Privacy Policy

GRIFFIN HOUSE CONSULTANCY LTD - 11 September 2019 v.1.3

As data protection specialists you would expect us to take privacy issues very seriously, and you are absolutely right. The Griffin House Consultancy Limited (GHCL) are 100% committed to protecting your personal information and we shall always be transparent with you about how we are using your details.

Regardless of what personal data we hold, we shall process your personal data in full accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We will be open about what information we collect, why we need it, and how we intend to use it. This ‘fair collection’ or ‘privacy notice’ explains how we obtain, collect, process and store information about you, whether we share it with any third parties, and details of your rights.

Who are we?

We are the Griffin House Consultancy Limited, a specialist data protection and information governance consultancy, and are a registered company based in England under the Registration number 9028231. We are registered with the UK Information Commissioner’s Office under the reference ZA081014.

Our full contact details can be found at the end of this notice.

This privacy notice covers all information held by the organisation, be it captured by electronic means, on paper records, in person or via social media. This policy covers our main website and also our eLearning website.

We need your personal information to allow us to offer our services to you and to comply with our legal and fiduciary duties. In order to be as transparent as possible we have split this privacy notice into the different types of data which we hold so that you can quickly identify the processing which affects you.

How we obtain your information

In 99% of cases you will volunteer your personal details to us. Before we capture your information we will explicitly tell you, or it will be very obvious, for example if you make an enquiry with us, why we need the information and how we will use it.

However, we could be given your details by a third party acting on your behalf, for example, your employer or personal assistant, or we may identify your details from professional social networks in which we both operate, or public domain records such as the internet.

What Information we capture and why


If you have enrolled, or been enrolled onto one of our virtual or physical training courses then we will need to know your name, company address and contact details, and in order to support you in your learning experience we may need to ask for other specific sensitive information; for example if you have any medical conditions which may impair your ability to learn in order that we may offer particular assistance with learning materials or additional help in taking the exam.

We ask for your ethnicity for diversity monitoring purposes and so that we can provide statistical analysis to the relevant awarding body, but this is completely voluntary and anonymous.

We also ask if you have any dietary requirements to accommodate your catering requirements on the day, and may on some courses ask for your next of kin details in case of an emergency on the day.

Who we will share this with

For certificated courses we will share your information with the relevant certification body, these will be shown specifically on each course. At the time of writing this policy the main body is Hand In Hand Professionals Limited.

If you work for a company, or have purchased licenses through a third party and asked them to supply the licenses, then that third party may also have access to non-sensitive personal data, i.e. your contact details and information relating to the courses you take, pass rates etc.

In order to maintain and develop the eLearning platform your personal details may be seen by our web developers. They will only access this under our guidance and instruction.

On what legal basis do we process your information?

As an individual learner you will give your information to us directly and we will process this information with your explicit consent, and then in line with our contractual obligations to offer the service to you.

As a business user, either as an administrator, or as a delegate/learner, we will process your details using your consent where you have given this, or our legitimate business interests where this does not impact on your fundamental rights or freedoms. We may also process your data to fulfil our contractual obligations with your employer or strategic partner placing the order.

Processing personal data for legitimate interests means we need to process your information for purposes such as monitoring our network for fraud and crime detection,

We may also share data with third parties if we are required to do so by law, for example to the police, or under a court order.

We may share your information with a third party if it is in the defence of a legal claim for example, seeking legal advice from a solicitor.

How we obtain your information

We will ask you for the information directly or receive this from a recruitment agency with your consent


We shall capture employee data to comply with employment legislation and ensure that all staff and volunteers working within the organisation are qualified, competent, vetted and receive ongoing training.

What Information we capture and why


In order to consider your application, offer employment, and comply with our legal obligations, for example, the right to work within the UK, we ask for your personal details including contact details. Other information such as qualifications and work experience will be requested to ensure you are qualified to fulfil your role. Your date of birth, nationality, ethnicity and sexuality as well as any medical records that we may need to be aware of will be requested, although you can decline.

Details of marital status and next of kin will be collected as well as any other information you choose to give us.

We may anonymously ask for details of your ethnicity and sexuality to comply with anti-discrimination laws.

Who we will share this with

We may share your information with other parties if this is in connection with your employment, such as obtaining confidential references, third party organisations who would verify your employment history, and also in connection with identity and right to work checks.

Your data will also be shared internally where this is necessary to facilitate your employment, or support you in your role.

On what legal basis do we process your information?

We will process your data under contractual obligations, employment legislation and, also where applicable, with your consent and our legitimate interests.


How we obtain your information

We will obtain information directly from you, either in person, via normal business channels such as email, telephone, Skype and social media etc and, also in person, for example at networking events.

We may identify your details from public domain sources and also purchase legal and qualified third party data (see section on Marketing below).

What Information we capture and why

  • Personal data is required to allow us to provide our consultancy, auditing and training services to our clients.
  • We will capture your name, company and contact details and details of any colleagues with whom we may need to communicate. If you volunteer any other information we may also record this where necessary to deliver the service.
  • We will record sensitive information, such as about a disability you may have, if you feel we need to know about this to deliver the service.

Who we will share this with

We will not share your personal information with any third parties save with your permission or required or allowed by law, for example, to obtain legal advice. If we feel another company can assist you when we cannot then your consent will be obtained before sharing your information with them.

On what legal basis do we process your information?

If you have made contact with us then we shall rely on our legitimate interests to record your information, and if we wish to send you administrative or marketing emails, we rely on what is called the soft-opt-in to send those emails to you (at any time you can ask us to stop sending these to you).

If we wish to record any sensitive information about you, for example, about your dietary requirements, then we will have to have a legal reason to do so, or ask for your explicit consent.

If we are in negotiation with you for goods or services then we shall rely upon contractual obligations to process the information, as we will either have a contract in place, or be in negotiations to enter into one.


How we obtain your information

Directly from you or via a third party introducing us

What Information we capture and why

GHCL will use the information you give us to open up a mutually beneficial channel of communication and, when a more formal relationship is required, use the information to enter into a contractual relationship. Only business related personal and contact details of the partner, and perhaps their client if you are acting as a reference site, and details of the project in hand will be collected.

Who we will share this with

Other business partners but only where you give us your consent.

We will share data on a case-by-case basis and, unless there are exceptional circumstances where we may rely upon legal obligations or our legitimate interest, will only share with your permission. We do not systematically share data with third parties.

On what legal basis do we process your information?

With your consent and with the consent of your client. Where that is not obtained then we shall rely on our legitimate business interest and contractual and/or legal obligations to process personal data.


We act as mentors for various educational establishments and need student contact details and profiles to facilitate that relationship.

How we obtain your information

We will obtain personal data directly from the student or graduate or the University, school or college engaged in the programme.

What Information we capture and why

We hold contact details of the student, their goals, outcomes and details of any challenges which they may face. Sensitive data may be recorded, for example, about any medical conditions, but only with their permission.

Who we will share this with

We will only share this with the University or College, and even then, only if the student is aware and has not objected.

On what legal basis do we process your information?

We are processing the data with consent from the individual and also to meet our contractual obligations.


How we obtain your information

We may collect information from you when you interact with us, for example, when you use our websites, perhaps by signing up for an eLearning Course, a newsletter, or making a general enquiry.

By visiting our website we will be able to see your IP address and the pages you visit. Your information is anonymous until you log in as a user, at which point we shall know your details as you will be pre-registered.

What Information we capture and why

As a website visitor all we capture is your IP address, system type (PC, iPhone, Windows 10 etc), what pages you visit and dates/time. This is managed via Google Analytics, which is detailed below and in our Cookie Policy. You will be asked to consent before semi-anonymous data is collected by Google.

If you, or your company register to use our service, we shall capture your name, contact details, and if you are the Administrator or paying for the service, details of your purchase history. No credit or Debit card payments are managed by the company and these are managed and held by PayPal.

Google Analytics

We use Google Analytics to analyse the use of our websites; Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ devices.

The information generated relating to our website is used to create reports about the use of our website. Details captured during your visit will include, but are not limited to, traffic data, location data, weblogs and other communication data and the resources you access; however, all data collected is anonymous and will not identify you as an individual.

Google, not Griffin House, stores this activity information, and you can view Google’s privacy policy here.

To opt out of being tracked by Google Analytics across all websites, visit their online opt-out page.

How we will store your information and where and how we will protect it

If you sign up for our eLearning service your data is hosted on a secure server within the UK. Our developers are however located outside of the EEA and they have controlled access to this site and the information on it.

If you register for a public or in-house course then your information is stored in a database which is held within the EU and a secure server hosted in Canada, which the EU have approved as having sufficient protection to meet the requirements of the GDPR.

How long will we keep your information?

We will keep your information for no longer than is necessary. We shall follow any statutory time limits and regulator best practice guidelines, but the following will give you an idea of how long we shall retain your information.

| Data type | Reason | Retention period |
| --- | --- | --- |
| Employee data | Employee files – for legal purposes | 7 years after employee leaves |
| Employee data | Pension data and certificates for medical tests, for example, eye or hearing tests for legal purposes | indefinitely |
| Recruitment information | CV’s and applications for unsuccessful candidates will be deleted – legal obligations | 6 months after campaign, unless the candidate has consented to a longer retention period. |
| Learner records | Learner records and certificates – contractual and legal obligations | 25 years |
| Learner records | Details of special circumstances relating to certified exams – contractual and legal obligations | 7 years |
| Client information | All client information – to prove consents and in case of legal disputes | 7 years after relationship ends or last activity |
| Enquiries | We retain for this period as often enquiries can take this period of time to come to fruition. | 2 years |
| Financial Information | Tax records, payroll etc – for legal purposes | 7 years |
| Analytics | Semi-anonymous analytical data | 25 years |
| Email broadcasting | Semi-anonymous analytical data from email interaction | 25 years |

Your rights are detailed below and you have a right to ask us to stop processing or remove certain types of personal data, especially sensitive data. Where there is no overriding lawful reason why we need to do this we shall always honour your request.


If you are a learner or business contact we will ask you if you would like to receive regular communications from us, and we shall do this in accordance with any guidelines concerning the data protection or ePrivacy (electronic marketing) regulations. You can change your preferences at any time, and if you ask us to stop communicating with you, we shall action this request immediately.

We need to manage our business for example, processing invoices, entering into contracts and to do that we rely on our legitimate interests, legal obligations and fulfilment of our contractual obligations.

We may use your personal information to obtain legal advice or if it is necessary to defend a legal claim or pursue a bad debt, and we may have to pass your information to public authorities and organisations where the law requires us to do so.

To ensure that emails and ICT networks have not been compromised, we will monitor network traffic and may process personal data as a result of this monitoring.

Email Marketing

We do stay in touch with clients and prospects using email and to do this we use an email broadcast company. Emails will either be fully opted-in by the subscriber, or we shall be relying on the soft-opt-in rule within the ePrivacy legislation. Within our emails we utilise web beacon technology, sometimes called pixels, which allows us to see whether the email was delivered, which links were clicked and so on. This is to help us assess the success of campaigns and offer a better, more relevant service. The only information collected will be IP address, date/time, general location and device details. You can read more in our cookie policy.

We never share this information or any of your details with third parties.

How we store your information

All client information and files are retained on cloud servers hosted within the EU and Canada, and any files containing commercially or personally sensitive information are encrypted before saving to the server. We store our marketing information in a robust CRM system, and ensure that only basic contact information, as stated above, is stored. Only authorised members of the team have access to your personal information, and we back it up regularly to prevent against loss or damage.

Who do we share with?

Let me assure you that we will never sell your information, or share it with any third party, save those detailed below, or with any government agency or other party entitled to this information by law, statute or court order.

However, in the event that the Griffin House Consultancy is ever sold as a going concern, or enters into administration, the database of clients and prospects shall be deemed an asset of the company, and the consents and permissions provided by the individual shall be transferred to the new owners.

For learners, we will share your personal details with any awarding body as necessary to facilitate the awarding of your certificate or qualification. We may from time to time sub-contract elements of our operation to data processors, such as a mailing house, or market research company, but they will be working as a data processor on behalf of GHCL who shall at all times remain responsible for the confidentiality of the data. Any data processor will be vetted and sufficient contracts will be in place to protect the integrity and privacy of your data.

Where possible data will remain on servers within the EEA, in a third country listed on the EU’s approved country list, or on servers within the United States if the company is part of the approved Privacy Shield scheme.


The Data Protection Act 2018 and GDPR affords Data Subjects (that is people whose information we capture) certain rights and these are listed below for your convenience:-

  • You have the right to access a copy of the personal information we hold about you by making a Data Subject Access Request (DSAR). You can do this by phone, in writing or by email to Griffin House, for the attention of Mike Martin (full contact details are provided at the end of this Privacy Policy).
    We will just have to verify your identity before we can proceed.
  • You have the right of rectification to amend or update your personal information and ensure we maintain accurate and up to date records and or data about you.
  • You have the right to erasure, also known as ‘the right to be forgotten’.
    The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing by Griffin House.
  • You have the right to ‘block’ or suppress the processing of your personal data.
    Processing of your personal information may be restricted in the event it is no longer essential to support the use of services provided to you and is no longer needed for any contractual, legal or financial reasons. In those cases, Griffin House is permitted to store the personal data, but not further process it.
    Griffin House may retain just enough information about you to ensure that any restriction is respected in the future.
  • You have the right to data portability which allows individuals to obtain and or reuse their personal data for their own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  • You have the right to object to the processing of your personal information based on consent, our legitimate interests or the performance of a task in the public interest or exercise of official authority including profiling activity, direct marketing including profiling activity; and processing for purposes of scientific and or historical research and statistics.
  • You have the right to be made aware of any automated decision-making, that is, decisions made without any human involvement, and/or profiling of your personal information by Griffin House.
    We use an automated process to mark papers, but this is simply a scoring system; no decisions are made about you which will affect you in a legal way.
  • You have an absolute right to ask us to stop sending you direct mail or marketing emails.

For some processing you will have given us permission to process your information, and in these cases you can withdraw your consent at any time; however, we may still need to keep the information for other legal reasons.

In certain situations, the above rights may not apply, for example if you entered into a membership minimum term contract, we may have to write to you about your membership even if you asked us previously not to, but in this case we would not send you any further direct marketing communications.


If you have any questions, do not hesitate to contact us.

Best wishes

Mike Martin

Our entry details on the ICO’s Register of Fee Payers
Data Controller: Griffin House Consultancy Limited
Trading Address:
Griffin House

Tel: +44 (0)01673 885533

Registration Number: ZA081014


Finally, if you are unhappy with how we have processed your information, you have the right to lodge a complaint with the Office of the Information Commissioner, contact details below.

Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF

Helpline: 0303 123 1113 (local rate) or +44 1625 545 745

Privacy policy version number 1.3 (11/09/2019)
