Privacy Policy


As data protection specialists you would expect us to take privacy issues very seriously, and you are absolutely right. The Griffin House Consultancy Limited (GHCL) is 100% committed to protecting your personal information and we shall always be transparent with you about how we are using your details.

Regardless of what personal data we hold, we shall process your personal data in full accordance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. We will be open about what information we collect, why we need it, and how we intend to use it. This ‘fair collection’ or ‘privacy notice’ explains how we obtain, collect, process and store information about you, whether we share it with any third parties, and details of your rights.

Who are we?

We are the Griffin House Consultancy Limited, a specialist data protection and information governance consultancy, and are a registered company based in England under the Registration number 9028231. We are registered with the UK Information Commissioner’s Office under the reference ZA081014.

Our full contact details can be found at the end of this notice.

This privacy notice covers all information held by the organisation, be it captured by electronic means, paper records, in person or via social media. This policy covers our main website and also our eLearning website.

We need your personal information to allow us to offer our services to you and to comply with our legal and fiduciary duties. In order to be as transparent as possible we have split this privacy notice into the different types of data which we hold so that you can quickly identify the processing which affects you.

If we offer you training or educational services

How we obtain your information

In 99% of cases you will volunteer your personal details to us. We will always tell you before we capture your information why we need the information and how we will use it.

However, we could be given your details by a third party acting on your behalf, for example, your employer or personal assistant.

What Information we capture and why


If you have enrolled, or been enrolled onto one of our virtual or physical training courses then we will need to know your name, company address and contact details, and in order to support you in your learning experience we may need to ask for other specific sensitive information; for example if you have any medical conditions which may impair your ability to learn in order that we may offer particular assistance with learning materials or additional help in taking the exam.

We ask for your ethnicity for diversity monitoring purposes and so that we can provide statistical analysis to the relevant authorities.

We ask if you have any dietary requirements to accommodate your catering requirements on the day, and

We ask for your next of kin in case of an emergency on the day.

Who we will share this with

For certificated courses we will share your information with the relevant certification body; these will be shown specifically on each course. At the time of writing this policy the main body is Hand In Hand Professionals Limited.

If you work for a company, or have purchased licenses through a third party and asked them to supply the licenses, then that third party may also have access to non-sensitive personal data, i.e. your contact details and information relating to the courses you take, pass rates etc.

In order to maintain and develop the eLearning platform your personal details may be seen by our web developers. They will only access this under our guidance and instruction.

On what legal basis do we process your information?

As an individual learner you will give your information to us directly and we will process this information with your explicit consent, and also our contractual obligations to offer the service to you.

As a business user, either as an administrator, or as a delegate/learner, we will process your details using your consent where you have given this, or our legitimate business interests where this does not impact on your fundamental rights or freedoms. We may also process your data to fulfil our contractual obligations with your employer or strategic partner placing the order.

Processing personal data for legitimate interests means we need to process your information for purposes such as monitoring our network for fraud and crime detection.

We may also share data with third parties if we are required to do so by law, for example to the police, or under a court order.

We may share your information with a third party if it is in the defence of a legal claim, for example, seeking legal advice from a solicitor.

If you are employed or apply for employment

How we obtain your information

We will ask you for the information directly or receive this from a recruitment agency with your consent.


To comply with employment legislation and ensure that all staff and volunteers working within the organisation are qualified, competent, vetted and receive ongoing training.

What Information we capture and why


In order to consider your application, offer employment, and comply with our legal obligations, for example, the right to work within the UK, we ask for your personal details including contact details. Other information such as qualifications and work experience will be requested to ensure you are qualified to fulfil your role. Your date of birth, nationality, ethnicity and sexuality as well as any medical records that we may need to be aware of will be requested, although you can decline.
Details of marital status and next of kin will be collected as well as any other information you choose to give us.

We may ask for details of your ethnicity and sexuality to comply with anti-discrimination laws.

Who we will share this with

We may share your information with other parties if this is in connection with your employment, such as obtaining confidential references, third party organisations who would verify your employment history, and also in connection with identity and right to work checks.

Your data will also be shared internally where this is necessary to facilitate your employment, or support you in your role.

On what legal basis do we process your information?

We will process your data under contractual obligations, employment legislation and also, where applicable, with your consent.


How we obtain your information

We will obtain information directly from you, either in person, via normal business channels, email, telephone, Skype and social media etc., and also in person, for example at networking events.

We may identify your details from public domain sources and also purchase third party data (see section on Marketing below).

What Information we capture and why

  • Personal data is required to allow us to provide our consultancy, auditing and training services to our clients.
  • We will capture your name, company and contact details and details of any colleagues with whom we may need to communicate. If you volunteer it we may also record other information necessary to deliver the service.
  • We will record sensitive information, such as about a disability you may have, if you feel we need to know about this to deliver the service.

Who we will share this with

We will not share your personal information with any third parties save with your permission or where required by law. If we feel another company can assist you when we cannot, then your consent will be obtained before sharing your information with them.

On what legal basis do we process your information?

If you have made contact with us then we shall rely on our legitimate interests to record your information, and if we wish to send you administrative or marketing emails, we rely on what is called the soft-opt-in to send those emails to you (at any time you can ask us to stop sending these to you).

If we wish to record any sensitive information about you, for example, about your dietary requirements, then we will have to have a legal reason to do so, or ask for your explicit consent.

If we are in negotiation with you for goods or services then we will either have in place a contract or be in negotiations to enter into one.


How we obtain your information

Directly from you or via a third party introducing us.

What Information we capture and why

GHCL will use the information you give us to open up a mutually beneficial channel of communication and, when a more formal relationship is required, use the information to enter into a contractual relationship. Only business-related personal and contact details of the partner, and perhaps their client if you are acting as a reference site, and details of the project in hand will be collected.

Who we will share this with

Other business partners with whom you give us consent. We will only share on a case-by-case basis and with your permission; this is not considered as systematically sharing data.

On what legal basis do we process your information?

With your consent and with the consent of your client. Where that is not obtained then we shall rely on our legitimate business interest and contractual obligations to process personal data.


We act as mentors for various educational establishments and need student contact details and profiles to facilitate that relationship.

How we obtain your information

We will obtain personal data directly from the student or graduate or the University, school or college engaged in the programme.

What Information we capture and why

We hold contact details of the student, their goals, outcomes and details of any challenges which they may face. Sensitive data may be recorded, for example, about any medical conditions, but only with their permission.

Who we will share this with

We will only share this with the University or College, and even then, only if the student is aware and has not objected.

On what legal basis do we process your information?

We are processing the data with consent from the individual and also to meet our contractual obligations.


How we obtain your information

We may collect information from you when you interact with us, for example, when you use our websites, perhaps by signing up for an eLearning Course, a newsletter, or making a general enquiry.

By visiting our website we will be able to see your IP address and the pages you visit. Your information is anonymous until you log in as a user, at which point we shall know your details as you will be pre-registered.

What Information we capture and why

As a website visitor all we capture is your IP address, system type (PC, iPhone, Windows 10 etc) and what pages you visit. This is done via Google Analytics, which is detailed below and in our Cookie Policy. At any time you can stop the collection of your anonymous data by Google.

If you, or your company, register to use our service, we shall capture your name, contact details, and if you are the Administrator or paying for the service, details of your purchase history. No credit or debit card payments are managed by the company; these are managed and held by PayPal.

Who we will share this with

Learners’ details will be shared with Hand In Hand Professionals Limited and the organisation for whom Learners work. Data is not shared with any other Data Controllers except where the law demands or allows us to do so.

Google Analytics

We use Google Analytics to analyse the use of our websites; Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ devices.

The information generated relating to our website is used to create reports about the use of our website. Details captured during your visit will include, but are not limited to, traffic data, location data, weblogs and other communication data and the resources you access. However, all data collected is anonymous and will not identify you as an individual.

Google, not Griffin House, stores this activity information, and you can view Google’s privacy policy.

To opt out of being tracked by Google Analytics across all websites, visit their online opt-out page.

How we will store your information and where and how we will protect it

If you sign up for our eLearning service your data is hosted on a secure server within the UK. Our developers are however located outside of the EEA and they have controlled access to this site and the information on it.

If you register for a public or in-house course then your information is stored in a database which is held within the EU and a secure server hosted in Canada, which the EU have approved as having sufficient protection to meet the requirements of the GDPR.

How long will we keep your information?

We will keep your information for no longer than is necessary. We shall follow any statutory time limits and regulator best practice guidelines, but the following will give you an idea of how long we shall retain your information.

Employee data: 7 years after employee leaves. Pension data and certificates for medical tests, for example, eye or hearing tests, will be kept indefinitely.

Recruitment information: CVs and applications for unsuccessful candidates will be deleted 6 months after campaign, unless the candidate has consented to a longer retention period.

Learner records: Learner records and certificates will be retained for 25 years. Details of special circumstances relating to certified exams will be held for 7 years.

Client information: For as long as a working relationship is active and then 7 years following last activity.

Enquiries: 24 months. We retain for this period as often enquiries can take this period of time to come to fruition.

Financial information: 7 years

Your rights are detailed below and you have a right to ask us to stop processing or remove certain types of personal data, especially sensitive data. Where there is no overriding lawful reason why we need to do this we shall always honour your request.


If you are a learner or business contact we will ask you if you would like to receive regular communications from us, and we shall do this within any guidelines with the DPA or PECR Regulations. You can change your preferences at any time, and if you ask us to stop communicating with you, we shall action this request immediately.

We need to manage our business, for example, processing invoices and entering into contracts, and to do that we rely on our legitimate interests, legal obligations and fulfilment of our contractual obligations.

We may use your personal information to obtain legal advice or where it is necessary to defend a legal claim, or pursue a bad debt, and we may have to pass your information to public authorities and organisations where the law requires us to do so.

To ensure that emails and ICT networks have not been compromised, we will monitor network traffic and may process personal data as a result of this monitoring.

How we store your information

All client information and files are retained on cloud servers hosted within the EU, and any files containing commercially or personally sensitive information are encrypted before saving to the server. We store our marketing information in a robust CRM system, and ensure that only basic contact information, as stated above, is stored. Only authorised members of the team have access to your personal information, and we back it up regularly to protect against loss or damage. This CRM is hosted in the USA.

Files are encrypted before they are backed up, but backups may be stored in the USA.

Who do we share with?

Let me assure you that we will never sell your information, or share it with any third party, save those detailed below, or with any government agency or other party entitled to this information by law, statute or court order.

However, in the event that the Griffin House Consultancy Limited is ever sold as a going concern, or enters into administration, the database of clients and prospects shall be deemed an asset of the company, and the consents and permissions provided by the data subject shall be transferred to the new owners.

For learners, we will share your personal details with any awarding body as necessary to facilitate the awarding of your certificate or qualification. We may from time to time sub-contract elements of our operation to data processors, such as a mailing house, or market research company, but they will be working as a data processor on behalf of GHCL who shall at all times remain responsible for the confidentiality of the data. Any data processor will be vetted and sufficient contracts will be in place to protect the integrity and privacy of your data.

Where possible data will remain on servers within the EEA, in a third country listed on the EU’s approved country list, or on servers within the United States if the company is part of the approved Privacy Shield scheme.


The Data Protection Act 2018 and GDPR afford Data Subjects (that is, people whose information we capture) certain rights and these are listed below for your convenience:

  • You have the right to access a copy of the personal information we hold about you by making a Subject Access Request (SAR). You can do this by phone, in writing or by email to Griffin House, for the attention of Mike Martin (full contact details are provided at the end of this Privacy Policy).
    We will have to verify your identity before we can proceed.
  • You have the right of rectification to amend or update your personal information and ensure we maintain accurate and up to date records and or data about you.
  • You have the right to erasure, also known as ‘the right to be forgotten’.
    The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing by Griffin House.
  • You have the right to ‘block’ or suppress the processing of your personal data. Processing of your personal information may be restricted in the event it is no longer essential to support the use of services provided to you and/or not part of any contractual, legal or financial requirement to do so. Griffin House is permitted to store the personal data, but not further process it.
    Griffin House may retain just enough information about you to ensure that any restriction is respected in future.
  • You have the right to data portability, which allows individuals to obtain and or reuse their personal data for their own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  • You have the right to object to the processing of your personal information based on consent, our legitimate interests or the performance of a task in the public interest or exercise of official authority including profiling activity, direct marketing including profiling activity; and processing for purposes of scientific and or historical research and statistics.
  • You have the right to be made aware of any automated decision-making, that is, decisions made without any human involvement, and/or profiling of your personal information by Griffin House.
    We use an automated process to mark papers, but this is simply a scoring system; decisions are not made on you which will affect you in a legal way.
  • You have an absolute right to ask us to stop sending you direct mail or email.

For some processing you will have given us permission to process your information, and in these cases you can withdraw your consent at any time. In certain situations, these rights may not apply, for example if you entered into a membership minimum term contract, we may have to write to you about your membership even if you asked us previously not to, but we would not send you direct marketing.


If you have any questions, do not hesitate to contact us.

Best wishes

Mike Martin

Our entry details on the ICO’s Register of Fee Payers
Data Controller: Griffin House Consultancy Limited
Trading Address:
Griffin House

Tel: +44 (0)01673 885533

Registration Number: ZA081014


Finally, if you are unhappy with how we have processed your information, you have the right to lodge a complaint with the Office of the Information Commissioner, contact details below.

Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF

Helpline: 0303 123 1113 (local rate) or +44 1625 545 745

Privacy policy version number 1.2 (13/09/2018)
