Privacy Policy
Data controller: PRISM Strategic Intelligence Limited (PRISM or the Company), 1 Manchester Square, London W1U 3AB
1. INTRODUCTION
This notice is provided pursuant to the Company’s obligations under the UK’s retained EU law version of EU General Data Protection Regulation 2016/679 (UK GDPR) and in line with the Data Protection Act 2018 (DPA).
It addresses the processing by the Company of personal data of the following categories of individuals.
Those who work for, or in association with, its clients, suppliers or contractors, advisers and consultants, or other third parties with whom it has or may be contemplating commercial dealings (Commercial Counterparties)
Visitors to its website (Visitors)
Individuals who apply for a position at the Company (Candidates)
Third parties whose data may be processed in the course of the provision of services to our clients (Other Individuals).
This notice does not apply to the personal data of PRISM’s employees.
The Company is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.
In processing personal data, we will comply with applicable data protection laws. In particular, we will take steps to ensure that your data will be processed in line with the following data protection principles.
Processed lawfully, fairly and transparently
Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
Relevant to the specified purposes and limited to those purposes
Accurate and, where required, kept up to date
Kept only as long as necessary for the relevant purposes
Kept securely
2. WHAT INFORMATION DOES THE COMPANY COLLECT?
The Company collects and processes a range of personal data. This may include some or all of the following information:
Commercial Counterparties
Contact details such as your name, title, job title, work address, work email, work telephone number(s), date of birth/age and gender.
Where we deem appropriate (including if you are self-employed/a sole trader), references and experience.
Visitors
Information about your use of our website including any interest in our services.
If you provide them to us, your contact details (e.g. name, title, address, email, telephone number(s)).
Candidates
Contact details such as your name, title, address, email, telephone number.
Any information we request relating to the discharge of our legal obligations (such as equal opportunities monitoring information etc.)
Any other information you provide when applying for a position, including the information contained in your CV (if submitted to us), in any written communications between you and PRISM, and information provided during an interview or otherwise in connection with your application.
Where relevant to your role and permitted in accordance with applicable law, information about criminal convictions or offences.
If your application is successful, prior to your starting work we will collect certain onboarding information from you, which may include passport number, National Insurance/social security number, bank details, emergency contact details, preferred pronouns, date of birth, nationality, gender, ethnicity, and allergies.
Other Individuals
Biographical and other factual details or expressions of opinion (based on reasonable evidence) relating to you or your profile.
Where relevant, such as to comply with its own legal or regulatory obligations, or to assist its clients in complying with theirs, or in relation to risk management processes or in connection with disputes, the Company may collect personal data comprised in so-called special categories, such as information about racial or ethnic origin, criminal offences or convictions, political opinions, or relating to health and lifestyle.
For more information, please refer to the section below headed “Special categories of personal data and criminal offences and convictions personal data.”
3. WHERE DOES THE COMPANY COLLECT THE INFORMATION FROM?
The Company collects this information from the following sources.
Commercial Counterparties
Forms completed by you or your employer/the relevant supplier at the start of or during our business relationship (e.g. when requesting our services or seeking a proposal from us (clients) or when registering with us as an interested supplier or responding to a request for proposal etc. (suppliers and contractors))
Correspondence with you
Over the phone, through meetings or in other communications with you or your employer/the relevant supplier
From social media
In some cases, the Company may collect personal data directly from its own research or from third parties, such as references and background checks, customer satisfaction surveys, and information from credit reference agencies
Visitors
When you provide it to us (e.g. by completing an enquiry form)
Candidates
When you provide it to us (e.g. by completing an enquiry form or by emailing us)
From third party recruitment agencies or platforms we may use
In some cases, the Company collects personal data directly from its own research or from third parties, such as references and background checks relating to qualifications, and information from the Disclosure and Barring Service (DBS) (or its equivalent) in relation to criminal records checks (where necessary and permitted by law)
Your references (if taken up)
Other Individuals
Mainstream public sources such as traditional and social media publications and platforms
Other publicly accessible but more specialised platforms (including ones that are paywall protected) such as records of litigation, overseas national, local and international traditional and social media publications and platforms, aggregated corporate etc. databases, other investigative sources such as specialist search engines, public records databases, electoral registers and databases of IP addresses and domain names
Specialised lists such as those relating to sanctions and politically exposed persons
Other organisations, including fraud prevention agencies
Our associates, advisers, and contractors and their respective business or other contacts
4. WHY DOES THE COMPANY PROCESS PERSONAL DATA?
We process personal data for the following purposes.
Commercial Counterparties
To provide our services to you or to receive services or products from you
To administer and manage your relationship with us, including in relation to current or potential requests, orders, supply chain opportunities or requirements
For conflict checks (only applicable to clients of PRISM)
In connection with invoicing
To enable us to carry out statistical and other analysis
To help us discharge and comply with our legal and compliance obligations
For our reasonable commercial purposes (including in connection with our risk management processes, insurance, quality control, administration and to help us develop and improve our services)
To confirm identities and carry out background checks, including as part of our checks in relation to anti-money laundering, compliance screening and to prevent, investigate or detect fraud and other crimes
To follow up after you request information or after we have delivered our services to see if we can provide any further assistance (only applicable to clients of PRISM)
In the context of a sale or potential sale of all or a relevant part of our business (subject to confidentiality obligations)
Where permitted by applicable law, for invitations to briefings and marketing communications
To manage service issues or customer complaints/feedback
For other lawful purposes associated with our relationship and/or our own operations
Visitors
To understand and respond to your interest in our website and/or services.
To improve and develop our website and/or services.
To protect our rights, interests and/or property (especially our intellectual property).
Candidates
To process your application and manage our interactions with you as a candidate.
Other Individuals
In the course of providing services to its clients, the Company may process personal data on individuals who are the subject of, or relevant to, those services. Those services include, but are not limited to, due diligence, business intelligence, political risk analysis, and strategic advice. Each of those services may be provided in connection with a range of client scenarios or requirements, including in the context of a client’s legal and regulatory compliance efforts, their business risk management, and any actual or potential disputes in which they may be involved.
The Company is not able to provide information directly to such individuals under article 14(1)-(4) of UK GDPR, as to do so would seriously impair the achievement of the objectives of that processing (as provided under article 14(5)(b)).
The Company processes all such data in accordance with its obligations under UK GDPR and the DPA, including taking appropriate measures to protect the individuals’ rights and freedoms and legitimate interests.
By this privacy notice, the Company complies with its obligation under article 14(5)(b) of UK GDPR to publicise that information.
5. WHAT ARE THE LAWFUL BASES FOR PROCESSING PERSONAL DATA?
Under UK GDPR, the lawful bases we rely on for processing your personal data are as follows.
Contractual necessity
This processing is necessary for the performance of our contract with you.
This basis applies predominantly to our processing of personal data provided by Commercial Counterparties and Candidates.
The Company often needs to process data to enter into a contract with you, your employer or a relevant supplier and to meet its obligations and access its rights under that contract.
Legal obligations
This processing is necessary so that we or our clients can comply with our/their legal obligations.
This may relate to compliance with health and safety laws, discrimination and equality legislation (including measuring and reporting on its compliance with diversity, equality and inclusivity standards) and other compliance-related legislation such as anti-money laundering, sanctions, and anti-corruption laws etc. as well as industry-specific regulatory regimes.
We may also be obliged by law or for security reasons to disclose personal data to a government or law enforcement agency, a competent court, or a regulatory body in response to a lawful request pursuant to a court order, subpoena, warrant, or similar legal mechanism having equivalent effect and authority.
In some cases, it may be necessary to carry out criminal records or other background checks to manage risk, to comply with legal or regulatory obligations, to satisfy external or internal compliance obligations, or to ensure that individuals are qualified or permitted to undertake the role in question.
This basis applies predominantly to our processing of personal data provided by Commercial Counterparties and Candidates.
Vital interests
The processing is necessary to protect your vital interests or those of another person.
This basis applies predominantly to our processing of personal data provided by clients of PRISM – for example, in connection with the provision of services relating to strategic risk management where there may be implications for the safety of individuals. It may also relate to our processing of personal data by certain of our suppliers and contractors where security and safety issues can arise in connection with their provision of services to PRISM.
Public interest
The processing is necessary in connection with the discharge of certain obligations or functions, or the provision of advice or services, that promote the public interest.
This basis applies predominantly to our processing of personal data in connection with services provided to clients (directly or via their legal advisers).
Data may be processed in support of our clients’ efforts to operate compliantly and in a manner that protects their reputation in the market and preserves public trust and confidence in them as organisations and in the industries and professions in which they operate. In connection with compliance and business risk management efforts, the processing helps them to avoid, or appropriately mitigate, third-party risk.
Such processing may relate to the strategic advisory and risk/political analysis services that we provide. In connection with such advisory and analytical services, the processing helps clients to take appropriate steps to operate viably and resiliently, creating a more solid and sustainable foundation for their continued operations.
Last, data may also relate to our services that are connected with actual or contemplated litigation. In connection with disputes and litigation, the processing may be necessary to protect, establish or exercise legal rights or remedies or to enable legal processes to be followed effectively (e.g. service of proceedings in connection with litigation).
In all such regards, the processing may also help us and/or our clients to avoid or mitigate legal liability.
Legitimate interests
This processing is necessary in connection with our legitimate interests or those of a third party (typically, a client of PRISM).
As with the use of personal data for reasons that are in the public interest, this basis also applies to our processing of personal data in connection with services provided to clients (directly or via their legal advisers).
This basis also includes processing of personal data in connection with modifications and improvements to our website or services and communicating with you about our services.
As with the public interest basis, using your personal data in connection with our own or our clients’ legitimate interests complements and enhances efforts to comply with legal and regulatory obligations and to promote risk management objectives.
It may relate to our services that are connected with actual or contemplated litigation. In connection with disputes and litigation, the processing may be necessary to protect, establish or exercise legal rights or remedies or to enable legal processes to be followed effectively (e.g. service of proceedings in connection with litigation).
Data may also be processed in support of our clients’ efforts to operate compliantly and in a manner that protects their reputation in the market and preserves public trust and confidence – in them as organisations, and in the industries, professions and sectors in which they operate. In connection with compliance and reputation management efforts, the processing helps them to avoid, or appropriately mitigate, third-party risk.
Last, data may be processed as part of the strategic advisory and risk/political analysis services that we provide. In connection with such advisory and analytical services, the processing helps clients to take appropriate steps to operate viably and resiliently, creating a more solid and sustainable foundation for their continued operations.
In all such regards, the processing may also help us and/or our clients to avoid or mitigate legal liability.
Where the Company relies on legitimate interests as a reason for processing data, it has considered whether those interests are overridden by your interests or your fundamental rights and freedoms which require protection of personal data and has concluded that they are not.
The Company has conducted a legitimate interests assessment in support of its reliance on this lawful basis.
Consent
The processing is carried out pursuant to your express consent.
We will rarely rely on this basis. It may be relevant to website Visitors in some circumstances. If we do seek your consent, we will do so clearly and transparently. We will ensure the process by which we obtain it means your consent is freely given, specific, informed and unambiguous. If you give your consent and later change your mind, you are allowed to withdraw or modify your consent. You can do this at any time by emailing us at [email protected].
5.1. Special categories of personal data and criminal offences and convictions personal data
The Company will only process special categories of personal data or personal data relating to criminal offences and convictions where the law allows it to do so. This will usually be where such processing is necessary to carry out the Company’s, or to help its clients meet their own, obligations in relation to legal or regulatory compliance or for other substantial risk management reasons.
We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing such data.
5.1.1. Special categories of personal data
The following are special categories of personal data under UK GDPR: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data that identifies an individual, health data or data about a person's sex life or sexual orientation.
The Company may process special categories of personal data for the following reasons. In all cases, where applicable on the facts, the processing of such personal data may also be carried out for other purposes as permitted by UK GDPR and the DPA or other applicable legislation.
Commercial Counterparties
The processing will predominantly be for reasons of substantial public interest such as equal opportunities monitoring, or if the processing is necessary for the establishment, exercise or defence of legal claims.
Visitors
We do not process any such data.
Candidates
We may process such data to help us comply with legal obligations, for health and safety purposes or to help us identify and monitor equality of opportunity or treatment.
Other Individuals
The special categories of personal data that may be processed in respect of Other Individuals are most likely to fall under the headings of racial or ethnic origin, political opinions, or religious or philosophical beliefs.
The processing will predominantly be for reasons of substantial public interest such as the prevention or detection of unlawful acts, protecting the public against dishonesty, complying with regulatory requirements relating to unlawful acts or dishonesty, preventing fraud, or for insurance purposes.
The processing of such personal data may also be necessary for the establishment, exercise or defence of legal claims.
5.1.2. Criminal offences and criminal convictions data
The Company may process criminal offences and criminal convictions data for the following reasons. In all cases, where applicable on the facts, the processing of such personal data may also be carried out for other purposes as permitted by UK GDPR and the DPA or other applicable legislation.
Commercial Counterparties
The processing will predominantly be for reasons of substantial public interest such as the prevention or detection of unlawful acts, protecting the public against dishonesty, complying with regulatory requirements relating to unlawful acts or dishonesty, preventing fraud, or for insurance purposes.
The processing of such personal data may also be necessary for the establishment, exercise or defence of legal claims.
Visitors
We do not process any such data.
Candidates
We may process such data to help us comply with legal or regulatory obligations, including in connection with the prevention or detection of unlawful acts, protecting the public against dishonesty, complying with regulatory requirements relating to unlawful acts or dishonesty, preventing fraud, or for insurance purposes.
Other Individuals
The processing will predominantly be for reasons of substantial public interest such as the prevention or detection of unlawful acts, protecting the public against dishonesty, complying with regulatory requirements relating to unlawful acts or dishonesty, preventing fraud, or for insurance purposes.
The processing of such personal data may also be necessary for the establishment, exercise or defence of legal claims.
6. WHERE DOES THE COMPANY STORE THE PERSONAL DATA AND WHO HAS ACCESS TO THE PERSONAL DATA?
Data is stored in a range of different places, including in our client and supplier databases, in our IT systems (such as the Company's email system and drives). Appropriate security and access restrictions are applied according to the personal data and the purposes of the processing.
Commercial Counterparties
Your information may be shared internally with managers in the business and other staff where access to the data is necessary in connection with the performance of their roles.
The Company typically only shares your data with third parties where it is necessary for logistical or operational purposes (such as supply chain management so that they can provide services to us that involve them processing your personal data, which may include, for example, IT service providers) or to obtain references, carry out background checks, or to obtain necessary criminal records checks (where applicable and permitted) or to take external advice regarding a current or contemplated relationship.
We may share your personal data with other data controllers, including your employer, based on our legitimate interests, our contract with you or your employer or the relevant supplier, or to meet our legal obligations.
The Company may also share your data with the appropriate authorities to report suspected offences or with other third parties for the purposes of enforcing its legal rights.
The Company may share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
Visitors
Your information may be shared internally with managers in the business and other staff where access to the data is necessary in connection with the performance of their roles.
The Company may also share your data with the appropriate authorities to report suspected offences or with other third parties for the purposes of enforcing its legal rights.
The Company may share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
The Company will not otherwise share your data with third parties.
Candidates
Your information will be shared internally with members of the human resources team and may be shared with relevant managers in the business in connection with assessing and processing your application.
The Company may share your data with the appropriate authorities to report suspected offences or with other third parties for the purposes of enforcing its legal rights.
The Company will not otherwise share your data with third parties except in connection with necessary background checks (where applicable and permitted) or to check references.
Other Individuals
Your information will be shared internally with members of the client consulting team where access to the data is necessary in connection with the performance of their roles.
Your information may be shared with PRISM’s clients on a confidential and discreet basis in connection with the provision of our services. It may also be shared with our clients’ professional advisers who have, themselves, a lawful basis for processing the data, and with our associates, advisers, and contractors where they are involved in assisting us in the provision of such services.
Where we use associates, advisers or contractors to provide services to us or to assist us in providing services to our clients, such parties generally process your personal data on our behalf (i.e. as sub-processors, not controllers). We ensure that the processing of personal data by our contractors is done pursuant to appropriate contractual arrangements.
The Company may also share your data with the appropriate authorities to report suspected offences or with other third parties for the purposes of enforcing its legal rights.
The Company may share your data with third parties in the context of a sale of some or all of its business. In those circumstances the data will be subject to confidentiality arrangements.
6.1. International transfers
Commercial Counterparties
The Company does not routinely transfer personal data of individuals working for its Commercial Counterparties to countries outside the UK. Periodically, as a matter of operational necessity, personal data may be shared with clients or suppliers who are located in jurisdictions other than the UK or the EEA.
If, exceptionally, personal data were required to be transferred routinely outside the UK, it would only be transferred if the Company was satisfied it would be protected in line with the requirements of applicable data protection laws. The most common bases for satisfying those criteria are that the data protection laws in place in the relevant territory have been assessed as providing an adequate level of protection for personal data or, where there is no such assessment, that appropriate safeguards have been implemented. Examples of such safeguards include the execution by the Company of binding corporate rules or the entry by the Company and transferee into approved standard data protection clauses.
Visitors
The Company does not routinely transfer personal data of Visitors to countries outside the UK. Periodically, as a matter of operational necessity, the Company’s staff may need to access Visitor personal data whilst travelling on business. But the personal data, whilst accessed remotely, remains on servers located in the UK or the EEA.
Candidates
The Company does not routinely transfer personal data of Candidates to countries outside the UK. Periodically, as a matter of operational necessity, the Company’s HR staff or senior team may need to access Candidate personal data whilst travelling on business. But the personal data, whilst accessed remotely, remains on servers located in the UK or the EEA.
Other Individuals
The Company does not routinely transfer personal data of Other Individuals to countries outside the UK. Periodically, as a matter of operational necessity, Other Individuals’ personal data may be shared with clients or suppliers who are located in jurisdictions other than the UK or the EEA.
If, exceptionally, personal data were required to be transferred routinely outside the UK, it would only be transferred if the Company was satisfied it would be protected in line with the requirements of applicable data protection laws. The most common bases for satisfying those criteria are that the data protection laws in place in the relevant territory have been assessed as providing an adequate level of protection for personal data or, where there is no such assessment, that appropriate safeguards have been implemented. Examples of such safeguards include the execution by the Company of binding corporate rules or the entry by the Company and transferee into approved standard data protection clauses.
7. HOW DOES THE COMPANY PROTECT DATA?
The Company takes the security of personal data seriously. We employ appropriate organisational and technical security measures designed to protect your data from loss or misuse.
The Company has internal policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by its employees or authorised third parties in the performance of their duties.
Our IT systems have tiered access levels and restrictions. Access levels are assigned according to the person’s position and their tasks, and the extent of each person’s access is periodically monitored and reviewed.
A copy of/relevant extracts from the Company’s Data Protection Policy and its Information Security Policy and Procedures are available on request.
Where the Company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
8. FOR HOW LONG DOES THE COMPANY KEEP DATA?
We will only keep personal data for as long as reasonably necessary in relation to the purposes described in this Privacy Notice.
To determine the appropriate retention period for personal data, we particularly consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the data, the purposes for which we process the data and whether we can achieve those purposes through other means, and applicable legal requirements.
The periods for which different categories of personal data are held are set out in the Company’s Data Retention and Deletion Policy. We can provide relevant extracts/details on request.
Commercial Counterparties
Generally, we will retain personal data for the duration of the relationship and for a reasonable period after that relationship ends, which will generally be not less than 6 years.
Visitors
Generally, we will delete the personal data received via our website within 12 months.
Candidates
Generally, we will delete your personal data 24 months after your application process has come to an end (assuming you do not become an employee). We may retain it for longer with your agreement – for example, if you would like to remain on our database in case new positions become available.
If you become an employee of the Company we will retain your personal data in accordance with the terms of our privacy notice relating to employees.
Other Individuals
The retention period of personal data will depend on the purposes for which the data is processed. In that regard, relevant factors may include the context of the services, the nature and the character of the role fulfilled by the relevant individual, and whether the personal data are processed in connection with efforts to comply with legal and regulatory obligations, in relation to legal proceedings (including taking advice in contemplation of the same), or for other reasons of public interest.
9. YOUR RIGHTS
As a data subject, you have a number of rights. Subject to the provisions of UK GDPR, you can do any of the following.
Access and obtain a copy of your data on request
Require the Company to change incorrect or incomplete data
Require the Company to delete your personal data – for example, where the data is no longer necessary for the identified purposes of processing
Require the Company to temporarily cease further processing of your data – for example, if you want us to establish its accuracy or the reason for processing it
Object to the processing of your data where the Company is relying on its legitimate interests as the lawful basis for processing
If you would like to exercise any of these rights, please contact us at [email protected].
10. HOW TO COMPLAIN
If you are not satisfied with any response to a request by you to exercise your rights (as above) or if you believe that the Company has not complied with your data protection rights, you can make a complaint to us at [email protected].
If your complaint is not properly handled, you may also complain to the Information Commissioner’s Office.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
PRISM is registered with the ICO under reference: ZB386597
11. WHAT IF YOU DO NOT PROVIDE PERSONAL DATA?
We may require your personal data described in this notice to allow us to comply with our legal obligations or in connection with our contractual obligations to you or your employer/the relevant supplier.
If you fail to provide certain information when requested, we may be prevented from fulfilling those obligations or from otherwise corresponding with you or from effectively managing our relationship with you.
If you do not provide the requested information, this will hinder the Company's ability to administer the rights and obligations arising as a result of the business relationship.
12. AUTOMATED DECISION-MAKING
We do not take decisions relating to any person covered by this notice based on automated decision-making.
If this position changes such that we start to use automated decision-making with legal or similarly significant effects on you, we will inform you in advance. If such automated decision-making is not authorised by legislation or not necessary for the performance of or entering into a contract with us, we will ask for your consent.
You can express your opinion on or contest any decision that is based solely on automated processing, as well as request a manual decision-making process instead, by contacting us using the contact details provided.
Date: 11 March 2025