The meaning of the key GDPR terms used in this policy
- “data subject” means an identified individual.
- “personal data” is any information about a data subject who is or could be identified in the information.
- “using” or “processing” is any use of personal data, including collecting, recording, organising, storing, altering, retrieving, restricting, destroying or making it known to third parties.
- “consent” means an indication of the data subject’s wishes, signifying their agreement to the use of their personal data.
- “criminal records personal data” means personal data relating to criminal allegations, proceedings, convictions or offences.
- “data protection legislation” means the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
- “member of staff” is any director, employee, intern, volunteer, contractor or consultant employed or engaged by M3.
- “special categories of personal data” reveal racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic/biometric information, physical/mental health and the sexual activities/orientation of a data subject.
The purpose and consequences of this policy
This policy sets out how the Company uses personal data of data subjects, including job applicants and current and former directors, employees, interns, volunteers, contractors, consultants, clients, customers, suppliers and other third parties. The Company is committed to being clear and transparent about how we use personal data and to protecting its confidentiality, security and integrity.
This policy applies to all members of staff when they use personal data, and a breach of this policy will be misconduct dealt with under the Company’s disciplinary procedure. A significant or deliberate breach, such as accessing or disclosing personal data without authority, is gross misconduct and could lead to dismissal or a contract being terminated. All members of staff must comply with the eight principles set out under the GDPR to ensure personal data is:
- Processed lawfully, fairly and in a transparent manner;
- Collected only for specified purposes and not used in a way incompatible with those purposes;
- Adequate, relevant and limited to what is necessary for the purposes;
- Accurate and appropriately up to date, with every reasonable step taken to erase or rectify inaccuracies;
- Not retained for longer than necessary for the purposes;
- Kept appropriately secure and confidential against unauthorised use or accidental damage or destruction;
- Not transferred to another country without appropriate safeguards in place;
- Made available to data subjects, allowing data subjects to exercise certain rights in relation to their personal data.
Members of staff should be aware they may be held criminally liable because it is a criminal offence to knowingly or recklessly:
- obtain or disclose personal data or to enable disclosure to a third party without the consent of M3 or the data subjects, including taking clients’ or customers’ contact details or other personal data without M3’s consent, accessing other employees’ personal data without authority or otherwise misusing or stealing personal data;
- re-identify personal data that has been anonymised without the consent of M3 or the data subjects;
- alter, block, erase, destroy or conceal personal data with the intention of preventing their disclosure to a data subject following a data subject request – see below.
Where unlawful activity is suspected, M3 will report the matter to the Information Commissioner’s Office for investigation.
The Data Protection Manager and seeking their assistance
The Company’s Data Protection Manager, Michael-John Saunders,
- any doubt about what, how and when personal data can be used – see below, or
- uncertainty about the basis being relied upon to use personal data lawfully – see below, or
- the need to issue a privacy notice when collecting personal data – see below, or
- any doubt about the accuracy or currency of the personal data being used – see below, or
- uncertainty about the retention period for personal data – see below, or
- any doubt about the security of personal data – see below, or
- assistance required to address data rights invoked by a data subject – see below, or
- a suspicion that a personal data breach or any other breach of this policy may have occurred or is at risk of occurring.
What, how and when personal data can be used
Decisions about any use of personal data in accordance with this policy are the responsibility of the member of staff using them. This includes simple situations like using a data subject’s email address to invite them to a social event or to participate in a charitable sponsorship. When using any personal data for any purpose, members of staff must be confident:
- there are no special categories of personal data or criminal records personal data involved in any way (see the definitions in section 1 above) without the prior approval of the Data Protection Manager and
- the personal data does not relate to Company finance/accounting or human resources activities, unless the use has been approved in writing, and
- they are clear about the lawful basis for the intended use (see below) and they are not in need of any guidance on this from Richard Hollingworth or his nominee as regards marketing or business development activities or from Michael-John Saunders in any other regard, and
- they are not sending content to or making requests of any data subjects who may be offended or irritated as a consequence, or who have indicated they do not wish their personal data to be used as intended, and
- they are well acquainted with all of the data subjects to whom they send content or of whom they make requests, and
- they give the data subjects the clear opportunity to inform the sending member of staff that they do not wish to receive any future content or requests from any member of staff. If a data subject indicates they do not wish their personal data to be used, it is essential HR is notified as soon as possible, and this is then recorded in the Company’s master record of the data subject’s contact details.
Determining the basis relied upon to use personal data lawfully
Personal data must only be used by a member of staff where their job duties and responsibilities require it and when it is lawful on the basis of one or more of the following:
- to perform a contract with the data subject or their business, including to deliver service to a client; or
- at the data subject’s initiation, to seek to enter into a contract with them, including as a new employee or client; or
- the data subject has given consent for the specific purpose involved, provided a clear record is kept of the consent, what the data subject was told when they gave their consent and how and when the consent was given; or
- to comply with the Company’s legal obligations; or
- to protect the data subject’s or someone else’s vital interests; or
- to pursue the Company’s legitimate interests, provided: (i) the data subject’s rights and freedoms do not override the Company’s legitimate interests, and (ii) the purpose for using or processing the personal data is set out in a privacy notice, and (iii) a record is prepared and retained of why this is a lawful basis.
The legitimacy of the basis should remain under review to ensure a repeated or continuing use remains appropriate.
When consent is the basis, the data subject needs to have given a clear positive indication their personal data can be used for the purpose. Pre-ticked boxes, inactivity or silence do not constitute consent. When consent was given, data subjects must also have been advised of an easy way to withdraw their consent at any time.
Personal data must be collected only for specified purposes. It must be adequate, relevant and limited to what is necessary for the purposes and must not be used for new, different or incompatible purposes unless the data subject has been informed.
Additional conditions apply to the use of special categories of personal data which have not manifestly been made public by the data subject and of criminal records personal data – see the definitions in section 1 above. Before using these types of data, members of staff must seek prior approval of the Data Protection Manager because:
- the data subject must have given clear explicit consent to using their personal data for the specified purposes, or
- the use is necessary to carry out obligations or exercise specific rights of either the Company or the data subject under employment law or social security law, or
- the use is necessary in connection with legal claims.
Privacy notices
The Company will provide specific information to data subjects through privacy notices which are concise, transparent, intelligible, easily accessible and use clear and plain language. Whenever the Company collects personal data from data subjects, the following must be provided in a form and content approved by the Data Protection Manager:
- the contact details of the member of staff managing or coordinating the specific use of the personal data or, if not a specific use, of the Data Protection Manager, and
- the purpose for which the personal data will be used, and
- the basis for the use (see section 5 above) and, where legitimate interests are the basis, the nature of them, and
- the right to withdraw consent at any time, where consent is the basis for the use, and
- if not obtained directly from the data subject, the nature of the personal data and its sources, and
- the recipients or recipient groups with whom the personal data may be shared, including the Company’s service providers, and
- details of transfers of the personal data to be made to non-EEA countries and the safeguards to be applied, and
- the retention period for the personal data or the criteria to be used to determine the retention period, and
- the data subject’s rights to access, obtain, rectify, erase, restrict or object to the use of their personal data, and
- the right to complain to the Information Commissioner’s Office, and
- the existence of any automated decision-making, including profiling, and meaningful information about how decisions will be made using the personal data and the significance and consequences of the decisions to be made, and
- whether the provision of personal data is part of a statutory or contractual requirement or obligation, or a requirement necessary to enter into a contract, and the possible consequences of failing to provide the personal data.
The Company must issue a privacy notice when a data subject’s personal data are first collected from them. If the personal data have been obtained from third parties, the Company must provide the privacy notice within a reasonable period of obtaining the personal data and at the latest within one month. If the personal data are to be used to communicate with the data subject, the privacy notice must be provided before or when the first communication takes place. If disclosure of the personal data to a third party is envisaged, the privacy notice must be provided before or when the data are first disclosed.
Accuracy and currency of personal data
Personal data must be accurate and appropriately up to date, with every reasonable step taken to erase or rectify inaccuracies. Members of staff should keep the HR Manager informed if their personal data changes because the Company cannot be held responsible for errors in their personal data unless the member of staff notified the Company of the relevant change. Members of staff must also ensure the personal data about other data subjects they hold or coordinate in connection with their role at the Company is accurate and up to date. The accuracy and currency of personal data must be checked at the point of collection and at regular intervals thereafter and reasonable steps must be taken to destroy, erase or correct outdated personal data.
Retaining personal data
Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is used. The Company will only retain personal data for as long as is necessary for the purposes for which they were originally collected, including to satisfy legal, tax, health and safety, reporting or accounting requirements.
All personal data must be reviewed before destruction or erasure to determine whether special factors mean this should be delayed. Otherwise, they must be destroyed or erased at the end of the retention periods below. In some circumstances, the Company may anonymise personal data so they no longer permit a data subject’s identification and they are then retained for a longer period.
job applicants:
If a job applicant’s application for employment or engagement is unsuccessful, the Company will generally hold their personal data for one year after the end of the relevant recruitment exercise, but this is subject to minimum statutory or other legal, tax, health and safety, reporting or accounting requirements and retention for up to six years to protect against legal risks. If the job applicant has consented to the Company keeping their personal data for future employment opportunities, the Company will hold their personal data for a further six months after the end of the relevant recruitment exercise or until they withdraw their consent if earlier.
members of staff:
The Company will generally hold personal data for the duration of a member of staff’s employment or engagement, except disciplinary, grievance and capability records will only be retained until the expiry of any warning given and then only a summary record will be maintained. Once a member of staff has left employment or their engagement has been terminated, the Company will generally hold their personal data for six years except where the personal data forms part of the records of services provided by the Company or is subject to minimum statutory or other legal, tax, health and safety, reporting or accounting requirements.
other third parties, including clients, customers and suppliers:
The Company will generally hold personal data belonging to clients, customers and suppliers for the duration of the Company’s business relationship with them. Once the Company’s business relationship with a client, customer or supplier has been terminated, the Company will generally hold their personal data for six years after the termination of the relationship except where the personal data forms part of the documentation or records of the services provided by the Company or is subject to minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records.
Security of personal data
Appropriate security of personal data must be maintained, including protection against unauthorised or unlawful use or accidental loss, destruction or damage. The Company takes the security of personal data seriously and has implemented and maintains safeguards which are appropriate to the size and scope of the business, the amount of personal data held and identified risks. This includes encryption of personal data where appropriate. The Company also takes steps to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and to ensure that, in the event of a physical or technical incident, availability of and access to personal data can be restored in a timely manner. The Company regularly tests and evaluates the effectiveness of its technical and organisational safeguards to ensure the security of its processing activities.
Members of staff are responsible for protecting personal data and must comply with all procedures and policies to maintain the security of personal data from the point of collection to the point of destruction.
Where the Company uses third-party service providers to process personal data, additional security arrangements safeguard the security of personal data, which is only accessible to third-party service providers where the third party:
- has a business need to know the personal data for the purpose of providing the contracted services; and
- was identified in the privacy notice provided to the data subject; and
- has agreed to comply with the Company’s data security procedures with adequate measures to secure processing; and
- has a written contract and related instructions with the Company containing specific approved terms and requirements; and
- will assist the Company to allow data subjects to exercise their data protection rights and in meeting the Company’s obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments; and
- will delete or return all personal data to the Company at the end of the contract; and
- will submit to audits.
The approval of the Data Protection Manager is required before an agreement involving the processing of personal data by a third-party service provider is entered into or amended.
Personal data accessed or acquired by members of staff in connection with their role must not be stored on local computer drives or on personal devices. They may only share personal data they access or acquire in connection with their role with other members of staff if they have a business need to properly perform their job duties and responsibilities.
Hard copy personnel files and removable storage media, which hold personal data about members of staff, are confidential and must be stored in locked filing cabinets. Only authorised members of staff, who have a business need to properly perform their job duties and responsibilities, have access to these files and media. Personal data about members of staff held in electronic format will be stored confidentially with password protection and only authorised members of staff will have access.
The Company has network backup procedures in place to ensure personal data held in electronic format cannot be accidentally lost, destroyed or damaged.
Data protection legislation requires the Company to notify any personal data breach to the Information Commissioner’s Office within 72 hours after becoming aware of the breach and, where there is a high risk to the rights and freedoms of data subjects, to the data subjects themselves. A personal data breach is any breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and includes any act or omission that compromises the confidentiality, integrity or availability of personal data or the safeguards that the Company, or our third-party service providers, have put in place to protect them. Anyone knowing or suspecting that a personal data breach has occurred should immediately contact our Data Protection Manager, Michael-John Saunders,
Data subject rights
If someone wishes to exercise their data subject access rights, they should please put the request in an e-mail and send it to the Data Protection Manager, Michael-John Saunders at
Data subjects have the right to request and obtain a copy of the personal data the Company holds about them and to receive:
- confirmation as to whether or not their personal data are being used or processed;
- access to copies of their specified personal data;
- the purposes of the use or processing and the categories of personal data concerned;
- the recipients or recipient groups to whom the personal data have been or will be disclosed;
- where the personal data are not collected from them, any available information as to their source;
- where the personal data are transferred to a non-EEA country, what safeguards are in place relating to the transfer;
- the period for which the personal data will be stored or the criteria used to determine that period;
- the existence of any automated decision-making, including profiling, and meaningful information about how decisions will be made using the personal data and the significance and consequences of the decisions to be made;
- confirmation of the data subject’s rights to request rectification or erasure of their personal data or restriction of use or processing of their personal data or to object to the use or processing;
- information about their right to lodge a complaint with the Information Commissioner’s Office if they think the Company has failed to comply with their data protection rights.
When a data subject makes such a request, the Company will log the date on which the request was received and confirm their identity. Where the Company has reasonable doubts about the data subject’s identity, additional information will be requested to confirm their identity. The Company will then search databases, systems and other places where the personal data may be held. Where the Company processes a large quantity of personal data about a data subject, the Company may ask them to first specify the information to which their request relates, to help expedite a response.
If the data subject makes their request electronically, the Company must provide a copy of the personal data in a commonly used electronic format, unless the data subject specifically requests otherwise. If the data subject wants additional copies of the personal data, the Company will charge a reasonable fee based on the administrative costs of providing the additional copies.
The Company must respond to a request and provide copies of the personal data within one month of the request. However, if the Company determines that a data subject request may take longer than one month to respond to, it may extend this time limit by a further two months if the request is complex or there are a number of requests from the data subject. If the Company intends to extend the time limit, it will contact the data subject within one month of receiving the request to inform them of the extension and explain why it is necessary.
Before providing the personal data to the data subject making the request, the Company will review the documents to ascertain whether they contain personal data of other data subjects. The Company may redact personal data of other data subjects unless they have consented to the disclosure of their personal data. The Company will also check for any statutory exemptions that may apply, which may mean the personal data is not disclosed.
Whilst the Company will normally provide a copy of the personal data in response to a request free of charge, the Company reserves the right to refuse to respond to a request (where it can demonstrate the request is manifestly unfounded or excessive) or to charge a reasonable fee, based on the administrative costs of providing the personal data, when a request is manifestly unfounded or excessive or if it repeats a request to which the Company has already responded. Where the Company refuses to respond, the data subject will be given written reasons why within one month of the request. The Company will also inform them of their right to complain to the Information Commissioner’s Office or to seek a judicial remedy in the courts.
Subject to certain conditions, and in certain circumstances, data subjects also have the right to:
- be informed, normally by an appropriate privacy notice;
- request rectification of inaccurate or incomplete personal data: unless there is an applicable exemption, the Company should rectify the personal data without undue delay and also communicate the rectification of the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort;
- request the erasure of their personal data: the Company should erase the personal data without undue delay (provided one of the grounds set out in the data protection legislation applies and there is no applicable exemption) and communicate the erasure to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort;
- restrict the use or processing of their personal data, including to send them marketing, invitations or other requests: where processing has been restricted in accordance with the grounds set out in the data protection legislation, the Company should only process the personal data (excluding storing them) with the data subject’s consent, in connection with legal claims, to protect the rights of another person or for reasons of important public interest; the Company should then communicate the restriction of processing the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort, and, prior to lifting the restriction, inform the data subject that it is to be lifted;
- object to the processing of their personal data, including to ask the Company to stop processing their personal data where the Company is relying on the legitimate interests of the business as the basis for processing and there is something relating to their particular situation which makes them decide to object to processing on this ground: where such an objection is made in accordance with the data protection legislation and there is no applicable exemption, the Company should no longer process the data subject’s personal data unless the Company can show compelling legitimate grounds for the processing which override the data subject’s interests, rights and freedoms or the Company is processing the personal data in connection with legal claims;
- request the transfer of their personal data to another party so they can reuse them for their own purposes: unless there is an applicable exemption, the Company should provide the personal data if the basis for the processing of the personal data is consent or pursuant to a contract and the Company’s processing of those data is carried out by automated means;
- not be subject to automated decision-making, including profiling: unless there is an applicable exemption, the Company should no longer make related decisions unless the data subject is given the right to express their point of view and contest the decisions and either (i) it is necessary for entering into or to perform a contract between the Company and the data subject, or (ii) it is authorised by applicable law which lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, or (iii) it is based on the data subject’s explicit consent;
- be notified of a data breach which is likely to result in a high risk to their rights and freedoms.
Where someone has consented to the use of their personal data for a specific purpose, they have the right to withdraw their consent for that specific purpose at any time, but without affecting the legitimacy of use based on consent before its withdrawal. Someone wishing to withdraw their consent to the processing of their personal data for a specific purpose should notify the Data Protection Manager. Once notified, the Company will no longer process the personal data for the purpose previously consented, unless the Company has another lawful basis for processing.
Changes to this Personal Data and GDPR section of this policy
The Company will review this policy at regular intervals and we reserve the right to update or amend it at any time and from time to time. The Company will circulate any modified policy to members of staff and, where appropriate, may notify changes by e-mail. It is intended that this policy is fully compliant with the data protection legislation. However, if any conflict arises between the data protection legislation and this policy, the Company will comply with the data protection legislation.