Leading Figures’ GDPR Policy and Approach
Leading Figures is a firm with two partners (Data Controllers and Data Processors) and five associates (Data Processors).
We currently engage four sub-contractors on an occasional basis:
- one personal assistant
- Quest Leadership (& Wiley) for LPI (Leadership Practices Inventory) 360s
- OPP for MBTI (Myers Briggs Type Indicator) profiling and reports
- Odro virtual meeting rooms embedded in our website to facilitate secure video communication
Our email communications and documentation systems are served by the Microsoft Office 365 Business Premium platform. Office 365 has industry-leading security measures and privacy policies to safeguard data in the cloud, including the categories of personal data identified by the GDPR.
When interacting with any of our contacts and clients, our Associates are contractually obliged to uphold and adhere to our GDPR requirements and standards.
Our personal assistant helps us arrange travel, hotel accommodation and venue bookings but does not deal with client data.
Leading Figures complies with the ICO guidelines for organisations with fewer than 250 employees.
We process individual data on the legal basis of Legitimate Interest, cognisant of the ICO’s three-part test in terms of:
- Purpose – that there is a legitimate interest behind the processing.
- Necessity – that the processing is necessary for that purpose.
- Balancing – that our legitimate interest is not overridden by the individual’s interests, rights or freedoms.
Our GDPR Policy and Approach
1. Collection of Data
We collect basic data such as name, email address and telephone number purely for us and the client to communicate when working together and to highlight any specific events they and our contacts may find of interest to attend. Additional personal information is collected during the natural course of our coaching and mentoring sessions with our clients, mostly by way of confidential conversations we have with clients but also, in some circumstances, by completion of a questionnaire. Data on psychometrics (currently drawn from Myers Briggs analysis provided by a third party, OPP) and leadership characteristics (administered by Quest Ltd and Wiley publishing) are also collected by Leading Figures; clients are made aware of this if they provide information to such third parties.
2. Specified Purpose for the information obtained
The data is used as part of the coaching and mentoring services we provide to our clients. The nature of the service we provide is often one of a private confidant, and clients will reveal personal information to us that they feel is helpful to explore as part of their personal and professional development. We do not share any personal details or data points with other third parties unless we have the explicit permission of our clients to do so. In line with the ICO guidelines, our clients (or any individual we hold information on) can exercise their right to ‘subject access’ of the personal data we hold on them. Such requests can be made verbally or in writing, and we will respond within one month.
3. Guidelines Governing the Use and Safeguarding of Collected Information
All electronic data is held on password-protected devices with appropriate firewalls in place.
Our associates are contractually bound to adhere to these guidelines.
Data is used and safeguarded in line with points 1 & 2 above.
4. Security Plan for the data sets that Leading Figures holds on to
All data processors, including our partners and associates, are required to use password-protected devices and restrict their use of data to points 1 & 2 outlined above.
Quest Leadership processes individual data on the legal basis of Legitimate Interest, as part of each given client project. Quest Leadership is the Data Controller for all LPI data. All data is retained on the global server at Wiley Inc. offices, Indianapolis, MA, USA. A full privacy statement relating to LPI can be found at: www.lpionline.com
- Microsoft Office 365 GDPR compliance information is provided here
5. Collecting only the information that is necessary
We collect data in two ways. The first is from our clients directly during conversations and meetings, where we may record, mostly in written form, key issues raised by the clients that can relate to any aspect of their life, activities, feelings and beliefs. We may take notes of such points to help us assist our clients in their personal and professional development. The second, subject to client consent, is from collecting data through psychometrics and leadership assessments as discussed above. Again, such information is only sought where a client provides explicit permission for us to do so and they believe it will be of benefit to them for their future development.
6. Data Retention Policy
We keep records indefinitely whilst working with a client but erase their information when we have finished working with them and they have eventually lost contact with us. Electronic data is deleted while hard copy information is security shredded by a reputable company that provides certified destruction.
7. Data Breach Policy
In line with the ICO’s guidelines we will report a personal data breach under the GDPR if such a breach is likely to result in a risk to people’s rights and freedoms. As such we will report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it. We will adhere to the ICO’s dictum of ‘Tell it all, tell it fast, tell the truth.’
8. Policy for Protecting Paper Data
The partners and associates treat paper data in the same way as electronic data as outlined above. All data processors are required to have adequate filing systems in place with lockable cabinets.
Our GDPR policies and procedures are reviewed regularly by the partners, who are both data controllers and data processors.