Privacy Notice

Introduction

Xcina Consulting (“XCL”) is committed to safeguarding an individual’s personal and sensitive personal data and is bound to comply with the UK Data Protection Act 2018 (“DPA”) and EU General Data Protection Regulation (“GDPR”), along with similar and applicable laws in other countries around the world. This Privacy Notice forms part of XCL’s obligation to be fair and transparent with all individuals whose personal and sensitive personal data it processes when they visit the XCL website, and to provide details of how it processes such data.

Who are we?

XCL provides business and technology risk assurance and advisory services and is headquartered in London, UK.

XCL is the consulting arm of Brookcourt Solutions Limited whose registered address is 22 Great James Street, London WC1N 3ES and its registered company number is 05356175. 

Brookcourt Solutions Limited is a subsidiary of the Shearwater Group plc (“SWG”), an Alternative Investment Market (“AIM”) listed company whose UK registered company number is 05059457 and whose registered address is 22 Great James Street, London, WC1N 3ES.

For the purposes of data protection laws, XCL is a Data Controller in relation to the personal data that XCL collects and holds about you. This means that we are responsible for ensuring that your data is processed fairly and lawfully by us.

XCL will comply with relevant data protection laws. Such laws require that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way;
  • Collected only for valid purposes that we have clearly explained to you;
  • Relevant to the purposes we have told you about and limited only to those purposes;
  • Accurate and kept up to date;
  • Kept only as long as necessary for the purposes we have told you about; and
  • Kept securely.

What personal data do we process?

We process the personal data of web visitors each time they visit our website, and of registered users who access gated content, notably:

  • Technical information about your computer such as domain name, browser type and version, operating system and platform, IP address, cookie information and time zone setting; and
  • Information about your visit including the full Uniform Resource Locators (URL) clickstream to, through and from the Site (including date and time), what web pages you visit on the Site and how long you spend on each page, page interaction information (such as scrolling, clicks and mouse-overs), page response times, download errors, traffic data, location data, weblogs, methods used to browse away from the page and information on what website you visited before accessing the Site.

We also process the following kinds of personal data if you provide it to us via our website:

  • Your name, email address, business address and job title.

Why do we process your personal data?

We use your personal data for the following purposes:

  • To alert you of new content that is posted on the XCL website, depending on your previously selected preferences.
  • To process and respond to requests, enquiries and complaints received from you, in accordance with our legitimate interests to provide you with a responsive service.
  • To provide services, requested by you, which may be required to fulfil a contractual obligation.
  • To maintain accurate personal data records and for audit purposes.
  • To prevent or detect fraud.
  • To comply with requests from law enforcement and regulatory authorities.
  • To analyse trends and profiles with the aim of improving or personalising our services and communications for the benefit of our clients.
  • To carry out customer satisfaction research with the aim of improving or personalising our services and communications for the benefit of our clients.
  • If you make enquiries through our site, and agree in the contact form to receiving email updates, we will send you such updates on the grounds of your consent.
  • To enable third parties, if required, to support us in operating our business.

If you cannot provide personal data

  • In some instances, we need to collect your data in order to provide you with our whitepapers, or other thought leadership and insights. If you do not provide your data, we will be unable to provide you with such content.

Lawful basis

XCL operates under a number of lawful bases as required under the data protection laws. These include:

  • Consent
  • Legitimate interests
  • Performance of a contract
  • Compliance with a legal obligation

Below are examples of some of the data processing activities that we carry out, along with the lawful basis relied upon for each.

| Purpose of processing | Types of personal data | Lawful basis relied upon |
|---|---|---|
| Sending marketing emails (business to business) | Name, email address, marketing preferences | Legitimate interests |
| Sending marketing emails (business to customer) | Name, email address, marketing preferences | Consent |
| Carrying out a data protection ‘gap analysis’ for a client | Name, email address and job role of contact | Contract |
| Carrying out an audit for a client | Name, email address and job role of contact | Contract |

Who do we share your data with?

We only disclose your personal data in ways set out in this Privacy Notice or subject to any contractual agreements that are in place with us. The following circumstances may apply:

  • With the Shearwater Group plc, company Number 05059457.
  • Across the SWG portfolio companies, on a need-to-know basis, as part of improving our existing services or as part of providing new services. These portfolio companies include:
    • Brookcourt Solutions Limited, company number 05356175;
    • Pentest Limited, company number 11925182; and
    • SecurEnvoy Limited, company number 04866711.
  • We may share personal data with third parties who provide us with support services. Such providers assist us with administering or troubleshooting our website; assist us with our mailing campaigns or provide us with electronic or physical storage services.
  • We may disclose your personal data to law enforcement agencies or our professional advisors if we are under a duty to do so.
  • If we are acquired by another organisation, such parties will have access to your personal data as part of any due diligence or onboarding activities.

We do not sell, rent or trade any of your personal data.

Data retention

We hold your personal data for as long as necessary in line with any legislative, regulatory or business need/best practice.

Below are examples of the data retention periods applied to different types of personal data:

| Type of personal data | Retention period | Justification |
|---|---|---|
| Applications relating to unsuccessful job applicants | 6 months from date of application | Business need/Best practice |
| Invoices from suppliers | 7 years from invoice date | Limitation Act 1980 |
| Employee personnel files | 7 years after employee leaves the company | Limitation Act 1980 |
| Data subject access requests | 2 years from last action | Business need/Best practice |

As stated below, you have the right to request we erase your data, where we do not have any overriding legal, regulatory or contractual obligations.

How do we protect your data?

We aim to ensure that your personal data is secure. In order to prevent unauthorised access, loss, misuse or alteration, we have put in place appropriate physical, technical and organisational measures to safeguard and secure the personal data we collect. Our service providers are required to do the same. They will only process your personal data on our instructions and they are subject to a duty of confidentiality and oversight.

In addition, we limit access to your personal data on a least-privilege, need-to-know basis. We also carry out regular security testing to ensure that your personal data is protected.

Any personal data sent to us, either in writing or email, may be insecure in transit and we cannot guarantee its delivery.

International data transfers

Personal data that we collect is only stored in the UK, the EU and the USA. Where data is stored outside the UK or the EU, we ensure that there are adequate security controls in place, such as contractual arrangements, to ensure it is processed appropriately.

Your legal rights

XCL tries to be as open as it can be in terms of giving people access to their personal information and we have outlined your rights below.

You have the right to ask us:

  • whether we are processing your personal information and the purposes it is processed for (the right to be informed) – this is delivered through ‘fair processing information’ such as this Privacy Notice;
  • for a copy of the personal information that we hold about you (the right of access);
  • to update or correct your personal information (the right to rectification);
  • to delete your information (the right to erasure); and
  • to restrict processing of your personal information where appropriate (the right to restrict processing).

In certain circumstances you also have the right to:

  • object to the processing of your personal information (the right to object);
  • object to automated decision making and profiling (the right not to be subject to automated decision-making including profiling); and
  • request that information about you is provided to a third party in a commonly used, machine readable form (the right to data portability).

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable admin fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex. In such instances, we will notify you and keep you updated.

How to manage your marketing consents

You may give and withdraw consent to the receipt of marketing information and tell us your communication preferences at any time. If you wish to change your preferences regarding the receipt of marketing or other communications from us, please contact info@xcinaconsulting.com. You may also use the ‘unsubscribe’ link at the bottom of any marketing communication.

Updates to this policy

In order to remain compliant with any legal and regulatory obligations, or as part of our evolving business practices, we may update this Privacy Notice from time to time by publishing a new version. In certain instances, we may notify you.

Data Protection Registration

We are registered as a data controller with the UK Information Commissioner’s Office and our data protection registration number is: ZA269764.

How to contact us

You can contact us as follows:

Email:

dpo@xcina.co.uk

Web:

www.xcinaconsulting.com

Telephone:

+44 (0)20 3745 7820

In Writing:

Data Protection Officer
Xcina Consulting
32 Threadneedle Street
London
EC2R 8AY
United Kingdom

Making a complaint

If you feel your rights have not been respected, or do not feel a situation was resolved satisfactorily, you have the right to raise a complaint to the UK Information Commissioner.

You can contact them as follows:

Web: https://ico.org.uk/make-a-complaint/

Telephone: +44 (0)303 123 1113

Live Chat: https://ico.org.uk/global/contact-us/live-chat

In writing:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
