Our Compliance

We believe that data compliance and data security are extremely important and that's why they're central to all we do.

Because of this we have taken steps to ensure that all our data is compliant with GDPR (General Data Protection Regulation), PECR (Privacy and Electronic Communications Regulation) and the DPA (Data Protection Act) as well as being within The DMA (Direct Marketing Association) and ICO (Information Commissioner's Office) guidelines.

To demonstrate our commitment to data security we have been accredited to the ISO 27001 Information Security Management Systems standard since 2008. Additionally, we're also accredited to HM Government's Cyber Security Essentials standard and to ISO 9001 Quality Management Systems.

In order to achieve these standards, we are independently audited on a regular basis to ensure our business processes are fully documented and that they are up-to-date and relevant, providing us with a solid foundation for compliance with both the DPA and GDPR.

Finally, as a best practice measure, in 2014 we implemented the higher standard security controls defined by the Centre for Internet Security (CIS).

Our Data Policy

We licence our data from several reputable 3rd party sources.

All the 3rd party data supplied to us must come with a guarantee that it is fully opted-in and compliant with all the laws, regulations and guidelines relating to the use of third party data. When collecting an individual's data, our supplier must clearly show their Privacy Notice, which outlines which data is being collected, how it will be processed and who it may be transferred to.

Our Data Retention Policy

All the data we hold is stored securely in an encrypted format and is held for no longer than necessary. If an individual asks to be removed from our database directly or via one of our clients, we will action this in line with our suppression policy.

Our Suppression Policy

We will suppress personal data from our database if:

  • An individual asks for their data to be suppressed or removed. We will action this at the earliest opportunity, and typically within 7 working days
  • A client asks us to suppress an individual's information, following a request from the individual. This will be actioned at the earliest opportunity, and typically within 7 working days
  • Data is found to be inaccurate or out of date
  • Data matches our suppression file of individuals who have requested exclusion from any marketing activity

We will also inform our suppliers of the request. This will then be actioned by them in line with their policies.

Subject Access Requests (SARs) and Opting Out

We receive a small number of queries, deletion requests and SARs each year. Upon receipt, our compliance team will acknowledge the request as soon as possible and will ask for more information if necessary.

GDPR requires that SARs are responded to within one calendar month in normal circumstances. We endeavour to respond as quickly as possible to all requests, although we will sometimes need to request additional information from our suppliers before we're able to provide a complete response.

You are free to remove your details at any time, and even if we do not hold an individual's details, we will add them to our suppression files (Remove My Details) to ensure that we don't make use of them in the future. If the request also involves any of our suppliers, we will inform them and request confirmation of the "stop" or deletion request to both ourselves and to you directly.

Find out how to submit a SAR.

Useful links

The following are links to the Related Legislation, Directives, Guidelines and Codes of Practice:

GDPR https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
PECR, currently being revised to ePrivacy https://ico.org.uk/for-organisations/guide-to-pecr/
DPA https://www.gov.uk/data-protection
The DMA Code https://dma.org.uk/the-dma-code
FCA Guidance https://www.fca.org.uk/data-protection