GDPR and data protection policy.
Last updated 1 June 2026.
This policy explains how CIO Solutions LTD (Company No. 16179733) approaches data protection under the UK GDPR, the Data Protection Act 2018, and related UK privacy rules. It should be read alongside the privacy policy, which explains the personal data collected through this website.
This page is intended to give clients, prospects, suppliers, and website visitors a clear view of the way personal data is handled. It is not a substitute for any client-specific data processing agreement, statement of work, or security schedule.
Controller details
The data controller for this website and general business administration is CIO Solutions LTD. You can contact me at hello@interimcio.co.uk.
Where client work involves personal data, the role of CIO Solutions LTD may vary. Depending on the engagement, I may act as a controller, joint controller, or processor. The relevant contract or statement of work should set this out for each project.
Data protection principles
Personal data is handled in line with the core UK GDPR principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
In practical terms, this means I aim to collect only what is needed, explain why it is needed, keep it for no longer than is reasonable, protect it appropriately, and document decisions where the risk or sensitivity requires it.
Lawful bases
The lawful basis used depends on the context. Typical lawful bases include:
- Contract, where data is needed to discuss, deliver, or manage a service.
- Legitimate interests, where data is needed to respond to enquiries, run the business, secure systems, and understand website performance.
- Consent, where someone opts into marketing or accepts analytics cookies.
- Legal obligation, where records must be kept for accounting, tax, compliance, or other legal reasons.
Personal data handled
The personal data handled by the business may include contact details, company details, enquiry messages, newsletter signup information, booking details, analytics data, supplier correspondence, project records, and information included in client systems or documents during an engagement.
I do not intentionally collect special category personal data through this website. If a client project may involve sensitive data, the scope, controls, access rights, and lawful basis should be agreed before that work starts.
Client systems and AI work
Some engagements may involve reviewing business systems, workflows, documents, datasets, or AI tooling. Where personal data is involved, access should be limited to what is necessary for the agreed work.
For AI-related projects, I aim to avoid using personal data where anonymised, pseudonymised, synthetic, or sampled data would be sufficient. Where external AI services are used, the data flow, vendor position, retention settings, and relevant safeguards should be agreed as part of the engagement.
Processors and service providers
I use a small number of service providers to operate the website and business. These may include hosting, analytics, email, newsletter, booking, cloud, and professional-services providers. The current website privacy policy names the main providers used for this site.
Where a provider processes personal data on behalf of CIO Solutions LTD, I aim to use providers that offer appropriate contractual, technical, and organisational safeguards.
International transfers
Some providers may process or store data outside the UK. Where this happens, I aim to rely on an appropriate transfer mechanism recognised under the UK GDPR, such as UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU standard contractual clauses, or equivalent safeguards offered by the provider.
Retention
Personal data is kept only for as long as it is needed for the purpose it was collected, including any legal, accounting, security, or dispute-resolution requirements. Website enquiries and project records may be retained where needed to manage the relationship and keep an accurate business record.
Security
I use proportionate technical and organisational measures to protect personal data. These may include access controls, multi-factor authentication, least-privilege access, secure cloud services, device security, encrypted transport, and limiting access to client data to the people and systems that need it.
No website, cloud service, or email system can be guaranteed to be completely secure. If I become aware of a personal data breach, I will assess the risk to the individuals affected and, where required, notify the affected individuals and the Information Commissioner's Office within the legal timeframe (72 hours of becoming aware, for ICO notification). Where I am processing data on behalf of a client as their processor, I will notify that client without undue delay so they can meet their own obligations as controller.
Your rights
Individuals have rights under the UK GDPR. These may include the right to be informed, access personal data, correct inaccurate data, request erasure, restrict processing, object to processing, request portability, and challenge certain automated decisions.
To exercise a right, email hello@interimcio.co.uk. I may need to verify your identity before acting on a request. If the request relates to data processed on behalf of a client, I may need to refer the request to that client as the relevant controller.
Complaints
If you are unhappy with how personal data is handled, please contact me first so I can try to resolve it. You also have the right to complain to the UK Information Commissioner’s Office at ico.org.uk.
Review
This policy will be reviewed periodically and updated when the website, services, providers, or legal requirements change.