1. Purpose & scope
This document sets out how Data Centre Insight (DCi) collects, stores, uses, shares and disposes of personal data. It applies to all staff, contractors, suppliers and systems that process personal data on behalf of the company, including customers, prospects, employees, suppliers and partners.
It complements the public-facing Privacy Notice and supports our accountability under UK GDPR. This is an operational policy and does not replace legal advice.
2. Data protection principles
We follow the core data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. All processing must be documented and justified.
3. Roles & responsibilities
• Board / Senior Management: ultimate accountability for data protection and for providing adequate resources.
• Policy owner: Sunny Nehru, Director — maintain this policy, schedule reviews and report to the board.
• Data Protection Officer (DPO) / Data Lead: Sunny Nehru, Director. Duties: advise on obligations, manage RoPA, handle SARs, coordinate DPIAs, be ICO contact (if appointed).
• IT Manager / Security Lead: implement technical controls, patching, backups, access management.
• Marketing Manager: approve marketing uses, suppression lists and lawful bases for communications.
• All staff: follow this policy, complete training, report incidents immediately.
4. Types of personal data processed
• Customers / prospects: name, email, phone, postal address, billing details, order history, IP address, cookies behaviour, marketing preferences.
• Employees / contractors: name, contact details, bank details (payroll), NI number, HR records, emergency contact, right-to-work documents.
• Suppliers / partners: contact names, corporate contact details, bank details, contract files.
Action: Maintain a live Record of Processing Activities (RoPA) that lists each processing operation, data types, purposes, lawful basis, retention and security measures.
5. Lawful bases for processing
Every processing activity must have a lawful basis under UK GDPR. We use:
• Consent — explicit consent for marketing or optional services (document consent records).
• Contract — to deliver services and process payments.
• Legal obligation — to meet statutory obligations (tax, employment law).
• Legitimate interests — where we balance business interests with individuals’ rights (document Legitimate Interests Assessments (LIAs)).
6. Retention & disposal (storage limitation)
We keep personal data only as long as necessary.
Record type: Customer transactional data / invoices
Retention period: 2 years
Rationale: Tax & accounting rules
Disposal method: Secure deletion / archival
Record type: Marketing lists (active)
Retention period: Until unsubscribe; review after 3 years inactivity
Rationale: Opt-out requirement & minimal retention
Disposal method: Secure deletion
Record type: Website analytics (aggregated)
Retention period: 12 months
Rationale: Service improvement
Disposal method: Delete or anonymise
Record type: Employee records (payroll)
Retention period: 6 years post-employment
Rationale: Employment & tax law
Disposal method: Secure archive then deletion
Record type: Recruitment applications (unsuccessful)
Retention period: 6–12 months
Rationale: Recruitment audit
Disposal method: Delete unless candidate consents to longer retention
Action: Create a formal Retention Schedule (appendix) with owner, retention trigger and disposal method. Log disposal activity.
7. Data sharing & third-party processors
We must maintain a Processor Register. All processors handling personal data must be under a written contract meeting data protection requirements (scope, security, subprocessors, audit rights).
Vendor Name: GoDaddy
Service Provided: Domain & Website Hosting
Data Categories Processed: Customer contact data, Website visitor IPs
Location(s) of Processing/Countries: US, EU (Server locations vary)
Contract Start/Review dates: 17/06/2025, reviewed annually
Contact for Data Incidents: security@godaddy.com
Vendor Name: Zoho
Service Provided: CRM & Productivity tools
Data Categories Processed: Customer names, emails, phone numbers, sales records
Location(s) of Processing/Countries: India, US, EU (depending on data centre)
Contract Start/Review dates: 22/08/2025, reviewed annually
Contact for Data Incidents: privacy@zohocorp.com
Vendor Name: Google Analytics
Service Provided: Web analytics
Data Categories Processed: Pseudonymized visitor data, IP addresses, device/browser info
Location(s) of Processing/Countries: EU
Contract Start/Review dates: 13/08/2025, reviewed annually
Contact for Data Incidents: security@google.com
Vendor Name: Indeed Ireland Operations Ltd.
Service Provided: Recruitment platform
Data Categories Processed: Candidate personal details (name, contact info, CV/resume, work history, application responses, communications)
Location(s) of Processing/Countries: EU (Ireland HQ) with transfers to US under SCCs/UK Addendum
Contract Start/Review dates: 21/7/2025, reviewed annually
Contact for Data Incidents: privacy-dept@indeed.com
8. Social media processing
We use social media platforms such as X (Twitter), LinkedIn, and Meta (Facebook, Instagram) to promote content, run campaigns, and measure engagement. In doing so:
• We may process personal data when individuals interact with our pages, posts, ads, or direct messages.
• We may use social media tools (e.g., Facebook Pixel, LinkedIn Insight Tag, Twitter tracking) for analytics, retargeting, and creating advertising audiences.
• In some cases, we act as joint controllers with the platform, which also processes the data under its own privacy notice.
• We do not export personal data from social media platforms into our systems unless we have a lawful basis and appropriate consent where required.
Individuals should review the privacy notices of these platforms to understand how their data is processed. We ensure that any data collected for our purposes complies with UK GDPR.
9. International transfers
If we transfer or store data outside the UK/EEA, we must ensure an appropriate transfer mechanism: adequacy decision, UK IDTA / standard contractual clauses, Binding Corporate Rules, or specific derogations in limited cases. Document each transfer and its lawful safeguard in the Processor Register.
10. Security standards
Security controls must be proportionate to the risk. Minimum standards we require:
• Role-based access control and principle of least privilege.
• Strong passwords and multifactor authentication for critical systems.
• Encryption in transit (TLS) and encryption at rest where feasible for sensitive data.
• Regular backups with documented restore testing.
• Endpoint protection and timely patching schedules.
• Secure configuration for cloud services; avoid storing personal data on unmanaged devices.
• Secure disposal (shredding for paper; secure wipe for devices).
• Data access reviews at least annually.
11. Data subject rights and SARs
Individuals have the right to access, rectify, erase, restrict processing, object, and request portability, plus the right to withdraw consent. We must respond to Subject Access Requests (SARs) without undue delay and normally within one month; complex cases may extend the period with notice.
SAR handling process:
1. Receive request to data@datacentreinsight.co.uk and log in SAR register.
2. Verify identity safely before disclosing data.
3. Search systems, gather records, redact third-party information where necessary.
4. Provide response securely and document closure.
11. Personal data breach response
All staff must report suspected breaches immediately to data@datacentreinsight.co.uk or the DPO. We will assess and, if likely to risk individuals’ rights and freedoms, notify the ICO without undue delay and where feasible within 72 hours.
Breach response steps:
1. Report incident to DPO / IT.
2. Contain & preserve evidence.
3. Conduct risk assessment (likelihood & severity).
4. Notify ICO within 72 hours if required; notify affected individuals if high risk.
5. Remediate and record lessons learned.
Action: We maintain an Incident Log and attach breach reports for audits.
12. DPIAs (Data Protection Impact Assessments)
We carry out a DPIA for any new project or processing that is likely to result in high risk (e.g., large-scale profiling, special category data, or systematic monitoring). Document outcomes and mitigation measures and get sign-off from the DPO or senior management.
Use the following simplified DPIA checklist:
• Describe processing and purpose
• Assess necessity & proportionality
• Identify risks to individuals
• List mitigating controls
• Decide whether processing can proceed
13. Training, audits & record keeping
• All staff receive data protection induction and role-relevant refresher training annually.
• Keep Records of Processing Activities (RoPA) and a Processor Register.
• Conduct internal audits at least annually; follow up action items within agreed deadlines.
14. Monitoring, enforcement & sanctions
Non-compliance with this policy may result in disciplinary action. Policy exceptions require written approval from the DPO and Board.
15. Appendices
A. Retention Schedule
Record type: Customer invoices
Owner: Finance
Retention period: 6 years
Retention trigger: Invoice date + 6 years
Disposal method: Archival, then secure deletion
Record type: Marketing Lists
Owner: Marketing
Retention period: Until unsubscribe / 2 years inactivity
Retention trigger: Last contact date + 2 years
Disposal method: Secure deletion
Record type: Website analytics
Owner: IT/Marketing
Retention period: 14 Months
Retention trigger: Collection date + 14 Months
Disposal method: Aggregation/ Secure Deletion
B. Processor Register
Vendor: GoDaddy
Service: Hosting/Servers
Data Categories: Website logs, Backups
Location: UK / Ireland
Contract date: 17/06/2025
Review date: 1/6/2026
Contact: security@godaddy.com
Vendor: Zoho
Service: Email marketing
Data Categories: Names, emails
Location: UK / Ireland
Contract date: 22/08/2025
Review date: 1/08/2026
Contact: privacy@zohocorp.com
C.RoPA summary
Processing activity: Zoho
Purpose: Marketing
Data types: Name, email, preferences
Lawful basis: Consent / Legitimate interest
Retention: Until unsubscribe, or 2 years of inactivity
Owner: Marketing Manager
16. Contact & escalation
Data contact (DPO / lead): Sunny Nehru, Director
Email: data@datacentreinsight.co.uk
Phone: +44 (0) 7763 229 726
If unresolved, individuals may complain to the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF