GDPR Statement


The Data Protection Act 2018 came into force on 25 May 2018 (at the same time as the EU General Data Protection Regulation 2016), superseding the Data Protection Act 1998. Following Brexit, the UK adopted GDPR in full (commonly referred to as UK GDPR) and this impacts all organisations that control or process personal data. The legislation grants data subjects a range of rights, giving them more control over how their personal data is used. Organisations are subject to responsibilities and obligations, including the need to demonstrate compliance with the legislation.

What do we do to ensure compliance?

At Alcumus, we are committed to protecting and respecting the privacy of individuals and take our obligations under the legislation seriously.  To this end, we have appointed a voluntary data protection officer to oversee compliance.

Robust management systems – We manage personal data in accordance with the industry standards for ISO 27001, PCI DSS, and in some locations, in accordance with the Cyber Essentials Certification. Alcumus has adopted processes and policies which are ISO 9001 and ISO 27001 certified to ensure protection of personal data.

Business-wide awareness – We have mechanisms to ensure that our employees, associates and consultants are fully aware of Alcumus’ ongoing data protection obligations, (thus providing accountability and shared responsibility from Board level down and across our business). Compulsory data protection eLearning training is provided to all our employees, supplemented by in-depth, tailored face to face training where required.

What do we do to on a regular basis?

Alcumus processes personal data on behalf of our circa 40,000 customers, from large global brands through to SME businesses. We understand the importance of good data practices to our customers and are on hand to support our customers with this. Some of the specific measures that we have in place to ensure compliance with our data protection obligations include:

Data Review – We periodically conduct an extensive review of all personal data we hold and have a data roadmap which outlines where this data is held, why we hold it and for how long.

Contractual Compliance – We ensure all third parties who process data on our behalf are contractually required to comply with the legislation to ensure that we (and our customers) are protected. In addition to this, we have updated our current business terms and conditions following the UK’s transition out of the EU.

Processes – We have procedures to ensure we have the tools to maintain compliance with the legislation. This includes our appointed voluntary Data Protection Officer, and frequent reviews of our policies such as our data security and incident response plans.

Subject Access – We have clear subject access request processes to ensure that it is easier and quicker for data subjects to exercise their rights, and for Alcumus to respond efficiently to such requests in the statutory timescales.

Marketing practices – We ensure that our marketing practices are transparent, fair and compliant with the legislation. These practices are carefully followed by the Alcumus marketing team.

Range of data protection-related products and services – We provide a wide range of products and services to assist our clients in ensuring that they can establish and maintain GDPR compliant processes. This includes data governance modules in our software tools, provision of related template data protection impact assessments with guidance on product-specific considerations. We also provide our clients with advice on data retention and deletion, and impose robust security requirements (e.g., data encryption at rest) with software access controls.

If you have any queries regarding Alcumus’ data protection processes, please do not hesitate to contact our appointed Data Protection Officer at [email protected]

Suzie Chetri

Director of Legal and Compliance​