GDPR Policy

GDPR Policy

Flow Associates

Privacy and personal data protection policy

1: Context and overview

Key details:

  • Policy prepared by: Alex Flowers
  • Approved by Directors on: 05/06/2022
  • Next review date: 01/06/2023


In order to operate, Flow Associates needs to gather and use certain information about individuals. These can include customers and clients, client’s audiences and potential audiences, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards – and to comply with the law.

Why this policy exists:

This data management policy ensures Flow Associates:

  • Complies with data protection law and follows good practice
  • Protects the rights of the public, customers, staff and partners
  • Is transparent about how it stores and processes individuals’ data
  • Protects itself from the risks of a data breach

Data protection law:

The General Data Protection Regulation (GDPR) applies in the UK and across the EU from May 2018. It requires personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of individuals;
  6. Processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  7. The controller shall be responsible for, and be able to demonstrate, compliance with the principles.

2: Who? People and responsibilities

Everyone at Flow Associates contributes to compliance with GDPR.

This includes

  • Directors
  • Staff
  • Associates
  • Consultants
  • Interns
  • Volunteers

Key areas of responsibility

Where Flow Associates is the Data Controller (as opposed to a client taking on this role) we will determine what data is collected and how it is used.

Everyone working at or for Flow Associates has a responsibility to ensure that they adhere to this policy.

The data protection officer is Susanne Buck. She is responsible for the secure, fair and transparent collection and use of data by Flow Associates through:

  • Documenting, maintaining and developing the organisation’s data protection policy and related procedures
  • Embedding ongoing privacy measures into company policies and day-to-day activities, throughout the organisation and within each project that requires the processing of personal data. The policies themselves will stand as proof of compliance.
  • Dissemination of policy across the organisation.
  • Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters
  • Developing privacy notices to reflect lawful basis for fair processing, ensuring that intended uses are clearly articulated, and that data subjects understand how they can give or withdraw consent, or else otherwise exercise their rights in relation to the companies use of their data

Flow Associates uses third party Data Processors (e.g. SurveyMonkey and Thirty8Digital) to process data on it’s behalf. To manage this the Data Processer will

  • Ensure all systems, services and equipment used for storing data meet acceptable security standards
  • Ensure web service providers are performing regular checks and scans to ensure security hardware and software is functioning properly
  • Evaluate any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations

3: Scope of personal information to be processed

Flow Associates collects and holds personal data about individuals including

  • Current, past and prospective employees and associates
  • Clients and customers
  • Respondents to consultancy-related audience research
  • Other stakeholders

This data includes:

  • names of individuals
  • postal addresses of individuals
  • email addresses
  • telephone numbers
  • financial information (bank account details necessary for payment)
  • employment and educational details (e.g. CVs)

In addition we may hold anonymous data which does not fall within data protection rules.

Flow Associates does not collect or hold personal data from the general public for our own use.

How data is collected and stored

Flow Associates uses Dropbox and Google Drive to store and share data within our team. Project specific data may be shared with the client where permission has been granted by the individual. We do not share personal data outside of Flow, or store it in such a way that it could be compromised. We use secure online data-gathering tools such as SurveyMonkey or Google Forms. Where information is collected via paper surveys or signup sheets this is transferred to a database before originals are destroyed. A record is kept where people have given consent for data to be stored and used.

Data relating to clients, associates, contractors, volunteers and interns

  • Data is supplied directly by individuals we work with or intend to work with, and stored electronically, for example within banking software. Out of date data will be deleted.

Data relating to our clients’ audiences and customers

  • Where we have been contracted by a third party to collect, store and analyse data on their behalf (for example as part of an evaluation or audience research project) initial data such as names and email addresses may have been supplied by the client. In other instances we may have gathered data on a client’s behalf, through paper or online surveys. Personal Data is only used and stored for a maximum of one year after the end of the project, and wherever possible data is anonymised.

4: Rights of the individual

Flow respects the rights of individuals with regards to their data. Our procedure for responding to these rights are:

The right to be informed Information will be clearly supplied at the point at which data is collected.
The right of access We will respond within one month with information about data held
The right to rectification We will rectify incorrect data within one month of being informed
The right to erasure Without undue delay
The right to restrict processing Without undue delay
The right to data portability N/A
The right to object We will respond on receipt of objection
Rights in relation to automated decision making and profiling N/A

5: Uses and conditions for processing

There are six ways in which the lawfulness of specific uses and conditions for processing of personal data can be carried out. Of these there are three which are relevant to Flow Associates. These are:

  • Consent
  • Performance of a Contract
  • Legitimate Interest

For any data processing activity Flow Associates will identify the appropriate lawful basis and document this, in according with GDPR.

The below sections outline in brief how Flow Associates will manage these processes.


Where Consent is the most appropriate lawful reason to collect and process data Flow Associates will always obtain explicit consent from a subject to do so. A record of their consent will be stored with their data. Transparent information will be given at the time the data is collected as to who is collecting it, why, how it will be used, and who by. Their rights with regards to that data will also be explained, such as their right to withdraw consent. Where contact data is used for future communication the right to withdraw consent will be notified every time.

Where consent is withdrawn this data will be deleted within one month.

Legitimate Interest

Where ‘legitimate interest’ is the lawful condition for processing, Flow will have carried out a Data Protection Impact Assessment (DIPA) to determine this. This process will be recorded along with details of how we have considered or mitigated against any potential negative impact on the individual.

See appendix for an example DIPA

A DPIA can address more than one project, e.g. using anonymised information in an evaluation report


Consent may not be explicitly required where personal data is necessary for us to perform a service or fulfil an agreement. This may include contact with clients, or past and future associates.

6: Data Sharing

Flow Associates does not share personal data with third parties unless explicit consent has been given by the individual that their data can be passed on to a named third party. This is likely to be a client on who’s behalf we are collecting the data.

If permission to share personal data has not been sought or given then personal data will not be shared in any circumstance. However we will legitimately use this data to inform work we have been contracted to perform on behalf of clients. All insights will be anonymised.

7: Security measures

If permission has been given to share personal data with a client or other named third party, or if we need to share data with an associate who has been contracted by us to carry out work, our preferred method is using secure data sharing processes such as Dropbox or a shared Google Drive document. Where data is shared via an email attachment it will only be sent to relevant, named personnel.

Information collected remotely (e.g. survey responses or queries via our website) will be through a secure third party Data Processor such as Survey Monkey or our website managers 38 Digital. Access to this data will be restricted by password and in the case of SurveyMonkey a secure passcode log in system.

Password management: Access to passwords are restricted to Flow Team members only.

Data back-up: Where possible we store data within the software it was collected. Copies (e.g. downloaded in spreadsheet form) are kept only within the company Dropbox account and not on individual computers.

Data breach: In the unlikely account that our systems are compromised and data breach takes place we will notify the relevant bodies accordingly.

Data deletion: Personal data from research, such as survey information, demographic data, geographical locations, will be deleted within three months of the end of research.

8: Automated processing

Flow Associates does not use automated processing for personal data. Qualitative data collection, such as responses to surveys, are anonymised if automated analysis tools are used, such as IntraNodus, or other machine learning platforms.

9: Subject access requests

All individuals who are the subject of data held by Flow Associates are entitled to:

  • Ask what information the company holds about them and why
  • Ask how to gain access to it
  • Be informed how to keep it up to date
  • Be informed how the company is meeting its data protection obligations

Individuals who request information on or access to their data, will be responded to within one month.

10: The right to be forgotten

All data that could be used to identify an individual will be deleted within one month on request.

11: Privacy notices

Flow Associates aims to ensure that individuals are aware that their data is being processed, and that they understand:

  • Who is processing their data
  • What data is involved
  • The purpose for processing that data
  • The outcomes of data processing
  • How to exercise their rights.

To these ends the company has a privacy statement, setting out how data relating to these individuals is used by the company.

Our privacy statement can be read on the Flow Associates website here

12: Ongoing documentation of measures to ensure compliance

Meeting the obligations of the GDPR to ensure compliance will be an ongoing process. Flow Associates details here the ongoing measures implemented to:

  1. Maintain documentation/evidence of the privacy measures implemented and records of compliance
  1. Regularly test the privacy measures implemented and maintain records of the testing and outcomes.
  1. Use the results of testing, other audits, or metrics to demonstrate both existing and continuous compliance improvement efforts.
  1. Keep records showing training of employees on privacy and data protection matters.

Appendix A

Scope / purpose of processing Duration of processing Nature of processing required Types of personal data to be processed Lawful Conditions for processing* Evidence for lawful basis
Contacting individuals with a survey or questions on behalf of a client Initial contact and reminders as necessary Mail-merge of name and contact details from client supplied database Name, email address, occupation Consent Ensure consent collected by client (as data controller) to allow 3rd party contact
Contacting individuals with a survey or questions Initial contact and reminders as necessary Inviting individuals with an interest in the project to participate Name, email address, phone number Legitimate Interest Project relevant and beneficial to individual
Collating responses to questions via an online survey; paper form; or sent in an email Duration of project Transferring responses into a database Name, email, phone number, occupation, organisation, age, gender, ethnicity, postcode Consent Evidence of date consent given, how, permitted use and, permitted comms channels.
Analysing data Duration of project Organisation of data into sets to look for trends Name, email, phone number, occupation, organisation, age, gender, ethnicity, postcode Consent Evidence of date consent given, how, permitted use and, permitted comms channels.
Using data and information supplied by an individual to inform a report End of project Presenting quotes and statistics in a report. Anonymised data included in charts and tables. Anonymised quotes (may be identified with consent) Legitimate Interest Individual having taken part in a focus group, workshop or event, or given information via email or a survey that is explicitly linked to a research or evaluation  activity.

*e.g. Consent, Performance of a Contract, Legitimate Interest.