privacy notice
cookie notice

This privacy notice explains how we use personal data.

We are Data GRC Ltd, which including DPO.Business, CISO.Business, HeadWork.Business and StaffMentalHealth.com .

Our ICO registration number is ZA284104.

To talk about our use of personal data, call 07970 808242 or contact us via this website's contact form.

How do we process personal data?

Our use of data aligns to standard business-to-business practises.

We do not process any personal data in a way that we believe creates a risk to individuals privacy rights and freedoms.

Data protection matters.

Visitors to our website ▼

If you visit our website, we record data about your device and your use of our website. This is done as a legitimate interest to help maintain the security and performance (technical and content) of the website. The information is deleted within two years.

Requests for more information ▼

If you ask us a question and provide us with contact details and additional details about yourself, we will use those details to answer your questions and offer you related support. This is done as a legitimate interest for the provision of business services, we retain this data for one year from our last conversation, so that matters can be followed up if needed.

Newsletter subscriptions ▼

If you subscribe to our newsletter, we will use your email address to send you our newsletter, as you will have requested. You certainly have the right to opt out at anytime. This is done as a legitimate interest for the provision of business services, and we retain this data for six months from our last conversation, so that matters can be followed up if needed.

Clients ▼

When working with organisations, we process colleague details as relevant for that engagement, such as names, contact details, roles, and relevant interests and comments. This is done as a legitimate interest for the provision of business services, and we retain this data for three years from the end of our engagement, so that matters can be followed up if needed.

Due to the nature of our business, some colleagues might provide us with information what is sensitive under GDPR, such as health data. We process this data under the UK Data Protection Act 2018, schedule 10.8, for medical (healthcare) purposes. We retain this data in accordance with the associated legal obligations for the provision of healthcare.

Data Recipients

The personal data will be processed by colleagues at Data GRC Ltd, where relevant and appropriate as part of their role.

We also use third party companies to process our data under written instruction, for example, providing email and shared folders, and for website hosting.

We will also share data with third parties where there is a legal obligation or public interest, such as law enforcement obligations.

International Transfers

We only process personal data in the UK.

Individual's Personal Data Rights

We fully respect your rights to request that we:

  • Allow you to opt-out of any process that you previously consented to, at any time.

  • Provide a copy of data we hold on you, or to pass it to a third party on your behalf.

  • Amend, delete or restrict processing of your data.

  • Explain and review any automated decision making or profiling.

  • Provide further information about our processing activities.

If you wish to raise a Data Subject Request or contact us about any another matter, please contact our Data Protection Office at:

  • +44 (0)7970 808242

  • Send an online message from the contact forms on this website.


When we receive a request, we will seek to verify your identity and the request and will normally complete the request within 28 days. We will retain details of your request as a legitimate interest for two years, for quality assurance purposes, to deliver on our agreement to you and to help if you have any further questions about the matter.

Please let us know if you are not happy about how we are handling your data. We will do out best to resolve the matter, but if you have further concerns it is your right to make a complaint to the UK Information Commissioner's Office at https://www.ico.org.uk/.

What Else?

This privacy notice was drafted with brevity and clarity in mind. If you would like more details, please let us know.

We reserve the right to update our privacy notice and cookie notice at any time.

We keep our privacy notice under regular review but also welcome feedback and suggestions.

Contact Us