submission of data to any relevant third-party, that data must be made secure in accordance with company policy and any relevant third-party data protection protocols.

Please note that Self-Project Management Advisors Ltd will carry out regular system audits to monitor and ensure ongoing compliance with this data security policy and all regulatory requirements as outlined under GDPR.

Data retention policy

While Self-Project Management Advisors Ltd must routinely collect and store data, we are committed to the rights of individuals. That’s why we retain all information and personal data for no longer than we need to.

The necessary length of retention will often be decided on a case-for-case basis, bearing in mind the rationale and original purpose surrounding data collection and retention. Decisions of this nature must be made in a way that is compatible with our existing data retention guidelines under GDPR.

For additional guidance, consult the following corresponding documents:

  • Data retention and erasure policy document

International data transfer policy

Employees must observe a series of restrictions that apply towards the international transfer of data or personal information. Employees are not permitted to transfer personal information or data outside of the United Kingdom without having obtained explicit permission in the first instance from the company’s Data Protection Officer.

Data encryption and anonymisation policy

Self-Project Management Advisors Ltd deploys encryption to secure and protect data that is stored on devices from unlawful processing or unauthorised access. Encryption is also used to protect information that is in transit.

We also use the anonymisation of personal data wherever deemed prudent to ensure the rights of the individual are fully protected and observed.

In line with these principles, we are committed to the use of both encryption and anonymisation as a risk management tool alongside existing systems, to protect the company from accidental loss, as well as from the damage or destruction of data or personal information.

Activities that are prohibited

Unless otherwise noted or informed, employees are strictly forbidden from using company equipment, tools or systems for any purpose unrelated to their role responsibilities, excluding any previously mentioned exceptions. This policy also relates to any relevant systems, tools or equipment belonging to a company client or partner.

Bearing that in mind, the following activities should be deemed forbidden with no exceptions:

  • Any unauthorised replication of copyrighted materials.
  • The violation of individual rights by way of the unnecessary collection, storage and processing of personal data or information.
  • The violation of rights of an individual or organisation protected under intellectual property law in any jurisdiction.
  • The use of any programme, command or interface designed to interfere with a user or corresponding user session.
  • The accessing of any data, user account or server for any purpose unrelated to the business function of an individual’s company role.
  • Issuing fraudulent product or service offers from a company account.
  • The allowed sharing or use of employee login credentials or company systems by anyone apart from the named individual.
  • The export of proprietary or confidential information as it relates to the company.
  • The export of any software or data that is in breach of regulation or the company’s data security policy.
  • Knowingly causing a network disruption or security breach.
  • An employee is not allowed to access data that is not intended for them by logging into a system or gaining access to a confidential or limited-access account. The only exception to this rule is if the employee is granted access as part of a specific company project.

Please note that any violation of this policy can lead to disciplinary action, alongside legal action where deemed prudent or necessary.

 

Reporting security issues

If you encounter any incidents or issues relating to the security or protection of information or data, you must report this immediately to company management. Management will subsequently take and record any action deemed necessary to prevent damage or loss in relation to a security threat.

If necessary, it is the responsibility of company management to report relevant incidents relating to a data breach or information security threat to regulators or the authorities. Under GDPR, it also falls upon management to contact the individuals involved in any breach or security threat.

DATA RETENTION AND ERASURE POLICY

Our approach towards data retention

This policy is designed to ensure Self-Project Management Advisors Ltd does everything within its power to adequately protect, maintain and store data. This policy has also been developed to ensure that any data, documents or records that have no further use or value to Self-Project Management Advisors Ltd are disposed of in line with our regulatory obligations and relevant company policy.

Employees should consult our data retention and erasure policy, to develop an understanding of our company’s obligations relating to the ways in which we retain data or electronic documents. These documents may include, but are not limited to:

  • Emails
  • Word Documents
  • Spreadsheets
  • PDF documents
  • Web files
  • Sound files
  • Videos

Personal data must never be kept for longer than it is needed. Consequently, employees should use our company’s data retention schedule as a guide to Self-Project Management Advisors Ltd’s general retention periods for the various data categories, which have been assigned based upon the purpose of the data. In line with our regulatory obligations, all data that is no longer necessary should be deleted and all copies must be destroyed in line with our data erasure schedule.

Data retention schedule administration

This data retention schedule documents the maintenance, retention and disposal guidelines relating to any and all records our company holds. It must be reviewed and accordingly amended on a regular basis to ensure data storage and erasure processes are adhering to Self-Project Management Advisors Ltd’s wider data retention policy approach.

There will be times when data may need to be retained longer than the pre-defined amount of time permitted. Circumstances in which our policy will need to be suspended may include, but are not limited to:

  • Legal proceedings
  • Regulatory investigations
  • If criminal activity is suspected or alleged
  • If relevant data concerns a company or organisation in receivership or liquidation
  • If the relevant data is of historical importance to the owner or controller

In the event of legal proceedings, criminal activity or investigations, Self-Project Management Advisors Ltd and its employees must retain data that relates to the situation and could serve to aid the company’s case or position, liability or amount involved. Should such a situation occur during the lifetime of this policy, Self-Project Management Advisors Ltd will inform all staff of the policy’s suspension as it relates to said situation.

Data retention schedule

Self-Project Management Advisors Ltd has developed its data retention policy in line with the following data retention schedule:

| Department | Function |
| --- | --- |
| 1 | Accounting and finance data |
| 2 | Contract data |
| 3 | Corporate records |
| 4 | Correspondence and internal memoranda |
| 5 | Personal data |
| 6 | Electronic data |
| 7 | Insurance data |
| 8 | Legal data |
| 9 | Miscellaneous data |
| 10 | Personnel records and data |
| 11 | Tax records and data |

  1. Accounting and finance data

| Record | Retention period |
| --- | --- |
| Company financial statements and annual audit reports | Permanent |
| Annual audit records (including relevant documents) | 7 years after audit completion |
| Company bank statements | 7 years |
| Cancelled cheques | 7 years |
| Employee expense reports | 7 years |
| Interim company financial statements | 7 years |
| Credit card records | 2 years |
| Annual plans and company budgets | 2 years |

Any and all items that display customer bank details or credit card information must be kept under secure conditions when not in immediate use. This includes keeping printed records in a locked desk drawer or filing cabinet.

If Self-Project Management Advisors Ltd determines it is necessary to keep a document that displays customer financial details beyond a retention period of 2 years, all identifying details or financial information as it relates to any customer must be redacted or removed from the document in question.

  2. Contract data

| Record | Retention period |
| --- | --- |
| All company contracts | 7 years after expiration or termination |
| All correspondence relating to contracts | 7 years after expiration or termination |

  3. Corporate records

| Record | Retention period |
| --- | --- |
| Corporate records | Permanent |
| Licenses and permits | Permanent |

For the purpose of this schedule and corresponding policy, ‘corporate records’ should be defined to include anything relating to:

  • Meeting minutes
  • Signed minutes of the board
  • Signed minutes of any committees
  • Record of incorporation
  • Articles of incorporation
  • Annual corporate reports

  4. Correspondence and internal memoranda

The vast majority of correspondence and internal memoranda must be retained for the same period of time as the document or data to which they relate. For example, an email relating to a contract would be expected to be retained for a period of 7 years after the expiration of the corresponding contract.

Bearing this in mind, Self-Project Management Advisors Ltd recommends that all correspondence and internal memoranda as it relates to a company project be kept with said project as part of a project-wide file.

Company correspondence or internal memoranda unrelated to documents that have a defined retention period should be securely destroyed at an earlier time, depending upon which of the following two categories it falls under:

Category 1

Category 1 correspondence or internal memoranda includes any and all data as it relates to routine processes. Category 1 correspondence and internal memoranda generally do not carry any significant consequences and should be disposed of within 2 years.

Examples of category 1 correspondence and internal memoranda may include (but are not limited to):

  • Notes of appreciation or thanks
  • Plans for meetings
  • Forms or letters that do not require a follow up
  • General enquiries that have been settled
  • Chronological correspondence data
  • Complaints requesting a specific action that have already been addressed and carry no further value
  • Correspondence relating to inconsequential subject matter

All copies of internal office correspondence should be read and destroyed as per this policy unless that correspondence includes data or content that must be retained as part of a wider project.

Category 2

Category 2 correspondence or internal memoranda includes non-routine information or correspondence that is likely to have a consequential impact upon the company or its employees. Category 2 correspondence and internal memoranda should be retained on a permanent basis.

  5. Personal data

There will be times when Self-Project Management Advisors Ltd and its employees must retain and/or delete personal data in line with its legal obligations.

For the purposes of this data retention and erasure policy, ‘personal data’ can be defined as any identifying information as it relates to an individual. We never keep personal data for longer than is necessary for the purpose in which that data was collected. All personal data as defined within the following categories should be deleted based upon this retention and erasure schedule:

| Record | Retention period |
| --- | --- |
| Data relating to customer devices | 2 years after the account is closed |
| Data relating to use of our company website | 2 years after the account is closed |
| Any data collected when registering with our website | 2 years after the account is closed |
| Data collected and submitted as part of any profile creation processes | 2 years after the account is closed |
| Data submitted for the purpose of subscribing to email marketing activities | Indefinitely (or until customer unsubscribes) |
| Data submitted as part of online service delivery | Indefinitely |
| Data relating to any subscriptions | 2 years after the account is closed |
| Data posted in a public area on our company website | 2 years after the post |
| Data contained in communications sent through the website | 2 years after contact |
| Any other personal data | 2 years after contact |

Self-Project Management Advisors Ltd reserves the right to retain any and all documents (both electronic and print) containing personal data to the extent our company is required by law to do so. We will also retain documents containing personal data if we have reason to believe said documents could be relevant to legal proceedings, or to establish and/or exercise our own legal rights.

Our company will organise backups of our database and all of the electronic data held within our company server(s). Backup activities should include all data that relates to current users or customers, alongside any document or dataset relating to one of the aforementioned reasons as outlined within this data retention and erasure policy. Self-Project Management Advisors Ltd does this to ensure that lost information can be retrieved within one year, as and where needed.

  6. Electronic data

Emails

Most emails do not need to be kept. Emails that are inconsequential or unrelated to contracts or projects should subsequently be treated in line with the following policies:

  • All emails should be deleted after 12 months. This includes both internal and external emails
  • Self-Project Management Advisors Ltd will archive emails for six months after employees have deleted them. After this six-month period, archived emails will be destroyed
  • Employees should never send emails containing confidential or proprietary data to external sources unless it has been approved by a relevant manager

Electronic documents

Electronic documents include, among other formats, both PDF documents and files originating from the Microsoft Office suite or similar software.

Retention and erasure will depend upon the purpose of the electronic document, yet as a general rule of thumb employees can apply the following rules:

For PDF documents, the maximum period of retention should be 6 years. PDF documents that employees deem vital to their performance or role should be printed and/or stored in the relevant employee’s workspace.

For text documents or other formatted files, the maximum period of retention should be 5 years. Text documents or other formatted files that employees deem vital to their performance or role should be printed and/or stored in the relevant employee’s workspace.

Self-Project Management Advisors Ltd does not and will not automatically delete electronic documents or corresponding data beyond the time periods defined within this policy. It is the responsibility of our employees to ensure they are adhering to our policy guidelines.

  7. Insurance data

| Record | Retention period |
| --- | --- |
| Certificates | Permanent |
| Claims files | Permanent |
| Current insurance policies | Permanent |
| Expired insurance policies | Permanent |

  8. Legal data

| Record | Retention period |
| --- | --- |
| Legal memoranda and legal opinions | 7 years after resolution |
| Litigation data | 1 year after expiration of appeals or time for filing appeals |
| Court orders | Permanent |
| Requests for a departure from Self-Project Management Advisors Ltd retention and erasure schedule | 10 years |
| Register of members | Permanent |
| Director’s meetings minutes | 10 years |

  9. Miscellaneous data

| Record | Retention period |
| --- | --- |
| Reports from consultants | 2 years |
| Documents containing content of historical value | Permanent |
| Original policy and procedures manuals | Current version with revision history |
| Copies of policy and procedures manuals | Retain current version only |
| Annual company reports | Permanent |
| Records of personal identification | 5 years |
| Any work-related reportable accident, injury or death | 3 years from incident |
| Immigration checks | 2 years from termination of job |

  10. Personnel data

| Record Type | Retention Period |
| --- | --- |
| Job applications and/or related interview data concerning unsuccessful candidates | 6 months |
| Employee personnel records | 6 years after end of contract |
| Employment contracts | 7 years after end of contract |
| Employment records correspondence with employment agencies | 3 years from date of hiring |
| Job descriptions | 3 years after superseded |
| Working time opt-out documentation | 2 years |
| Financial details of employees | As long as necessary |

  11. Tax data

Self-Project Management Advisors Ltd keeps accounts and/or records to demonstrate and establish amounts of gross income, deductions, credits and other information. These records are crucial to maintaining our company’s compliance with tax laws.

Associated records and documentation will include (but are not limited to) the following records and associated schedules:

| Record | Retention period |
| --- | --- |
| Tax-exemption documentation | Permanent |
| Tax bills | 7 years |
| Tax returns | Permanent |
| Tax receipts | Permanent |
| Tax statements | Permanent |
| Sales and/or use of tax records | 7 years |
| Annual returns | Permanent |
| Payroll/wage records for unincorporated businesses | 5 years after 31 Jan following the year of assessment |
| PAYE records | 3 years from the end of the tax year to which they relate |
| Maternity records | 3 years after the end of the tax year in which the maternity pay period ends |

Data breach policy, letter and reporting template

Here at Self-Project Management Advisors Ltd, we take privacy seriously. That is why we take every possible precaution to protect personal data, and actively work to avoid any data protection breaches which could compromise our data security, or the personal rights of our clients, customers, stakeholders or anyone else associated with our company.

To mitigate the risk that any such data compromise could pose, we have developed the following data breach policy. It is an integral part of our compliance responsibilities under the General Data Protection Regulation and Data Protection Act 2018, and is designed to develop clear lines of responsibility and processes that must be followed to adequately mitigate and manage data breach and security incidents.

What does this policy cover?

The scope of this data breach policy encompasses all personal and sensitive data our company holds. This data breach policy applies to everyone at our company – including employees, temporary or casual staff, consultants, suppliers, contractors, freelance workers or other data processors who are storing or processing data on the behalf of our company.

What is the purpose of this policy?

The purpose of this data breach policy is to contain all data breaches and to minimise the risks associated with any breaches. It also outlines the actions that should be taken in the event of a breach to ensure data is secure and to prevent further breaches.

About data breaches

 

A data breach is defined as any incident, event or action that has the potential to compromise the availability, integrity or confidentiality of data, or our company’s data systems. This includes incidents or events that happen by accident or deliberately. Both confirmed and suspected incidents may qualify as a data breach.

For the purposes of this data breach policy, an incident may include (but is not limited to) any of the following:

  • Unauthorised use or accessing of data
  • Unauthorised modification of data
  • Loss of personal or sensitive data
  • Theft of personal or sensitive data
  • Loss or theft of equipment on which data has been stored
  • Individual error
  • Any attempts to gain access to data or our company IT systems (whether successful or failed)
  • Defacement of web property
  • Physical incidents, like a fire, which could compromise IT systems

How to report a data breach

All employees who access, manage or use data in any way are responsible for reporting a data breach or any other type of security incident. This report should be made immediately to the employee’s line manager, using the data breach reporting form.

This report must include full details of the incident or breach, when it occurred, who the data relates to and how. It must also include details about the individual reporting the incident.

If a data breach or a data security incident occurs outside of normal company hours, or a data breach or data security incident is discovered outside of normal company hours, it must be reported as soon as possible.

Any violation of this data breach policy could result in disciplinary action procedures taking place for company employees.

Data breach containment and data recovery

All necessary steps must be immediately carried out to minimise the effects of any data security breach or data security incident. This process of containment should begin with an initial assessment designed to establish the severity of the incident. The initial assessment should also include analysing whether there is any way to recover the lost data, and mitigate further risks associated with the incident.

Your initial assessment should include the following information:

  • The data involved
  • Whether the data involved is sensitive in nature
  • The individuals affected
  • The security measures that are in place to protect the data
  • What has happened to the data
  • Whether the data involved could be used in an illegal or otherwise inappropriate way
  • Any perceived wider consequences associated with the breach or incident

Data breach notification

Self-Project Management Advisors Ltd will determine which individuals must be notified in the event of a data breach or data security incident. Each incident must be assessed on a case-by-case basis. In every instance, the following considerations will be made:

  • Any contractual notification requirements
  • Any legal notification requirements
  • How many people are affected
  • What consequences may occur as a result of the data breach or data security incident
  • Whether notification of a breach or incident would help the individual to mitigate risks associated with the incident
  • Whether notification could assist the company in meeting its legal obligations under GDPR and Data Protection Act 2018
  • Whether notifying an individual could prevent the unauthorised or illegal use of data
  • Whether Self-Project Management Advisors Ltd must notify the Information Commissioner’s Office

All data breaches and data security incidents, both suspected and verified, must be recorded, to assist in further analysis and to help prevent further breaches.

The danger of notifying too many individuals

There will be data security incidents in which a large number of individuals will need to be notified. However, there will be other incidents in which notifying a large number of individuals may have the potential to cause disproportionate enquiries.

Whenever we notify an individual whose personal data has been affected by an incident or breach, that notification must include a description of when the breach occurred, how the breach occurred and what data was involved. Notifications must also include explicit guidance concerning what said individual can do to protect themselves. We should also outline to concerned individuals what steps our company has already taken to mitigate risks.

Data breach evaluation and response

After the data breach or data security incident has been contained by carrying out all necessary measures, Self-Project Management Advisors Ltd will conduct an extensive review detailing:

  • The cause(s) of the breach
  • The effectiveness of any responses
  • Whether changes to existing IT systems, company procedures or policies must be implemented

All existing protocols must be reviewed to analyse their adequacy. Any necessary amendments to protocols must be identified and carried out as soon as possible.

Cookies

We store cookies on your computer to identify that you have been to our site before, and to personalise certain content based on previous behaviour. We do use third-party cookies to track data. A summary of the cookies used on this Site and what they are used for can be viewed below.

You can opt out of Google’s use of cookies by visiting Google’s Ads Settings page:
http://www.google.com/settings/ads. If you would not like to be tracked during your visit, you can install a Do Not Track plugin for Google Chrome or enable the Do Not Track feature in Firefox. You can also visit http://www.aboutCookies.org/ or http://cookiepedia.co.uk/ for further information on how to manage and delete cookies.

For information on how this website uses cookies visit this page: https://support.squarespace.com/hc/en-us/articles/360001264507

For information on how this website uses Google Analytics cookies visit this page: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage