GDPR Policy

Since 2015

Effective Date: 05/09/2025
Last Reviewed: 05/09/2025

1. Purpose

This policy ensures that Rising Tides complies with the UK GDPR and Data Protection Act 2018 concerning the collection, storage, and processing of personal data.

2. Scope

This policy applies to all employees, contractors, and third-party providers, and covers all personal data processed by Rising Tides, irrespective of format.

3. Definitions

  • Personal Data: Information relating to an identifiable individual.
  • Processing: Any operation performed on personal data.
  • Data Subject: Individual to whom the personal data belongs.
  • Data Controller: Rising Tides, determining data processing purposes.
  • Data Processor: Third party processing data on our behalf.

4. Data Protection Principles

We uphold:

  1. Lawfulness, fairness & transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity & confidentiality
  7. Accountability

5. Lawful Bases for Processing

We process data only when:

  • Consent is given
  • It’s necessary to perform a contract
  • Required by law
  • Protecting vital interests
  • Necessary for legitimate interests without overriding data subject rights

6. Data Subject Rights

Individuals have the right to:

  • Be informed
  • Access data
  • Rectify data
  • Erase data (“right to be forgotten”)
  • Restrict or object to processing
  • Data portability
  • Resist automated decisions or profiling

7. Data Security

We implement measures to:

  • Prevent data loss or unauthorised access
  • Limit data access
  • Encrypt/pseudonymise where possible
  • Review practices and risks regularly

8. Data Breach Protocol

In case of a breach:

  • Assess risk to data subjects
  • Notify ICO within 72 hours, if required
  • Inform affected individuals when there’s a high risk
  • Record all breach incidents

9. Data Retention

We retain data only as long as needed, and securely delete or anonymise it when it is no longer required or its retention is no longer legally permitted.

10. Third-Party Processors

We only work with vendors who guarantee GDPR compliance; formal agreements ensure appropriate safeguards.

11. International Data Transfers

Transfers outside the UK only occur when:

  • Adequacy decisions exist, or
  • Appropriate safeguards (like Standard Contractual Clauses) are in place

12. Roles & Responsibilities

  • Data Protection Lead: Oversees GDPR compliance
  • All Staff & Contractors: Must follow policy and report data issues

13. Training & Awareness

Training on GDPR and data protection is mandatory for staff and relevant third parties, with refresher sessions as needed.

14. Policy Review

This policy is reviewed annually or when changes in law or practice occur.

15. Contact

For any queries, data subject requests, or breaches:

Email: wave@tideleaders.com