
Data Protection

Prepared by: Jennifer Higgins
Approved on: 14/09/2025
Next Review Date: 14/09/2026

1. Purpose & Scope

This policy outlines how personal data must be handled, stored, processed, and protected in compliance with UK GDPR. We are registered with the UK Information Commissioner's Office (ICO) as a data controller and comply with applicable UK data protection legislation. Personal data submitted via our application forms is collected and processed by our UK entity. Applications may be retained for consideration for future representation opportunities, including potential international divisions, unless otherwise requested.

2. Principles

Personal data must be:

  • Lawfully, fairly, transparently processed

  • Collected for specified, explicit purposes

  • Limited, adequate, relevant, not excessive

  • Accurate and up to date

  • Not kept longer than necessary

  • Processed in line with data subject rights

  • Secure and protected against breach

  • Not transferred outside UK / EEA without safeguards

3. Roles & Responsibilities

  • Directors: ensure legal compliance, review risks

  • Data Protection Lead / Officer: oversee data policy, handle subject requests, training, audit

  • Staff / Contractors: comply with policy, protect data, use secure systems

4. Data Processing & Storage

  • Data stored on secure servers or approved cloud providers

  • Backups maintained, tested

  • Encryption used for sensitive data

  • Access only for authorised personnel

  • Mobile / local copies avoided

5. Data Sharing & Third Parties

  • Only share with necessary third parties (hosting, accounting, legal)

  • Contracts in place to enforce data protection obligations

  • Audits of third-party security

6. Subject Access Requests & Rights

  • Respond to SARs within statutory timeframe (usually 1 month)

  • Verify identity before disclosure

  • Log requests and actions

7. Data Breach & Incident Handling

  • Procedures for detection, reporting, and recovery

  • Report to ICO within 72 hours if required

  • Notify affected individuals if high risk

8. Training & Awareness

  • Regular training for all staff and contractors

  • Updates when policy or legislation changes

9. Review & Audit

  • Annual reviews of data processes

  • Audits of security, third parties, access logs

10. Enforcement & Compliance

  • Disciplinary measures for policy breaches

  • Regular reporting to leadership
