Data Protection Policy

Integrity Nexus Ltd’s commitment to protecting personal data and meeting its obligations under UK GDPR.

Last updated: June 2026. This policy is reviewed annually or following any significant change in data processing activities.

1. Purpose and scope

This policy sets out how Integrity Nexus Ltd (SC837413) meets its obligations as a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It applies to all personal data processed by Integrity Nexus Ltd in the course of its consultancy and advisory activities, including data collected through this website. It applies to Stuart Gilliland as principal of the business and to any associates engaged to deliver work on behalf of Integrity Nexus Ltd.

2. Data protection principles

Integrity Nexus Ltd is committed to processing personal data in accordance with the six data protection principles under UK GDPR. Personal data must be:

Processed lawfully, fairly and transparently

We process data only where we have a lawful basis and we are open with individuals about how their data is used.

Collected for specified, explicit and legitimate purposes

We collect data only for defined purposes and do not use it in ways incompatible with those purposes.

Adequate, relevant and limited to what is necessary

We collect only the information we need. We do not hold data speculatively or in excess of what the purpose requires.

Accurate and kept up to date

We take reasonable steps to ensure data is accurate and update or delete inaccurate data promptly.

Kept no longer than necessary

We apply retention periods to all categories of personal data and delete data that is no longer needed.

Processed securely

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss or destruction.

3. Types of personal data we process

In the course of our activities, Integrity Nexus Ltd may process the following categories of personal data:

Contact and identity data: names, email addresses and professional roles of clients, contacts and service users.

Organisational data: information about the organisations our clients represent, including charity registration details, income and governance arrangements.

Engagement data: records of sessions, correspondence and outputs produced in the course of an engagement.

Website data: information submitted through contact and registration forms on our websites.

We do not knowingly process special category data (such as health information, criminal records or political opinions) unless this arises unavoidably in the course of an engagement, in which case it is handled with additional care and deleted as soon as the purpose is served.

4. Lawful basis for processing

We rely on the following lawful bases depending on the nature of the processing:

Legitimate interests: the primary basis for processing data relating to client registrations, session delivery and follow-up communications.

Contract: where processing is necessary to deliver a contracted engagement.

Legal obligation: where processing is required to comply with applicable law.

5. Data retention

We apply the following retention periods as a guide. Data is deleted or anonymised when the period expires unless there is a specific legal or regulatory reason to retain it longer.

Registration enquiries that do not progress to a session: deleted within 90 days of last contact.

Active client contact details: retained for the duration of the engagement plus 12 months.

Session records and outputs: retained for up to three years for governance, quality assurance and reference purposes.

6. Data security

We take reasonable and proportionate steps to protect personal data, including:

Password protection and access controls on systems holding personal data.

Use of reputable, UK or EEA-based service providers with appropriate data processing terms.

Limiting access to personal data to those who need it to carry out their role.

Secure disposal of data that is no longer required.

7. Data subject rights

Individuals whose data we process have rights under UK GDPR, including the right to access, correct, delete or restrict processing of their personal data, and the right to object to processing based on legitimate interests.

Requests should be directed to compliance@integrity-nexus.co.uk. We will respond within one calendar month. We will not charge a fee for reasonable requests.

8. Data breaches

In the event of a personal data breach, we will assess the risk to individuals and, where the breach is likely to result in a risk to their rights and freedoms, notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. Where the risk is high, we will also notify the affected individuals without undue delay.

All suspected breaches should be reported immediately to compliance@integrity-nexus.co.uk.

9. Third-party processors

Where we engage third-party services that process personal data on our behalf (such as website hosting, form processing or communication tools), we ensure those providers offer appropriate data protection guarantees and, where required, have data processing agreements in place.

10. Contact and complaints

For any questions about this policy or our data protection practices, contact us at compliance@integrity-nexus.co.uk.

You have the right to complain to the Information Commissioner’s Office at ico.org.uk or by calling 0303 123 1113 if you believe your data protection rights have not been respected.