The Purposeful Leader

Data Protection Policy


  1. The Purposeful Leader needs to gather and use certain data about individuals and companies and their projects in the course of its business. This can include our staff and suppliers, clients, business contacts, and other people we have a relationship with or need to contact. It can also include limited and justified use of personal data specifically for the purpose of a project.
  2. This policy describes how this personal data must be collected, handled, and stored to meet our data protection standards, and to comply with the law.

Data protection regulation

  1. The Purposeful Leader is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation 2016/679 (GDPR). This applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This applies equally to hard copies of files and digital resources.
  2. Article 5 of the GDPR requires that personal data shall be:
    1. processed lawfully, fairly, and in a transparent manner;
    2. collected for specified, explicit, and legitimate purposes;
    3. adequate, relevant, and limited to what is necessary;
    4. accurate and where necessary kept up to date;
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed; and
    6. processed in a manner that ensures appropriate security of the personal data.

General Provisions

  1. This policy applies to all personal data processed by The Purposeful Leader.
  2. This policy shall be reviewed at least annually.
  3. Separate policies shall be produced and regularly reviewed to cover the company’s human resources and public affairs functions. They shall comply in every particular with this overarching data protection policy.
  4. All of The Purposeful Leader’s staff, including Associates, will be informed about this data protection policy and its principles and will be required to confirm that they have read and understood it.


  1. All The Purposeful Leader’s staff have responsibility for ensuring that data is collected, stored, and handled in compliance with the law and this policy. They shall have appropriate training to support them in this requirement.
  2. The Purposeful Leader shall designate a data protection officer/representative. They are appropriately supported in that role, sufficiently independent, and free from conflicts of interest in connection with the use of personal data. They shall:
    1. advise the board on data protection responsibilities, risks, and issues;
    2. review all data protection procedures and policies in line with an agreed schedule;
    3. arrange data protection training and advice for staff;
    4. handle data protection questions from staff; and
    5. review data processing agreements from suppliers and clients.
  1. People have the legal right to undertake a data subject access request (DSAR) to understand what data The Purposeful Leader holds about them. The human resources data protection policy shall outline how these requests are to be processed.

Lawful purposes

  1. All personal data processed by The Purposeful Leader must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interest, public task, or legitimate interests. The basis on which The Purposeful Leader will process that data must be made clear at the point of collection.
  2. Where consent is the lawful basis for processing data, evidence of opt-in consent shall be stored with the data.
  3. Where consent is the lawful basis for processing data, the option to revoke consent should be clearly available and immediately processed if required.

Proportionate data collection

  1. The Purposeful Leader will ensure that personal data collection is directly relevant and limited to that necessary for the purpose for which it is processed.


  1. The Purposeful Leader will take reasonable steps to ensure personal data is accurate.
  2. Where necessary for the lawful basis on which the data is processed, steps shall be put in place to ensure that personal data is kept up to date.


  1. Personal data held on behalf of clients must be returned to the client or destroyed at the conclusion of the contract unless otherwise required by law. The Purposeful Leader will inform its clients of this.
  2. To ensure that personal data is kept for no longer than necessary, the human resources and public affairs data protection policies shall specify for how long personal data will be stored and how that will be reviewed.
  3. There shall always be a presumption in favor of the deletion of personal data.


  1. The Purposeful Leader will ensure that personal data in digital form is stored securely using modern software and that that software is kept up to date.
  2. The Purposeful Leader will ensure that personal data stored on paper or on removable storage media is kept in a secure place where unauthorized people cannot see it. When not used, it should be kept in a locked storage unit.
  3. Access to personal data shall be limited to personnel who require access for the purpose for which the data is collected and processed. Appropriate protections for that data, both physical and digital, shall be put in place.
  4. When personal data kept on paper is disposed of, it should be securely shredded.
  5. When personal data kept in digital form is deleted, this should be done in such a manner that the data cannot be recovered.
  6. Appropriate backup and disaster-recovery mechanisms shall be in place to protect against accidental deletions, corruption of, or damage to personal data.
  7. Personal data must never be uploaded to cloud storage without the approval of the board and data protection officer/representative. Such storage must be protected by appropriate security measures.
  8. Personal data that is either collected or processed on behalf of the company should never be transferred onto a personal computer or other mobile devices.
  9. Personal data should never be transferred outside the European Economic Area (EEA) without the consent of the data protection officer/representative. Data processors or storage facilities outside the EEA shall be required to provide guarantees that they will process and store data in a way that complies with the provisions of the GDPR and this policy.

Third-party data processing and control

  1. Where The Purposeful Leader processes data on behalf of a third party, it shall provide as part of the contract a data processing agreement that outlines responsibilities and liabilities relating to personal data. Where contractual relationships already exist, a separate data processing agreement covering the same areas shall be prepared and supplied with all deliberate speed.
  2. Where The Purposeful Leader acts as data controller, it shall require suppliers who process personal data on its behalf to produce a data processing agreement that complies in every relevant particular with this data protection policy. This must provide sufficient guarantees that the requirements of the GDPR shall be met and the rights of data subjects protected. It must also provide for the secure disposal of all personal data or its return to The Purposeful Leader at the conclusion of the contract.
  3. Where The Purposeful Leader acts as a data processor, it will support the data controller in meeting all requirements under the GDPR.
  4. Where subcontractors are used to support The Purposeful Leader in its capacity as a data processor, the data controller shall be notified if those subcontractors change.
  5. There must be no material changes to the handling of data that The Purposeful Leader either controls or processes without that having been communicated to and agreed upon by the controller.
  6. Where clients, suppliers, or other third parties request changes in the way data is processed, the data protection officer/representative must be consulted on and approve the change.
  7. Where a DSAR relates to data controlled by a client of The Purposeful Leader, the data protection officer must ensure that the client is notified about the request in the event that it is fulfilled.


  1. The data protection officer/representative is responsible for supervising procedures relating to a data security breach.
  2. Unauthorized sharing of information within or outside the company constitutes a disciplinary offense.
  3. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, The Purposeful Leader shall promptly assess the risks to data subjects’ rights and freedoms and, if appropriate, report this breach to the Information Commissioner’s Office as quickly as possible within the statutory timescale.
  4. Where a reportable breach occurs and The Purposeful Leader is the data processor, The Purposeful Leader will notify the data controller that this has taken place.
  5. There shall be at least annual reviews of data security during the preceding 12 months.


Cookies Policy

Last updated: October 02, 2022

The Purposeful Leader (“us”, “we”, or “our”) uses cookies on the website (the “Service”). By using the Service, you consent to the use of cookies.

Our Cookies Policy explains what cookies are, how we use cookies, how third parties we may partner with may use cookies on the Service, your choices regarding cookies, and further information about cookies.

What are cookies

Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third party to recognize you and make your next visit easier and the Service more useful to you.

Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser.

How The Purposeful Leader uses cookies

When you use and access the Service, we may place a number of cookie files in your web browser.

We use cookies for the following purposes:

  • To enable certain functions of the Service

We use both session and persistent cookies on the Service and we use different types of cookies to run the Service:

  • Essential cookies. We may use essential cookies to authenticate users and prevent fraudulent use of user accounts.

What are your choices regarding cookies?

If you’d like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser. As a European citizen, under GDPR, you have certain individual rights. You can learn more about these rights in the GDPR Guide.

Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.

Where can you find more information about cookies?

You can learn more about cookies at the following third-party websites: