top of page

Privacy & Data Protection Policy

This policy

This document sets out Epion Consulting Limited’s (Epion’s) Privacy & Data Protection Policy.  While Epion controls and processes data in the UK, the policy applies to all Epion activities, regardless of the geography in which they are undertaken.  The policy has been prepared by Nick Smith (Director), formally approved at board level (2nd September 2020) and is reviewed (and, as appropriate, updated) annually with the next review and update to be completed by 31st August 2021.

Policy purpose

This policy has been developed, and is applied, so that Epion

  • Complies with the law

  • Follows good practice

  • Protects clients, our people, and other individuals

  • Protects the organisation


Types of data 

Epion is a data controller for personal information such as name, business, role, email address, telephone number, business address, and on occasion bank details (for payment of invoices), and notes of contacts with individuals.  Epion does not, and will not, hold or process special category data.

Policy statement

Epion will at all times use all reasonable endeavours to:

  • Comply with both the law and good practice

  • Respect individuals’ rights (including those defined within GDPR)

  • Be open and honest with individuals whose data is held

  • Provide training and support for staff who handle personal data, so that they can act confidently and consistently in line with this policy

  • Notify the Information Commissioner voluntarily, even if this is not legally required, in the event of any breach


Data risks

Epion identifies two key risks relating to personal data:

  • Information about data getting into the wrong hands, through inadequate security or inappropriate disclosure of information

  • Individuals being harmed through data being inaccurate or insufficient


To mitigate these risks, Epion will:

  • Annually undertake a cyber-security assessment and sustain appropriate certification for its information security

  • Encrypt and password protect all personal data held on its systems 

  • Annually review its adherence to data protection legislation and amend policy and practice as appropriate

  • Include data protection and information security in initial staff induction and annual staff refresher briefings



The following are key roles and responsibilities in regard to data protection:

  • Epion Director(s): Ensuring Epion complies with legal obligations and that this policy is annually reviewed, current, and applied

  • Data Protection Officer: Nick Smith (Director) is the nominated Data Protection Officer, in which role he is responsible for:

    • Briefing the Board on Data Protection responsibilities

    • Reviewing Data Protection and related policies

    • Advising Epion people on Data Protection issues

    • Ensuring that Data Protection induction and refresher training takes place

    • Notification to the ICO

    • Handling subject access requests

    • Approving unusual or controversial disclosures of personal data

    • Approving contracts with Data Processors

  • Epion people (consultants and any others): all Epion people are required to read, understand and accept this policy (and related policies and procedures) that relate to the personal data they may handle in the course of their work


Ensuring adherence to the policy is the responsibility of Epion’s Director(s).  Failure to adhere will result in sanctions ranging from warning to termination of contract dependent on scale of breach and any repeated failure to adhere.

Data retention and storage

Data is retained for no more than the maximum allowable of:

  • Legal constraints (eg CVs no longer than six months without express permission)

  • A period of ongoing active relationship with the individual to whom the data pertains

  • Five years.


Data will be deleted from live systems on as required by the above policy on an annual basis.


Data is stored encrypted and password protected on Epion systems, and by third parties providing data processing services to Epion (eg Microsoft, Xero).



Epion wants Data Subjects to be aware that their data is being processed and why, and of their rights.  This is also addressed in the website privacy statement and automatically applied Epion email signatures.  These are the following:

  • The right to access:

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to object to processing

  • The right to data portability


Lawful basis

Epion holds data on the following basis:

  • Legitimate interest for those with whom there is no contractual relationship: these include individuals who have expressed or who have an interest in the challenges that Epion’s services address

  • Contractual: these are individuals whose data must be held if Epion is to deliver its contractual obligations


Epion provides individuals with the option to opt out of their data being used for particular purposes.


Contacting Epion

Epion can be contacted in regard to data protection at, on 07484 194207, or in writing to the registered office.

Complaints and concerns

Complaints or concerns that individuals feel Epion has not satisfactorily addressed, can be raised by contacting the Information Commissioner’s Office (ICO) the UK data protection regulator / supervisory authority.  Details of how to contact the ICO are set out on the ICO website.


Nick Smith


bottom of page