GDPR Policy

Mayfair IT Consultancy - Personal Data Handling Statement - V1


Mayfair IT Consultancy Ltd takes the protection of personal data very seriously. We ensure that all Personnel (i.e. whether temporary, fixed-term, or permanent), consultants, contractors, trainees, seconded staff, home workers, casual workers, agency staff, volunteers, interns, agents, sponsors, or any other person or persons associated with us (including third parties), are provided with this statement on how we handle personal data before starting employment with us, or prior to provision of professional services with our clients.

All personnel must reaffirm on an annual basis that they understand their responsibilities under the Code of Conduct to treat personal data appropriately and in accordance with our policies and procedures.

We have privileged and wide-ranging access to both government and personal data and information to support our contracts and consultancy work and have a duty to respect this privileged access and to ensure that the personal data entrusted to us is safeguarded properly.
We have robust procedures for managing personal data in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act (DPA) 2018. Our private statement, published on our website explains how we use and protect personal data.

Statement on management of personal data

We take our obligations under the General Data Protection Regulations (GDPR) and Data Protection Act 2018 seriously. We have appointed a Data Protection Officer ( and all our staff are provided with appropriate training and required to comply with formal data protection policies, guidelines and procedures designed to keep personal data secure and support privacy by design.

We maintain a secure modern IT environment. We undertake regular independent security assessments, hold the UK government Cyber Essentials certification and our Information Security Management Systems is aligned to ISO27001. Our systems and backups are all hosted within the European Economic Area.

We keep our requests for personal data to the minimum necessary to complete our work and retain any personal information we obtain only for as long as we need it. We take appropriate measures to safeguard the confidentiality, integrity and availability of data we hold according to its volume and sensitivity as laid out in our data protection policies. Were appropriate, we conduct data protection impact assessments which may result in additional controls being applied. We keep a record of our data processing activities.


To help you understand our commitment, we have developed a series of Personal Data Statements below, which all our personnel subscribe to.

We will only request personal data for use in discharging our statutory and other audit functions and for lawful purposes. We request the minimum amount of information necessary to carry out our work. We have protocols which specify the measures we use for protecting personal data during transfer for the purposes of our work.

We will work with you to discuss and implement required and appropriate data handling protocols for protecting personal data during transfer for the purposes of our work.

All personal information will be assigned an Information Asset Owner at Director level who is responsible for authorising requests for personal data and for ensuring that personal data is transferred, processed, stored and destroyed in accordance with GDPR and DPA guidelines.

We will destroy, return, or store personal data as necessary on completion of our work. We have procedures to manage to the long-term storage of personal data where this is required by law or by professional standards.

If we become aware of a potential or actual breach of the personal data you have provided to us, we will notify you without undue delay.

We ensure our personnel operate suitable procedures for personal data protection. From time-to-time we contract with third parties who support us in discharging our statutory and other audit responsibilities.


Access to personal information will only be given under contract to organisations who can demonstrate that they are meeting their data protection obligations under applicable law and capable of maintaining the standards defined in these statements.


We ensure their data protection commitments through contractual obligations that meet the requirements of the GDPR.

We audit our compliance with our data protection policies. The Data Protection Officer monitors compliance and our suite of policies and procedures that make up our data protection framework.
We will comply with the rights of data subjects in line with the requirements of data protection legislation.

Where information identifying individuals must be given up by law, we will release it only to those legally entitled to receive it.