Redwood Consulting Data protection policy

Revised: May 2020


  1. Redwood Consulting [Redwood] needs to gather and use certain data about individuals and companies and their projects in the course of its business. This can include our staff and suppliers, clients, business contacts, and other people we have a relationship with or need to contact. It can also include limited and justified use of personal data specifically for the purpose of public consultation.
  2. This policy describes how this personal data must be collected, handled and stored to meet our data protection standards, and to comply with the law.

Data protection regulation

  1. Redwood is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation 2016/679 (GDPR). This applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This applies equally to hard copies of files and digital resources.
  2. Article 5 of the GDPR requires that personal data shall be:
    1. processed lawfully, fairly and in a transparent manner;
    2. collected for specified, explicit and legitimate purposes;
    3. adequate, relevant and limited to what is necessary;
    4. accurate and where necessary kept up to date;
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed; and 
    6. processed in a manner that ensures appropriate security of the personal data.

General provisions

  1. This policy applies to all personal data processed by Redwood.
  2. This policy shall be reviewed at least annually.
  3. Separate policies shall be produced and regularly reviewed to cover the company’s human resources and public affairs functions. They shall comply in every particular with this overarching data protection policy.
  4. All Redwood staff will be informed about this data protection policy and its principles, and will be required to confirm that they have read and understood it.


  1. All Redwood staff have responsibility for ensuring that data is collected, stored and handled in compliance with the law and this policy. They shall have appropriate training to support them in this requirement.
  2. The company shall designate a data protection [officer/representative]. They must be appropriately supported in that role, sufficiently independent, and free from conflicts of interest in connection with the use of personal data. They shall:
    1. advise the board on data protection responsibilities, risks and issues;
    2. review all data protection procedures and policies in line with an agreed schedule;
    3. arrange data protection training and advice for staff;
    4. handle data protection questions from staff; and
    5. review data processing agreements from suppliers and for clients.
  1. People have the legal right to undertake a data subject access request (DSAR) to understand what data Redwood holds about them. The human resources data protection policy shall outline how these requests are to be processed.

Lawful purposes

  1. All personal data processed by Redwood must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interest, public task or legitimate interests. The basis on which Redwood will process that data must be made clear at the point of collection.
  2. Where consent is the lawful basis for processing data, evidence of opt-in consent shall be stored with the data.
  3. Where consent is the lawful basis for processing data, the option to revoke consent should be clearly available and immediately processed if required.

Proportionate data collection

  1. Redwood will ensure that personal data collection is directly relevant and limited to that necessary for the purpose for which it is processed.


  1. Redwood will take reasonable steps to ensure personal data is accurate.
  2. Where necessary for the lawful basis on which the data is processed, steps shall be put in place to ensure that personal data is kept up to date.


  1. Personal data held on behalf of clients must be returned to the client or destroyed at the conclusion of the contract, unless otherwise required by law. Redwood will inform its clients of this.
  2. To ensure that personal data is kept for no longer than necessary, the human resources and public affairs data protection policies shall specify for how long personal data will be stored and how that will be reviewed.
  3. There shall always be a presumption in favour of the deletion of personal data.


  1. Redwood will ensure that personal data in digital form is stored securely using modern software, and that this software is kept up to date.
  2. Redwood will ensure that personal data stored on paper or on removable storage media is kept in a secure place where unauthorised people cannot see it. When not being used, it should be kept in a locked storage unit.
  3. Access to personal data shall be limited to personnel who require access for the purpose for which the data is collected and processed. Appropriate protections for that data, both physical and digital, shall be put in place.
  4. When personal data kept on paper is disposed of, it should be securely shredded.
  5. When personal data kept in digital form is deleted, this should be done in such a manner that the data cannot be recovered.
  6. Appropriate back-up and disaster-recovery mechanisms shall be in place to protect against accidental deletions, corruption of or damage to personal data.
  7. Personal data must never be uploaded to cloud storage without the approval of the board and data protection [officer/representative]. Such storage must be protected by appropriate security measures.
  8. Personal data that is either collected or processed on behalf of the company should never be transferred onto a personal computer or other mobile device.
  9. Personal data should never be transferred outside the European Economic Area (EEA) without the consent of the data protection [officer/representative]. Data processors or storage facilities outside the EEA shall be required to provide guarantees that they will process and store data in a way that complies with the provisions of the GDPR and this policy.

Third-party data processing and control

  1. Where Redwood processes data on behalf of a third party, it shall provide as part of the contract a data processing agreement that outlines responsibilities and liabilities relating to personal data. Where contractual relationships already exist, a separate data processing agreement covering the same areas shall be prepared and supplied with all deliberate speed.
  2. Where Redwood acts as data controller, it shall require suppliers who process personal data on its behalf to produce a data processing agreement which complies in every relevant particular with this data protection policy. This must provide sufficient guarantees that the requirements of the GDPR shall be met and the rights of data subjects protected. It must also provide for the secure disposal of all personal data or its return to Redwood at the conclusion of the contract.
  3. Where Redwood acts as a data processor, it will support the data controller in meeting all requirements under the GDPR.
  4. Where subcontractors are used to support Redwood in its capacity as a data processor, the data controller shall be notified if those subcontractors change.
  5. There must be no material changes to the handling of data that Redwood either controls or processes without that having been communicated to and agreed by the controller.
  6. Where clients, suppliers or other third parties request changes in the way data is processed, the data protection [officer/representative] must be consulted on and approve the change.
  7. Where a DSAR relates to data controlled by a Redwood client, the data protection officer must ensure that the client is notified about the request in the event that it is fulfilled.


  1. The data protection [officer/representative] is responsible for supervising procedures relating to a data security breach.
  2. Unauthorised sharing of information within or outside the company constitutes a disciplinary offence.
  3. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Redwood shall promptly assess the risks to data subjects’ rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office as quickly as possible within the statutory timescale.
  4. Where a reportable breach occurs and Redwood is the data processor, Redwood will notify the data controller that this has taken place.
  5. Data security during the preceding 12 months shall be reviewed at least annually.



Cookies Policy

Last updated: April 02, 2019

Redwood Consulting (“us”, “we”, or “our”) uses cookies on the website (the “Service”). By using the Service, you consent to the use of cookies.

Our Cookies Policy explains what cookies are, how we use cookies, how third parties we may partner with may use cookies on the Service, your choices regarding cookies and further information about cookies.

What are cookies

Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third party to recognize you and make your next visit easier and the Service more useful to you.

Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser.

How Redwood Consulting uses cookies

When you use and access the Service, we may place a number of cookie files in your web browser.

We use cookies for the following purposes:

  • To enable certain functions of the Service

We use both session and persistent cookies on the Service and we use different types of cookies to run the Service:

  • Essential cookies. We may use essential cookies to authenticate users and prevent fraudulent use of user accounts.

What are your choices regarding cookies

If you’d like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser. As a European citizen, under GDPR, you have certain individual rights. You can learn more about these rights in the GDPR Guide.

Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.

Where can you find more information about cookies

You can learn more about cookies at the following third-party websites: