GDPR Statement

Prism Business Consulting are committed to ensuring that your privacy is protected, and we strictly adhere to the provisions of all relevant Data Protection Legislation, including GDPR, ensuring all personal data is handled in line with the principles outlined in the regulation that state:
Personal data shall be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Prism Business Consulting respect our clients’ rights to data privacy and protection and as such we have revised our internal policies, procedures and working practices in order to meet the requirements of the GDPR.

We place a high priority on protecting and managing data in accordance with accepted standards and indeed helping our clients utilise our products and services to the same end.
Prism Business Consulting is committed to compliance with the GDPR and our senior Partner/Director has assumed the responsibility for data protection to ensure compliance on an ongoing basis.

Prism Business Consulting welcomed the introduction of GDPR in May 2018 and is compliant. We take information security seriously, including any obligations as a personal data processor or controller.
Prism Business Consulting already holds all client data inside the European Economic Area (EEA) or to equivalent standards, as set out in the original UK Data Protection Act.


Prism Business Consulting has examined its obligations under GDPR as a:

  • data controller of its own employee data;
  • potential data controller or processor of third party data such as activity relating to marketing, and industry or Consortium communications;

An outline of our GDPR compliance arrangements is set out below.

Compliance arrangements

  • Prism Business Consulting collects personal data only for specific purposes and does not keep personal data once its purpose is fulfilled.
  • Personal data that we hold is pseudonymised, usually by encryption.
  • We are not required to appoint a Data Protection Officer but will review this decision if future growth necessitates it. In the meantime, our senior Partner/Director maintains overall responsibility for GDPR compliance.
  • Breaches of personal data in usable form will be reported to the correct supervisory authority. This forms part of our Information Security Management System (ISMS) Incident Response Plan.
  • Should we undertake the relevant processing of personal data, suitable records will be kept and presented to the supervisory authorities upon request. Currently no relevant processing occurs.
  • Data protection is designed into our services and products (“data protection by design and default”) as part of our comprehensive ISMS.
  • Individuals and employees can exercise any of their rights to erasure, portability, rectification and subject access by contacting Prism Business Consulting at our UK office using the means set out on our contact page.

Derogations and exceptions

Prism Business Consulting has fewer than 250 employees, and any data processing is not likely to result in a risk to the rights and freedoms of data subjects, is occasional, and does not include any “special categories” of data. This severely limits our obligation to hold processing records, though we are committed to doing so wherever this will best serve stakeholders.

Prism Business Consulting relies on “alternatives to consent” (Article 6(1)) for almost all data processing activities. This is because almost all personal data we hold is one of:

  • a contract with the individual or to fulfil obligations under an employment contract;
  • compliance with a legal obligation;
  • legitimate interests including commercial benefit (Article 6(1)(f)), and not outweighed by harm to the individual’s rights and interests.