
LCRS DATA PROTECTION POLICY & PROCEDURES

Effective Date:

01 May 2026

Last Reviewed:

01 May 2026

1. Policy Statement

The London Centre for Risk & Sustainability (LCRS) is committed to ensuring that all personal
data is handled in a lawful, fair, and transparent manner in accordance with the UK GDPR
and the Data Protection Act 2018.

LCRS recognises that effective data protection is fundamental to:

  1. Organisational integrity
  2. Stakeholder trust
  3. Responsible governance and risk management

2. Purpose

This policy establishes:

  1. The principles governing data protection at LCRS
  2. Procedures for handling personal data securely and lawfully
  3. Responsibilities for all individuals handling data
  4. Controls supporting the Sustainability Leadership League (SLL) and other activities

3. Scope

This policy applies to:

  1. All LCRS employees, contractors, volunteers and partners
  2. All systems, platforms, and processes
  3. All personal data processed by LCRS

Including:

  1. Client and stakeholder data
  2. SLL submissions and organisational data
  3. Communication and marketing data
  4. Research and engagement data

4. Data Protection Principles

LCRS adheres to the following principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

5. Governance & Responsibilities

5.1 Leadership Responsibility

LCRS leadership is responsible for:

  1. Ensuring compliance with data protection laws
  2. Providing oversight and accountability
  3. Allocating responsibility for data protection management

5.2 Operational Responsibility

All individuals handling data must:

  1. Process data only as required
  2. Maintain confidentiality
  3. Follow defined procedures
  4. Report incidents or risks immediately

6. Lawful Basis for Processing

LCRS processes personal data under:

  1. Consent – e.g. subscriptions, SLL registration
  2. Contractual necessity – delivery of services
  3. Legitimate interest – research, engagement, improvement
  4. Legal obligations – where applicable

Special Category Data

Where processed:

  1. Additional safeguards are applied
  2. Processing is strictly limited and justified

7. Data Collection & Minimisation

LCRS ensures:

  1. Data collected is relevant and necessary
  2. No excessive data is requested
  3. SLL data is limited to organisational assessment needs

8. Data Retention & Deletion

8.1 Retention Principles

Retention periods may vary depending on contractual, legal, or regulatory requirements.
Data is retained only as long as necessary and is securely deleted or anonymised thereafter.

8.2 Retention Categories

Data Type          Retention
Contact data       Duration of engagement + 2 years
SLL data           Up to 3 years
Financial/legal    As required by law

8.3 Deletion Procedures

  1. Annual data review
  2. Secure deletion or anonymisation
  3. Responsibility assigned to designated personnel

9. Data Security Controls

9.1 Technical Controls

  1. Secure systems and platforms
  2. Password protection and authentication
  3. Encrypted storage where required

9.2 Organisational Controls

  1. Restricted access based on roles
  2. Controlled sharing of sensitive data
  3. Secure handling of devices

9.3 Storage Rules

  1. Data stored only on approved systems
  2. No unauthorised personal device storage
  3. Physical and digital safeguards applied

10. Data Processing Procedures

All data must be:

  1. Accessed only when required
  2. Used for defined purposes
  3. Stored securely
  4. Not shared without authorisation

10.1 SLL-Specific Processing

Data submitted through SLL is used for:

  1. Maturity assessment
  2. Insight development
  3. Benchmarking (anonymised and aggregated)

LCRS ensures:

  1. No misuse of organisational data
  2. No unauthorised disclosure
  3. No commercial resale of data

11. Third-Party Data Processing

Where third parties are engaged:

  1. Data Processing Agreements must be in place

Roles must be clearly defined:

  1. Data Controller
  2. Data Processor
  3. Joint Controller

Third parties must meet the required data protection standards.

12. Data Protection Impact Assessments (DPIA)

LCRS conducts DPIAs when:

  1. Processing high-risk data
  2. Introducing new systems
  3. Handling sensitive or special category data

13. Subject Access Request (SAR) Procedure

When a request is received:

  1. Verify identity
  2. Log the request
  3. Retrieve relevant data
  4. Respond within legal timeframe
  5. Provide data securely

14. Data Breach Management

In the event of a breach:

  1. Immediate reporting internally
  2. Containment of the breach
  3. Risk assessment
  4. Notification to the Information Commissioner’s Office where required
  5. Communication with affected individuals where necessary

15. Training & Awareness

LCRS ensures:

  1. Staff understand personal and sensitive data
  2. Staff know how to protect data
  3. Staff can identify and report risks

Training is:

  1. Risk-based
  2. Regularly reviewed
  3. Updated as needed

16. International Data Transfers

Where data is transferred outside the UK:

  1. Appropriate safeguards are applied
  2. Legal mechanisms are used
  3. Risks are assessed and mitigated

17. Monitoring and Compliance

LCRS will:

  1. Monitor compliance with this policy
  2. Conduct periodic reviews
  3. Update controls as required

18. Policy Review

This policy will be:

Reviewed at least annually

Updated based on:

  1. Legal changes
  2. Operational developments
  3. Lessons learned

19. Related Documents

This policy should be read alongside:

  1. Privacy Policy
  2. Terms & Conditions
  3. IT & Cybersecurity Policy
  4. Anti-Slavery Policy
