GDPR & Data Protection Process

Internal working document · Owner: [name / role] · Last updated: 9 June 2026 · Review: every 12 months

A short, practical process for handling personal data in line with the UK GDPR, the Data Protection Act 2018 and PECR (as amended by the Data (Use and Access) Act 2025). Keeping a documented process is itself part of compliance.

1. What personal data we hold

Data | Where it lives | Source
Enquiry data (name, email, phone, organisation, message) | Website contact form → email inbox / CRM | Website visitors
Client & membership records | CRM / accounting system | Clients
Website analytics (aggregated) | Analytics tool | Consenting visitors

2. Lawful basis

  • Enquiries: legitimate interests / pre-contract steps.
  • Clients & memberships: contract.
  • Marketing updates: consent (opt-in only).
  • Analytics cookies: consent (banner).
  • Tax/accounting records: legal obligation.

3. Retention

  • Non-converting enquiries: delete after 24 months of no contact.
  • Client/member records: keep for the relationship + 6 years (tax/legal), then delete.
  • Run a retention review every 6 months – diarise it.

4. Consent & cookies

  • Cookie banner (CookieYes) must offer “Accept all” and “Reject all” with equal prominence.
  • Analytics/non-essential cookies stay off until consent.
  • Google Analytics runs through Consent Mode v2.
  • Keep the banner’s consent log (CookieYes records this) as evidence of consent.

5. Handling a data-subject / access request (DSAR)

People can ask to access, correct or delete their data, object to its use, or withdraw consent.

  1. Log the request (date, who, what they want).
  2. Verify their identity (match against records).
  3. Respond within one calendar month (free of charge).
  4. Locate all their data across inbox, CRM and any provider.
  5. Provide / correct / delete as requested, and confirm in writing.
  6. If you refuse (rare), explain why and tell them they can complain to the ICO.

Single point of contact for requests: hello@thebuildroom.co.uk

6. Data breaches

  1. Contain it (change passwords, revoke access).
  2. Assess the risk to individuals.
  3. If there’s a risk to people’s rights, report to the ICO within 72 hours (ico.org.uk).
  4. If high risk, tell the affected individuals.
  5. Record what happened and what you did – even for breaches you don’t report.

7. Suppliers (processors)

Keep a short list of who processes data for you and check each has a privacy/processing agreement. Note any that process data outside the UK and confirm safeguards are in place.

Supplier | Purpose | UK or overseas
[Host] | Website hosting |
[Email provider] | Enquiries |
Analytics | Site analytics |
CookieYes | Consent management |

8. Quick compliance checklist

  • ☐ Privacy Policy published and linked in footer
  • ☐ Cookie Policy published and linked in footer
  • ☐ Cookie banner live with equal Accept/Reject
  • ☐ Analytics blocked until consent (Consent Mode v2)
  • ☐ Retention review diarised (6-monthly)
  • ☐ DSAR contact inbox monitored
  • ☐ Supplier list kept current
  • ☐ Consider whether ICO registration / data protection fee applies (check at ico.org.uk)

Note: This is an internal working document, not legal advice. Have it reviewed by a qualified adviser before relying on it.