Applicable to: All employees and associates within Common Ground
Effective from: January 2025
To be reviewed by: January 2026
Versions: Version 3 – December 2025
We use a variety of data about identifiable individuals in our everyday business, including:
In collecting and using this data, we are subject to legislation that controls the activities we may carry out and the safeguards we must put in place to protect it.
The purpose of this policy is to set out the relevant legislation and to describe the steps Common Ground is taking to ensure that we comply with it.
This policy applies to all systems, people and processes that constitute our information systems, including directors, employees, suppliers and other third parties who have access to Common Ground systems.
1.1 How we collect and use your personal data
As part of our day-to-day business we may collect and store the following information:
Name;
Job title and the type of business you operate or work in;
Business address;
Telephone number and email address;
Business bank or building society account details and credit or debit card information.
We may also collect other information about you for research purposes; see The Common Ground Network, 1.3, below.
We collect personal information when you provide it to us, for example during normal business transactions conducted by email, telephone, post and in person, and via briefs, purchase orders, business enquiries and other documents that you supply to us and that we require in order to provide our services.
When you use our website, we may collect the following information:
Your IP Address;
Device and other tracking information, such as browser information, device identifiers, operating system, geolocation or information gained from cookies.
Except as set out in this policy, we do not give your information to third parties without your prior written consent.
1.2 How we use general personal information
Authorised employees, agents, suppliers and subcontractors may have access to your personal information for the following purposes:
1.3 The Common Ground Network
Common Ground collects additional personal data via its opt-in Network. Here, subjects explicitly agree to participate in our surveys, focus groups, interviews and reader activities. In order to participate, members of the Network give us written consent to participation and confirm that they are at least eighteen (18) years old. Participation may be video or audio recorded so that those staff members of Common Ground and its clients who cannot be present can review the activity at a later time and benefit from the feedback. Network members will be notified in advance of, and may opt out of, any study that requires audio or video recording; a recording of an identifiable person is itself personal data and is handled under this policy.

Common Ground undertakes to Network members that their personal data will be kept strictly confidential between Common Ground and its consultants, other service providers and clients. Except as set out in this privacy policy, their personal information will not be disclosed other than internally within Common Ground and to its consultants and other service providers, as necessary for them to provide Common Ground with the services required to offer, run and improve the Network. Common Ground will, wherever possible, anonymise all information provided by subjects, including personal data.

By participating in the Network, members direct Common Ground to share Aggregated Information with our clients for any purpose permitted by applicable law. “Aggregated Information” means information that is (a) anonymous under applicable law, not attributable to an individual and not capable of being reverse-engineered, and (b) where derived from data, combined with other data in a manner that ensures it does not identify and is not capable of identifying any user, household, browser, application, computer or device.
Personal data is retained by Common Ground for no longer than is necessary; it is reviewed regularly and destroyed when it is no longer in use.
1.4 Cookies
Like most websites, we use cookies to track use of the website. Cookies and the identifiers they carry can be online identifiers (see the definition of personal data in 2.2), so we use them only to obtain statistical data that allows our website to work properly and shows us where we can improve; we do not use them to identify you or link them to the personal information described in 1.1. From time to time we may use third-party cookies for analytics tracking, such as Google Analytics; the resulting data is not linked to any other personal information we hold about you.
For further information about cookies and how they work, visit http://www.allaboutcookies.org/. You can set your browser not to accept cookies and the above website tells you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.
2.1 The General Data Protection Regulation (GDPR)
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are among the most significant pieces of legislation affecting the way we carry out information processing activities. Significant fines may be levied where an infringement of the GDPR is found to have occurred (see 2.9). It is our policy to ensure that our compliance with the GDPR and other relevant legislation is always clear and demonstrable.
2.2 Definitions
There are 26 definitions listed within Article 4 (Definitions) of the GDPR and it is not appropriate to reproduce them all here. However, the most fundamental definitions are as follows:
Personal data is defined as: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Processing means: “Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Controller means: “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
2.3 Principles relating to processing of personal data
There are several fundamental principles upon which the GDPR is based. These dictate that personal data shall be:
We must ensure that we comply with all of these principles in both the processing we currently carry out and as part of the introduction of new methods of processing, such as new IT systems. The operation of an information security management system (ISMS) that conforms to the ISO/IEC 27001 international standard is a key part of that commitment.
2.4 Rights of the individual
The data subject also has rights under the GDPR. These consist of:
Each of these rights must be supported by appropriate procedures within Common Ground that allow the required action to be taken within the timescales stated in the GDPR. These timescales are shown in Table 1. Note that Article 12(3) requires a response to any request under Articles 15 to 22 without undue delay and in any event within one month of receipt; this may be extended by a further two months where requests are complex or numerous, provided the data subject is told of the extension, and the reasons for it, within the first month.

| DATA SUBJECT REQUEST | TIMESCALE |
| --- | --- |
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right of access | One month |
| The right to rectification | One month |
| The right to erasure | Without undue delay |
| The right to restrict processing | Without undue delay |
| The right to data portability | One month |
| The right to object | On receipt of objection |
| Rights in relation to automated decision making and profiling | Not specified |

Table 1: Timescales for responding to data subject requests
2.5 Consent
Unless another lawful basis under Article 6 of the GDPR applies, consent must be obtained from a data subject to collect and process their personal data. Where online services are offered directly to a child, the consent of the holder of parental responsibility must be obtained for children below the age of 16 under the EU GDPR, or below the age of 13 under the UK GDPR and the Data Protection Act 2018. Transparent information about our use of their personal data must be provided to data subjects at the time consent is obtained, and their rights regarding their data explained, including the right to withdraw consent at any time. This information must be provided in an accessible form, written in clear language and free of charge.
If the personal data is not obtained directly from the data subject, then this information must be provided within a reasonable period after the data is obtained and definitely within one month.
2.6 Privacy by design
We have adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more privacy (also known as data protection) impact assessments.
The privacy impact assessment will include:
We will consider the use of techniques such as data minimisation and pseudonymisation where applicable and appropriate.
2.7 Transfer of personal data
Transfers of personal data outside the UK (or, for data subject to the EU GDPR, outside the European Economic Area) must be carefully reviewed before the transfer takes place to ensure they fall within the limits imposed by the GDPR. Whether a transfer is permitted depends partly on whether the receiving country has been found to provide adequate protection for personal data (by adequacy regulations made by the Secretary of State under the UK GDPR, or by an adequacy decision of the European Commission under the EU GDPR), and these findings may change over time.
It may be necessary for specific contractual terms to be used to cover international transfers. Where possible, these should be based on the standard terms approved by the relevant authority: the International Data Transfer Agreement (IDTA), or the UK Addendum to the European Commission's Standard Contractual Clauses (SCCs), for transfers under the UK GDPR, and the Commission's SCCs for transfers under the EU GDPR. A transfer risk assessment of the laws and practices of the destination country should accompany these terms.
2.8 Data protection officer
A Data Protection Officer (DPO) must be appointed under the GDPR where an organisation is a public authority, where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of personal data or data relating to criminal convictions and offences. The DPO must have an appropriate level of expertise in data protection law and practice and can either be an in-house resource or outsourced to a service provider.
2.9 Breach notification
It is our policy to be fair and proportionate when considering actions to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority (the Information Commissioner's Office in the UK) will be informed without undue delay and, where feasible, within 72 hours of our becoming aware of it. Where the breach is likely to result in a high risk to individuals, the affected data subjects will also be informed without undue delay. All personal data breaches, including those not notified to the supervisory authority, will be documented together with their effects and the remedial action taken.
Under the GDPR the relevant supervisory authority has the power to impose fines of up to 4% of annual worldwide turnover or 20 million euros (£17.5 million under the UK GDPR), whichever is the higher, for infringements of the regulations.
2.10 Addressing compliance to the GDPR
The following actions are undertaken to ensure that Common Ground always complies with the accountability principle of the GDPR, including maintaining a record of processing activities (Article 30) that documents:
o Organisation name and relevant details
o Purposes of the personal data processing
o Categories of individuals and personal data processed
o Categories of personal data recipients
o Agreements and mechanisms for transfers of personal data to countries outside the UK or EEA, including details of the controls in place
o Personal data retention schedules
o Relevant technical and organisational controls in place
These actions will be reviewed on a regular basis as part of the management review process of the information security management system.