Privacy Notice

At DPAS we’re committed to protecting, respecting your privacy and being transparent in everything we do.

This notice explains:

  • Who we are
  • When we collect your information from you
  • What type of personal information is collected from you
  • How we use your  information
  • How long we hold your  information
  • The situations where we may share your personal information
  • Controlling your personal information for marketing
  • Your data rights
  • Keeping your information safe
  • Keeping children safe
  • Links to other websites

We may change this policy from time to time so please check this page to ensure that you’re happy with any changes. 

Any questions regarding our privacy practices should be sent by email to: 

Nigel Gooding, DPO, Unit 14 Dunchideock Barton, Dunchideock, Exeter, EX2 9UA or

Questions for the DPO should be sent to

1. who are we?

In this notice, all references to “DPAS”, “we”, “our” and “us” are to be taken as references to Gooding&Co Ltd, trading under the name ‘Data Privacy Advisory Service’.

DPAS’s registration with the Information Commissioner’s Office as a Data Controller is number

We provide Data Protection Officer Services in accordance with Articles 37 to 39 of the UK and EU
General Data Protection Regulation (GDPR). We also provide Consultancy Services and
Training in the field of Data Protection more generally.

We promise at DPAS that your personal data shall be:

  • Processed lawfully, fairly and in a transparent manner;
  • Collected for specified, explicit and legitimate purposes and not further processed in a
    manner that is incompatible with those purposes (‘purpose limitation’);
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which
    they are processed (‘data minimisation’);
  • Accurate and, where necessary, kept up to date; every reasonable step will be taken to
    ensure that personal data that are inaccurate, having regard to the purposes for which they
    are processed, are erased or rectified without delay (‘accuracy’);
  • Kept in a form which permits identification of data subjects for no longer than is necessary
    for the purposes for which the personal data are processed (‘storage limitation’);
  • Processed in a manner that ensures appropriate security of the personal data, including
    protection against unauthorised or unlawful processing and against accidental loss,
    destruction or damage, using appropriate technical or organisational measures (‘integrity
    and confidentiality’).


The term “Personal Data” means any information relating to you that identifies you, or through which you can be identified, directly or indirectly. In particular, by reference to an identifier such as a name, an identification number, location data, or an online identifier to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.


The purpose of this Privacy Notice is to let you know how we process your Personal Data when you visit our website. This Privacy Notice therefore explains what Personal Data we collect from you and how we collect, use, store and disclose it when you use our website.

This Privacy Notice also contains information about your rights under applicable data protection legislation.

We are committed to compliance with data protection laws. We believe that ensuring data protection compliance is the foundation of trustworthy business relationships.

It is important that you read this Privacy Notice together with any other Privacy Notice we provide on specific occasions when we are collecting or processing Personal Data about you so that you are fully aware of how and why we are using your data. This Privacy Notice supplements the other notices and is not intended to override them.

4. How do we use your personal information now that we have collected it? 

We use personal information about you in connection with the following purposes:

Fulfilling your requests:

  • Respond to you following a DPO related request, concern or casework activity;
  • Provide you with the information, products and services that you have requested from us;
  • Complete any transaction you are undertaking with us;
  • Carry out our obligations arising from any contracts entered between you and us;
  • Allow you to participate in interactive features of our service, when you choose to do so;
  • Process a job application or enquiry and;
  • Meet a legal or statutory obligation.


Service improvements and account management:

  • To ensure that content from our site is presented in the most effective manner for you and
    for your computer;
  • To administer our site and for internal business administration and operations, including
    troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • To notify you about changes to our service;
  • To manage and operate your account with us.
  • We do not use profiling or automated decision-making tools.



  • Provide you with information, suggestions and recommendations about other goods and
    services we offer that are similar to those that you have already purchased or enquired about (unless you have opted out);
  • To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you, which may be based on your activity on our website(s) or the website of another DPAS company or third parties’ websites (the information we use
    for this purpose is collected using cookies and you can adjust your cookie settings by clicking on cookie settings on our website).
  • To contact you after you have entered a competition with DPAS online.
  • To contact you after you have voluntarily signed up to a free webinar or event.
  • Before getting in touch by telephone, we will always check against the Telephone Preference Service (TPS) and/or the Corporate Telephone Preference Service (CTPS),
    whichever is appropriate.
  • We never market to data subjects who have contacted us when acting in our capacity as a DPO.
  • If you no longer wish to be contacted for marketing purposes, please email: or click on the unsubscribe button at the bottom of the emails we


We will only use your Personal Data for the purpose we collected it and in accordance with the law.


We will not use your Personal Data for any other purpose without your prior consent. The only exception to this is if it is required or permitted by law, such as where it is necessary for the prevention, investigation, detection or prosecution of criminal offences or the enforcement of civil law matters.


The information we collect will change based on the reason we are processing your data. We will never collect more from you than we need.

Data Protection Officer

When you contact us in our capacity as DPO, we will collect whatever information is necessary to fulfil our legal obligation to you and our contract with our client.

This will typically include your name and some details about why our client was processing your data and information about whether you feel they are meeting their data privacy obligations towards you. We may ask for verification to prove who you are and what your relationship is with our client.

You have the right to contact us in regard to all issues related to processing of your personal data. This includes contacting us to exercise your rights under the GDPR. We are bound by confidentiality in the performance of this task, in accordance with the Data Protection Act 2018.

You can contact our Chief DPO, Nigel Gooding, to find out more about how we process your personal data in confidentiality, by emailing

Enquiring about our products and services or asking for our materials online

When you contact us enquiring about products, services, and events, we will collect whatever information is necessary prior to taking steps to enter into a contract with you. This information will typically include the name and place of work of key contacts in your organisation and their contact details.

We will also process any information you submit via our online forms. We may also process any other information that we have legitimately collected about you in relation to our other services (such as whether your business has paid for our training courses in the past) where this other purpose was known to you at the point of data collection. This information would only be processed in relation to engaging in a contract at your request.

Contacting you after a referral

When we contact you at the request of someone else, we will always tell you who we are and where we got your information from. We will do this as soon as is reasonably possible and no later than 28 days after first receiving your contact details. Wherever possible, we will ask the person referring you to us to make the introduction or to check with you whether it is ok for us to call you first.

The information that we will have processed prior to that point will be likely minimal and will include your name, job title/ place of work and a contact point such as an email or telephone number.

The lawful basis we rely on when contacting you about our products or services at the request of someone else will be different depending on the context. For the most part, it will be in our legitimate interest to do so, and you can request that we stop processing your data. Where you have agreed for us to get in touch, we will be doing so based on your consent and you can withdraw this at any time.

You apply for a job with us

If we advertise a job posting or you are interested in working as a contractor for us, we may process some of your personal data so as to take steps to enter into a contract with you. 

Typically, we will process your name, contact information and your CV and cover letter. Depending on the route you came into us, we may also look at your publicly available profiles in advance of an interview, such as a LinkedIn page or a professional Twitter account. We will also contact those you offered as a reference for you. 

If you let us know about a disability or health condition (or provide us with any other special category data), we will process this data under our legal obligations in relation to employment and equality laws.

If you are successful in your application and we want to offer you a job, we will process more information than this. To see our employee privacy notice, please contact

You enter a competition or you attend a free DPAS Privacy Pulse Webinar or Event

If you register to attend a free webinar or training event, we will process this data so we can send
you information about the webinar or event that you have registered to attend. To ensure the safety of individuals who attend our in-person events, we may also collect special category personal data, such as food allergies and accessibility requirements.

We will also let you know about future DPAS Privacy Pulse webinars and training courses under the lawful basis of legitimate interest.

If you enter a competition with DPAS, we will process this data so we can send you information
about the competition should you be successful. We will also let you know about future competitions, so you have a chance of winning again.

You use our website

Like many other websites, the DPAS website uses cookies. ‘Cookies’ are small pieces of
information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. They collect statistical data about your browsing actions and patterns and most do not identify you as an individual. 

However, some cookies and tagging/ tracking technologies that we use, such as Google Analytics, do let us know some information which may constitute personal data. An example of this is our Google Analytics Cookies that tell us about which of our pages a certain IP address accessed,
when and where it was accessed from. Consent is required for all cookies except essential cookies, and you can adjust your preferences using the preference centre tab displayed on the home page.

For more information on how to switch off cookies on your computer and about the cookies we use, please visit our full cookie policy.

You attend one of our training courses

DPAS will process the names, attendance dates, job title, and place of work data of attendees, per its obligations to fulfil the terms of the contract. If our contract is directly with the attendee, we will rely on the legal basis of contract to process this data. If our contract is with the employer, we will rely on the legal basis of legitimate interests to process this data. DPAS will maintain this data for 6 years after the course completion date, per industry best practice and the Limitation Act 1980. This data will be processed on our CRM for this purpose only. DPAS have a contract in place with this CRM provider. This data will also be shared with the trainer on the day of the course, who will have a contract with DPAS. To find out the identity of this trainer in advance of this information being shared, please contact

DPAS may process the payment details of the client, through our website and using our accounting provider, Xero Ltd. DPAS will maintain a record of this payment for six years, per its legal obligations under the Limitations Act 1980. Card payment details will not be retained beyond immediate use in the payment gateway. Payment status will be held on our CRM and accessed by limited DPAS employees for this purpose only. DPAS have a contract in place with Xero, whereby they and their sub-processors meet EEA standard adequacy arrangements. 

DPAS will process information relating to attendee transport, as per our legitimate interest to organise the logistics of the course. With your explicit consent, we may also need to process information relating to disabilities (in some circumstances) and dietary requirements for the same reason. DPAS will retain this information for up to a maximum of 30 working days post course completion. This data will be processed on our CRM for this purpose only.

DPAS and our trainers will access the names, of attendees, and any answer sheets and pass or fail status per our contractual obligation to award the CPD credits and BCS certificates. DPAS will also collate statistical evidence using this personal data to evaluate the effectiveness of training, to improve upon the courses and to assist DPAS in providing further advice to the Client. DPAS will keep this in an identifiable form for 1 year only, after which, any statistical conclusions will be kept in an anonymised format. This data will be stored on Arlo CRM for this purpose only. DPAS have a contract with this software provider. DPAS will also share the pass / fail status of attendees with the Continuing Professional Development body, where required to by contract.

DPAS offers accredited training courses, and to enable delegates to sit their chosen exams, DPAS must pass some personal information to the professional accrediting bodies. This will enable candidates to sit their exam and gain access to their BCS associate membership.

DPAS delivers accredited training courses for the Chartered Institute for IT – BCS. DPAS have signed a Provider Contract with the BCS which allows us to deliver the following BCS Certified training courses:

  • BCS Foundation Certificate in Data Protection
  • BCS Practitioner Certificate in Data Protection
  • BCS Practitioner Certificate in Freedom of Information

DPAS is not a Data Processor for, nor does it process personal data on behalf of the BCS.

Our BCS Accredited Training Provider status does not infringe upon our personal data collection practices. We will only share your personal information with BCS when we have to in order to fulfil our contract with you.

We share the delegate’s name and email address at their request when they inform us that they wish to sit a BCS exam. We only pass across these details once the delegate has confirmed the specific exam date (usually included within the classroom training course) and where applicable, have completed their exam prep and mock exam successfully. The BCS then contacts the delegate directly to create a log-in portal on their site. DPAS does not have access to the delegate portal.

We are required to provide the BCS feedback from delegates regarding courses they have attended. Delegates receive a feedback form at the end of their course, which enables us to fulfil our obligation to the BCS, and also allows us to improve the quality of our training services. We are grateful to all delegates that complete these forms, including giving your name to enable your comments to be used.

The BCS share your exam results (marks only) with DPAS as we are the Accredited Training Provider (ATP). This benefits us in a number of ways:

  • It enables us to monitor the success of our training
  • It helps us to improve the service we offer you
  • It allows us to maintain a record of exam results for our delegates

We will not share this information with any third party.

We become business associates/connections

If you are a business connection, for example, we meet you at a networking event, we will only collect the information you choose to provide to us which typically includes your name, company address, company telephone number and company email address. Our legal basis for processing your information is legitimate interests and we will retain it for 12 months following our last meaningful contact.

We contact you for marketing purposes

Where we have publicly found your contact details (e.g.,, we may send you business marketing information by email where we think you may be interested in our products or services.

Where we have a corporate email address for you which contains identifiable information (e.g., we may send you business marketing information by email, if we think your products or services may be of interest to you. We may also telephone you to discuss our products and services providing your telephone number is not listed on the Corporate Telephone Preference Service list (CTPS).

We may contact you after you have entered a competition we are running. We will generally provide you with information about further competitions should you have been unsuccessful, or discounts on DPAS products that you may be interested in. This will be processed under the lawful basis of legitimate interest, Article 6(1)(f) of the UK GDPR. If you’d like to stop receiving our emails simply click the unsubscribe button or get in touch with us.

We may contact you after you have registered to attend a free webinar or training event. We will generally provide you with information about further webinars or training events which you may be interested in. This will be processed under the lawful basis of legitimate interest, Article 6(1)(f) of the UK GDPR. If you’d like to stop receiving our emails simply click the unsubscribe button or get in touch with us.

You have the right to object, and if you do, we will respect your wishes and remove you from our mailing list, if this is the case, please email

We may share your information with:

  • Fresh Desk – Client ticketing system.
  • Hubspot – Client management system.
  • Arlo – Training management system.
  • WordPress – Website.
  • Xero – Invoicing software.
  • Survey Monkey – Feedback software company.
  • People HR – HR management software (employment purposes only).
  • Eventbrite – Event management.
  • Glasscubes – To share files securely.
  • Nalytics – To review raw data, from a range of file types to remove meta data to create a clean PDF image on the original file.
  • Supernormal – During meetings, we may make use of Supernormal. Supernormal takes notes during our meetings and formats them automatically, for all different use cases, using secure AI.

We may share your information with credit reference agencies and other companies for use in credit decisions and for fraud prevention.

We may share your information with third party contractors or organisations working with DPAS to fulfil supplier contracts.

We will only share information that is relevant to fulfilling your request. For example, if you are booked onto a DPAS training course, we will share your information with the course trainer. If you attend one of our in-person events, we will share your information with the venue provider, catering companies, and any other third-party that may be involved in hosting the event.

We may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation, or if we’re under a duty to disclose or share your personal data in order to comply with any legal obligation or to enforce or apply our terms of use or to protect the rights, property or safety of our staff and customers. However, we will take steps with the aim of ensuring that your privacy rights continue to be protected.

We operate internationally. As part of the services offered to you by DPAS, the information, which you provide to us may be transferred to countries outside the European Union (“EU”) and the European Economic Area (EEA). By way of example, this may happen if any of our servers are from time to time located in a country outside of the EEA. These countries may not have similar data protection laws to the UK. If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Privacy Notice.

We take appropriate technical and organisational measures to safeguard your personal information when transferring it outside the EEA as:

  • We only allow personal data to be processed in countries which the European Commission have confirmed have adequate protection for personal data (see European Commission: Adequacy of the protection of personal data in non-EU countries) and/or;
  • We enter into appropriate contracts which the European Commission have confirmed provide adequate protection for personal data (see European Commission: Model contracts for the transfer of personal data to third countries)
  • If you use our services while you are outside the EEA, your information may be transferred outside the EEA in order to provide you with those services.


The UK and EU GDPR, (our global standard of compliance) requires that a Controller must have a legal basis for processing Personal Data. In most instances, our legal bases for processing your personal information are:

  • Your consent, which you are able to remove your consent at any time. This can be done by contacting
  • We have a contractual obligation.
  • We have a legal obligation.
  • We have a vital interest.
  • We need it to perform a public task.
  • We have a legitimate interest.


You have a choice about whether or not you wish to receive marketing information from us.

You have the absolute right to object to us processing your personal information for marketing purposes and to withdraw your consent when that is the basis we rely on.

You can exercise these rights and change your marketing preferences at any time by contacting us by email:

Where we have your business, contact details (e.g., and no personally identifiable information, we may send your business marketing information by email where we think you may be interested in our products or services. Where we have a corporate email address for you which also contains identifiable information (e.g.: we may send your business marketing information by email if we think that our products and services may be of interest to you.

However, as stated above, you have the right to object and if you do, we will respect your wishes and we will not send you any further marketing material by email.


We will hold your data for no longer than we need it for. This will be context dependant on our relationship with you and why we are processing your data.  We may have legal (i.e., financial obligation) reasons to keep your data beyond its immediate use, but this will never be for longer than industry standard.

All DPO related casework will be held for a minimum of 6 years before being destroyed.

Where not already stated in this policy, you can view our retention schedule by contacting us directly.


We will never keep paper copies of any of your personal data.

We have a duty under law to keep all DPO casework confidential.  Only our trained DPO staff will review the information you have sent and ensure it is kept within the secure email system and secure ticketing software.

All DPO casework is password protected and securely held.

We use Google Cloud platform to store some personal information as it provides some of the best cyber security in the business. To read the detailed specification of how they keep your data safe, please click on the link below.

We use Arlo, Fresh Sales and Fresh Desk to manage potential customers and current customers
information. This system has servers in the EEA and your data will be hosted there.
When using a third-party service provider, we will conduct all the necessary due diligence checks to
keep your data secure. For example, when required under Article 35 of the UK GDPR, we will undertake a data protection impact assessment (DPIA) to document and mitigate any associate risks. For more information on this, please contact

Emails are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.

When sharing sensitive client details, we will use the platform Glasscubes. Glasscubes uses SSL encryption to keep data secure. Glasscubes is also accredited by UKAS with the ISO/IEC 27001 Information Security Management Systems certification and IASME Consortium with the Cyber
Essentials certification.

Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.


The accuracy of your information is important to us and, if the personal data we hold about you is incorrect, you have a right to have it rectified. We’re working on ways to make it easier for you to review and correct the information that we hold about you. In the meantime, if you change email address, or any of the other information we hold about you is inaccurate or out of date, please email us at:

You have the right to ask for access to a copy of the personal information DPAS holds about you. This is known as a Subject Access Request and there is no charge for this, providing the requests are not manifestly unfounded or excessive. We may ask you to provide ID before processing the request. Once in receipt of this, we will process the request without undue delay and within one month. You also have rights in relation to erasure, restriction, data portability and objections.  We do not use automated decision-making tools. If you would like to exercise your rights, please contact us at or on telephone number 01392 914019.

If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.

Our Chief Data Protection Officer is Nigel Gooding, and you can contact him at:

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO). Information about how to complain to the ICO can be found here: 

If any of your Personal Data changes whilst you are a user of our services, it is important that you update the information within your account to ensure that the data we hold about you is accurate and up to date. 


We protect the privacy of children aged under 18. If you are aged under 18‚ please get your parent/guardian’s permission beforehand whenever you provide us with personal information.

If we learn that we have collected the personal information of a child under the relevant minimum age without parental consent, we will take steps to delete the information as soon as possible, unless we have a legal obligation to process it, for example as part of our role as DPO. 

Parents who believe that their child has submitted personal information to us and would like to have it deleted may contact us at:


We reserve the right to update this Privacy Notice from time to time. Updates to this Privacy Notice will be published on our website. To ensure you are aware of when we make changes to this Privacy Notice, we will amend the revision date at the top of this page. Changes apply as soon as they are published on our website. We therefore recommend that you visit this page regularly to find out about any updates that may have been made.

This Privacy Notice was last updated on the 29th of September 2023.