As a business based in the UK we have both legal and moral obligations to comply with the letter and the spirit of the laws that affect our business. That is easy to say, but for a small business the compliance landscape is not always easy to navigate, mainly because our operating model means we have fewer than five employees, which exempts us from a number of recent Acts and Regulations. That should make life easy, and at one level it does, but procurement functions in large organisations rarely run a separate process for small suppliers. So, if you want to do business, you need a stated policy on a number of subjects, exempt or not.
There is, however, a more important reason for putting this page together. We have a view on a number of topics, and we want our clients, our suppliers and everyone who deals with us to hear and understand where we are coming from and what we stand for. Set out below are our policies and the views we hold dear:
The Modern Slavery Act 2015
As our turnover is a tad smaller than £36m we are exempt from the Act's requirement to publish an annual slavery and human trafficking statement. But we fully support the direction and purpose of the legislation, and, to the best of our ability, we take steps to satisfy ourselves that our corporate clients comply with it. Our business model does not rely on complex supply chains to meet our clients' needs, but we do exercise care when entering into supplier arrangements, including contractor arrangements.
Slavery of any type is wholly unacceptable to our values and our purpose.
General Data Protection Regulation (GDPR) (with effect from 25th May 2018)
This is a complex and demanding piece of EU regulation that, in effect, replaces the Data Protection Act 1998 in the UK (it has since been retained in UK law as the UK GDPR, alongside the Data Protection Act 2018). At its heart is the requirement that the personal data of anyone in the EU is protected, handled transparently, accessible to the individual on request, limited to what is relevant to the purpose, and erased on request. This covers data an organisation holds itself and data it transfers to, or has processed by, a third party.
Because we have fewer than 250 employees we are relieved of some of the GDPR's record-keeping obligations, but that is not an exemption from the Regulation: any organisation that processes personal data must comply with it, and, as the next paragraph explains, we do process some.
We hold information that is personal in nature about our clients while they engage us. When we mentor or coach, our clients share information that is intended for our ears and eyes only. We use that information to help our clients and, as none of us is superhuman, we have to record it somewhere.
Therefore we take the security and confidentiality of our clients' personal information extremely seriously. We trade on our reputation, and that rests on our personal professionalism and integrity. So, what steps do we take?
Under the GDPR, the lawful basis on which we hold personal data is "consent": the individual has given clear consent for us to process their personal data for a specific purpose. Our first action is therefore to obtain that consent from our clients. Normally we do this when entering into a non-disclosure agreement (NDA) with the client or their employer, which also governs how that personal data is collected, held and kept confidential.
We record client personal data in two forms: in a notebook during mentoring or coaching sessions, and digitally in cloud storage via an iMac or a MacBook Pro.
When we record client data in a notebook we use a code in place of the client's name to protect their identity. This is not foolproof, but it does make it harder to link the notebook's contents to an individual should a notebook be lost. Whilst we take considerable care over the custody of our notebooks, we cannot give a 100% guarantee that one will never be lost or stolen.
There are occasions when we capture personal data digitally. This raises two specific risks: unauthorised access and loss.
We use an iMac or a PC as our main processing machine and MacBook Pros or PC laptops as our portable, on-site machines. The machines are linked to cloud storage (Microsoft OneDrive, Google Drive or Apple's iCloud). All client data and the intellectual property of the business are stored encrypted in that cloud storage; no client data is deliberately kept on the machines' local drives.
Google Drive, OneDrive and iCloud give us replicated storage and backup against loss of a machine or its data.
Access to our machines is strictly controlled, both physically and logically. In addition to several layers of password protection, the machines operate within a VPN, run firewall, anti-virus and anti-malware protection, and are scanned regularly.
All emails are sent via the VPN.
A cyber-related and data security risk assessment is undertaken quarterly.
When a client engagement has ended and there is no longer a purpose for us to hold that client's personal data, it is erased from our systems, in both digital and written form.
No system is 100% secure, but for the risk levels associated with our business we believe we have taken reasonable steps to ensure that our clients' data is kept secure and used only for the purpose for which it was given.
Unless our clients have asked us to, we never divulge who our clients are. Whilst we name the sponsoring organisations for some client engagements on our website, we do not name any mentoring or coaching clients or discuss the details of our engagements.
Equality & Diversity
We passionately believe that the best solutions come from the contributions of as wide and diverse a range of sources as possible. Whilst we are a small team, we come from a range of backgrounds, professions and nationalities.
With regard to equality, we strive to treat everyone equally and with respect.
Supporting the environment and others
We have decided to donate 5% of our operating profit to selected charities. The specific charities, and why they were chosen, are set out on the Social Impact page, but here we want to be very specific about our core values and beliefs.
The whole purpose of Storm McQueen is to help others, so it would be unthinkable not to contribute to charities that focus on helping others.
We are realistic about what we can do to reduce the carbon footprint of operating our business, but where we can reduce it, we will.