Data Protection Policy

RCU will protect personal data in accordance with the following eight principles of the Data Protection Act 1998 and the Data Protection Act 2018 (GDPR):

  1. Process personal data fairly and lawfully

RCU will formally identify and record all categories of personal data that it processes and the legal basis, as defined by the Data Protection Act, for carrying out this processing.

  1. Process the data for the specific and lawful purpose for which it is collected

RCU will ensure that the reason for which it collected the data is the only reason for which it processes this data.

  1. Ensure that data is adequate, relevant and not excessive in relation to the purpose for which it is collected

RCU will not seek to collect or process any personal data which is not strictly necessary for the purposes for which it was obtained.

  1. Keep personal data accurate and where necessary up to date

Where RCU is the Data Controller and has a lawful basis for processing data (e.g. staff records) it will review the data on a regular basis. It is the responsibility of individuals giving their personal data to ensure that it is accurate.

  1. Only keep personal data as long as necessary

RCU will not retain personal data for longer than is necessary for the purposes for which it was collected. Project activities for clients which require the processing of personal data will formally identify a deletion date for that data at the start of the project and this will be recorded in the project contract. Where RCU is the Data Controller arrangements for deletion will be recorded in the Data Privacy Impact Assessment.

  1. Process personal data in accordance with the rights of the data subject under the legislation

RCU will ensure that the following rights of data subjects are upheld, either directly (if RCU is the Data Controller) or in consultation with the Data Controller (if RCU is the Data Processor)

  • – Right of information and access
  • – Rights to object
  • – Rights to erasure and restriction of processing
  • – Rights to be forgotten
  1. Put appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data and against accidental loss or destruction of data

RCU will put in place appropriate security measures as identified in RCU’s Information Security Policy (P13). The information Security Management System will be accredited under the international standard ISO 27001 and Cyber Essentials certification.

  1. Ensure that no personal data is transferred to a country outside of the European Economic Area

RCU will ensure that no personal data is transferred to a country outside of the EEA.


RCU will be appropriately registered with the Office of the Information Commissioner and will identify a named Data Protection officer.


In cases where RCU is the Data Processor, RCU will ensure that organisations that provide it with personal data are aware of their responsibilities as a Data Controller under the Data Protection Act. RCU will ensure that a formal contract exists between the Data Controller and RCU as the Data Processor. The contract will include information on the information to be processed, the duration of processing, appropriate technical and organisational measures required and procedures to follow if a data breach occurs.


RCU will carry out Data Privacy Impact Assessments for areas where personal data is collected and processed highlighting data flows, risks that could lead to data breaches and actions to minimise these risks. Data Privacy Impact Assessments will also identify how the rights of data subjects will be upheld. The Data Privacy Impact Assessment will include:

  • – A description of the processing operations and the purpose of the processing
  • – An assessment of the need for and proportionality of the processing and the risks to data subjects (as viewed from the perspective of data subjects) and
  • – A list of the measures to mitigate the risks and ensure compliance with the Data Protection Act.


Data breaches will be reported to the Managing Director or nominee as soon as they are identified and to the Information Commissioners Office within 72 hours of the breach occurring. Details of the breach should be recorded on the Data Security Incident Report Form (R25) as outlined in RCU’s Information Security procedures.


Where RCU is acting as the Data Controller data subjects will be informed of their rights to access personal data held about them. Data subjects should submit a written request to the Managing Director and RCU will formally respond at the latest within month. RCU will use reasonable means to verify the identity of the individual making the request.


As a Data Controller RCU will not transfer personal data to a third party unless this is specified in a formal contract and data sharing agreement with the third party and the arrangements are fully compliant with the principles of GDPR. RCU will require written assurance that such data will be appropriately protected by third parties before its transfer.


RCU will ensure that all of its staff, including Associate Consultants and contractors are aware of their responsibilities under the Data Protection Act.  This will include keeping a record of formal training specific to a particular role.


Wherever possible data will be anonymised, or if this is not feasible, pseudo-anonymised to remove or minimise the risk of unlawful access to personal data. Wherever possible data storage devices and data transfer systems will be fully encrypted to remove the risk of unlawful access to personal data. This will include all RCU desktop PC’s and laptops, third party cloud servers and data transfer links. All published outputs from data analysis relating to individuals will be rounded to the nearest 10 and numbers less than 5 will be supressed to preserve confidentiality.