Data Controller:  Rhonda Murkin – ICO Registration Number: [                                        ]

In order to provide you with consultancy advice I need to collect, use or otherwise process personal information about you.  This privacy policy explains how I will do that, how I use and share that information and your rights in relation to it.

“Personal data” is information relating to you as a living, identifiable individual.  I will process your personal data in accordance with applicable data protection and privacy laws including the Data Protection Act 2018 and the UK GDPR.

Who am I?

I am registered with the Information Commissioner’s Office as a Data Controller.  My ICO Registration Number is as stated above.  If you need to contact me about your data or this privacy notice, you can reach me at

Data protection principles

I will at all times comply with the data protection principles set out in the UK GDPR and Data Protection Act 2018 (which includes not only electronic data, but also personal data held in paper format in filing systems).  I will ensure that your personal data is:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified and legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and kept up to date;
  • kept in a form which permits your identification for no longer than is necessary for those purposes; and
  • processed in a way which ensures appropriate security of data.

In addition, the principle of accountability means that I, as data controller, am responsible for and must be able to demonstrate compliance with these principles.

For these purposes, personal data means any information about an individual from which that individual is capable of being identified. It does not include data where the identity has been removed (anonymised data).

What types of personal data do I collect about you?

I collect and process personal data about you.  The data I collect may include:

  • Your contact details (including name, address, phone number and email address);
  • Bank or payment details;
  • Financial information about your business;
  • Information about your employees.

How do I collect your personal data?

The vast majority of the information I hold about you is collected during the course of your instructions.  This information may either be directly provided by you or I may occasionally obtain information from other sources such as:

  • Information that is available publicly in registers, searches or in the media; and
  • Regulatory, public or administrative bodies.

How do I store your data?

I will keep your personal data secure at all times.  Your information may be stored in different places including a paper based filing system and on my computer/laptop.

I operate various security measures in order to prevent loss of, or unauthorised access to, your personal data. In order to ensure this, I restrict access to your personal data to those with a genuine business need to access it, and I have procedures in place to deal with any suspected data security breach.  I will notify you and any applicable regulator of a suspected data security breach where I am legally required to do so.

How long do I keep your personal information?

Personal data that is processed by me will not be retained for any longer than is necessary for that processing, or for purposes relating to or arising from that processing (including any legal, accounting, regulatory and reporting requirements) and in line with my Data Retention Policy which is available on request.  This policy is reviewed periodically and the periods for storage specified in it may alter depending on the requirements of law and regulation, best practice and insurance.

Please note, however, that different periods for keeping your personal data may apply depending upon the type of data being retained and the purpose of its retention.

In some circumstances I may anonymise your personal information so that it can no longer be associated with you, in which case I may use such information without further notice to you.

The legal basis for processing your personal information

The UK GDPR requires all organisations that process personal data to have a lawful basis for doing so. The lawful bases identified in the UK GDPR are:

  • Consent of the data subject
  • Performance of a contract with the data subject or to take steps to enter into a contract
  • Compliance with a legal obligation
  • To protect the vital interests of a data subject or another person
  • Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • The legitimate interests of ourselves, or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

How do I use your personal information and on what basis?

I will primarily use your personal information to:

  • Manage my relationship with you including providing advice;
  • investigate and respond to your concerns;
  • recover debt;
  • respond to and communicate with the Law Society;
  • investigate or address legal proceedings relating to your use of my services or where otherwise allowed by law;
  • communicate with you about news, updates, events and other marketing purposes;

In the majority of cases I will be seeking to rely on the following bases for processing your data:

  • Performance of a contract with the data subject or to take steps to enter into a contract;
  • The legitimate interests of my business, or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Legitimate interests might include:

  • Provision of advice;
  • maintaining accurate and up-to-date records and contact details;
  • the management, administration and operation of my business, including accounting and regulatory requirements;
  • for business development and direct marketing purposes;
  • establishing, exercising and defending legal claims;
  • to prevent fraud;
  • reporting threats to public security.

There may also be instances where I need to obtain and process data in order to satisfy legal requirements placed upon me including record keeping, administration and regulatory activities.

I may need to process your personal data in order to ensure that I am able to protect your interests (or those of someone else) and where it is needed in the public interest.

On occasion I may rely upon your consent particularly in relation to my marketing activity.  At all times you retain the right to withdraw your consent. Where I have relied upon your consent and you opt to withdraw it this does not invalidate my lawful basis for processing data historically.

I confirm that your personal data will only be used for the purposes for which it was collected, except in those circumstances where I reasonably consider that it needs to be used for another reason, and that reason is compatible with the original purpose.  Should I need to use your personal data for an unrelated purpose, I will notify you, and I will explain the legal basis which allows me to do so.

Note that I may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.


You may opt out of receiving emails and other messages directly from me by following the instructions in those messages.

What if you fail to provide personal information?

If you decide not to supply personal data that I have requested and as a result I am unable to comply with my professional, legal or regulatory obligations, then I may not be able to advise you or enter into a relevant contract with you.

Sharing your data with others

Your personal data may be seen or used me or my staff  in the course of their duties or others working lawfully with me in the ordinary course of my business.  This might include administrative support employed directly by me or my accountants.

I may need to share your data with relevant third parties (for example other professional bodies such as the Law Society or the Bar Council, my assessment body, agencies responsible for the detection of crime and fraud, law enforcement officials, government authorities and auditors) in order to fulfil my legal and professional obligations, or to undertake searches about you, or where you ask me to share your data.

In the event of a complaint or dispute I may need to share your information with my insurers or, in the case of complaint or dispute arising from any Lexcel assessment I have undertaken, the Law Society and/or my assessment body.

Transferring your data outside the UK

I do not expect to transfer your personal information outside the UK.  If I do I will ensure the relevant safeguarding measures are in place.

Your rights in relation to your data

Data protection legislation gives you various rights in relation to your personal data that I hold and process. These rights are subject to specific time limits in terms of how quickly I must respond to you. The rights which data subjects have are, in the main, set out in Articles 12–23 of the UK GDPR. They are as follows:

Right of access – this is usually known as making a data subject access request.  It enables you to obtain from me confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to that personal data and various other information, including the purpose for the processing, with whom the data is shared, how long the data will be retained, and the existence of various other rights (see below).

Right to rectification – this enables you to have any inaccurate or incomplete personal information I hold about you corrected.

Right to erasure – sometimes referred to as the right to be forgotten, this is the right for you to request that, in certain circumstances, I delete data relating to you.

Right to restrict processing – the right to request that, in certain circumstances, I restrict the processing of your data.

Right to data portability – the right, in certain circumstances, to receive that personal data which you have provided to me, in a structured, commonly used and machine-readable format, and a right to have that personal data transmitted to another controller.

Right to object – the right, in certain circumstances, to object to personal data being processed by me where it is in relation to direct marketing, or in relation to processing where I am relying on the legitimate interests of the business as our legal basis for doing so.

Right not to be subject to automated decision making – the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you.  I do not envisage that any decisions will be taken about you based solely on automated decision making, including profiling.

Full details of these rights can be found in the UK GDPR or by reference to guidance produced by the Information Commissioner’s Office.

In the event that you wish to exercise any of these rights please contact me.  Some of these rights are not automatic, and I reserve the right to discuss with you why I might not comply with a request from you to exercise them.  I may need to request specific information from you in order to verify your identity and check your right to access the personal data or to exercise any of your other rights.  This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.

In the limited circumstances where you have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.  This will not, however, affect the lawfulness of processing based on your consent before its withdrawal.  If you wish to withdraw your consent please contact me.  Once I have received notification that you have withdrawn your consent I will no longer process your personal information for the purpose you originally agreed to.

Making a complaint

If you have any queries as to the acquisition, use, storage or disposal of any personal data relating to you please contact me.

Despite our best efforts, inevitably sometimes things do go wrong.  If you are unhappy with any aspect of the use and/or protection of your personal data, you have the right to make a complaint to the Information Commissioner’s Office, who may be contacted in writing at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; by telephone on 0303 123 1113; by fax on 01625 524510; or online at

Changes to this policy

This privacy policy is reviewed annually.  The terms and provisions of this policy may be changed, updated and amended from time to time.

If you would like this policy to be supplied to you in another format (for example audio, large print, braille) please contact me.