GENERAL DATA PROTECTION REGULATION (GDPR) POLICY
FEBRUARY 2025
1. Introduction
1.1 The Beacon ("we," "our," or "us") is committed to ensuring the protection and privacy of personal data in compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. As a specialist PR and communications agency, we handle confidential client information, media contacts, and employee data responsibly and transparently. This policy outlines how we collect, process, store, and protect personal data.
2. Scope
2.1 This policy applies to all personal data processed by The Beacon, including data from clients, employees, media contacts, suppliers, and other stakeholders. It covers all processing activities, whether automated or manual, and applies to the actions of all employees, freelancers, and contractors working on behalf of The Beacon.
3. Data We Collect
3.1 As a PR and communications agency, we collect and process:
Client Data:
Names, job titles, company details, and contact information.
Project details, communication preferences, and correspondence records.
Sensitive business information provided for PR strategy and campaign execution.
Media & Stakeholder Data:
Journalist, influencer, and stakeholder contact details (names, emails, publication/organisation).
Communication preferences and media engagement history.
Publicly available professional data used for press outreach.
Employee & Contractor Data:
Name, address, contact details, payroll data and tax information.
Emergency contact details, performance records, and HR correspondence.
IT and system access logs (where applicable).
Website & Marketing Data:
IP addresses, cookies and analytics data.
Event RSVPs and social media marketing engagement data.
4. Lawful Basis for Processing
4.1 We process personal data based on the following lawful grounds:
Contractual necessity: Managing client projects, employee records, and supplier contracts.
Legitimate interest: Media relations, client servicing, PR outreach, and marketing activities.
Legal compliance: Retaining financial records and HR documentation as required by law.
Consent: Gaining explicit consent for email marketing, press outreach, and media lists.
5. How We Use Personal Data
5.1 We process personal data to:
Deliver PR, marketing, and media relations services to clients.
Manage press office activities, media outreach, and journalist relationships.
Conduct marketing activities, including email newsletters and event invitations.
Manage contracts, invoicing, and supplier relationships.
Handle employee recruitment, HR administration, and payroll processing.
6. Data Protection Measures
6.1 To safeguard client and employee data, we implement:
Access Controls: Limiting access to sensitive data based on role and necessity.
Data Encryption: Protecting stored and transmitted data through encryption methods.
Secure Storage: Storing files in GDPR-compliant cloud systems (The Beacon uses Microsoft Teams, a GDPR-compliant file storage system) with appropriate security settings, and running regular checks to ensure retention policies and governance settings are properly configured.
Confidentiality Agreements: Ensuring all employees, freelancers, and suppliers sign NDAs where required.
Regular Training: Educating employees on GDPR compliance and secure data handling.
7. Data Sharing & Third Parties
7.1 We do not sell personal data. However, we may share necessary information with:
Media Contacts & Journalists: For PR purposes and with client permission, based on professional interest and legitimate business needs.
Service Providers: For IT services, email marketing platforms, HR systems, and finance management.
Legal & Regulatory Authorities: If required by law or for compliance audits.
7.2 We ensure that all third parties handling personal data comply with GDPR through appropriate contracts and agreements.
8. Data Retention Policy
8.1 Client and project-related data is retained for 20 years after project completion for reference and compliance purposes.
8.2 Employee records are retained for a minimum of six years after employment ends, as per legal requirements.
8.3 Media lists are reviewed every 12 months to remove outdated contacts and ensure compliance with GDPR principles.
9. Individual Rights
9.1 Individuals have the right to:
Access their personal data.
Request corrections to inaccurate information.
Request deletion of data where it is no longer necessary.
Restrict processing in certain circumstances.
Withdraw consent for marketing or media outreach activities.
Requests to exercise these rights can be submitted to hello@thebeaconuk.com. Please use ‘GDPR Request’ as the subject of the email.
10. Data Breach Policy
10.1 In the event of a data breach, The Beacon will:
Assess the scope and impact of the breach.
Notify affected individuals and the Information Commissioner's Office within 72 hours if required.
Alert those affected by said breach.
Take remedial action to prevent further risk.
11. Contact Information
For GDPR-related queries or requests, please contact:
The Beacon Data Protection Officer (DPO)
Ellie Hall
The Beacon
Email: hello@thebeaconuk.com
This statement has been approved by The Beacon Limited’s Directors, who will review and update it as required.