Privacy & Data
Privacy & data protection policy in accordance with the EU General Data Protection Regulation (GDPR), tailored by the Data Protection Act 2018
INTRODUCTION AND APPLICATION
Lygon Group gathers and processes data on individuals and companies for the purposes of executive search and for the purposes of executive mentoring.
This policy describes how personal data must be collected, handled and stored in order to meet Lygon Group’s data protection standards and to comply with GDPR. Lygon Group takes the privacy rights of individuals, whether members of staff, candidates or clients, seriously and aims to protect them and act with transparency at all times.
This policy protects the rights of staff, candidates and clients.
This policy applies to all employees of Lygon Group. All Lygon Group employees are data processors. This policy applies to all data that the company holds relating to identifiable individuals.
Third party providers to Lygon Group are required to confirm that they comply with the provisions of GDPR and the terms of this policy as a data processor on Lygon Group’s behalf.
A data processor is an employee of Lygon Group who is responsible for processing personal data on behalf of the company. Third party IT providers contracted by Lygon Group are also data processors for the purposes of the legitimate services they provide to Lygon Group. Third party providers to Lygon Group are bound by the provisions of this policy and confirm their compliance with it.
For the purpose of the Data Protection Act 1998 and any successor statute and the GDPR,tailored by the Data Protection Act 2018, the data controller is Lygon Group (Lygon Partners Ltd) of 10 Brook Street, London W1S 1BG.
The term ‘Lygon Group employee’ refers to any full or part time member of Lygon Group, whether on a permanent or temporary contract.
LEGAL BASIS FOR PROCESSING PERSONAL DATA
Personal data will only be collected and processed by Lygon Group for the legitimate purposes of:
the execution of an executive or non-executive search
the provision of mentoring services
business development activities pursuant to winning search or mentoring assignments
Lygon Group staff and company administration
Wherever possible, Lygon Group attempts to secure consent from an individual to store and process their data. Consent is sought when an individual writes to a member of staff at Lygon Group pursuant to job opportunities. Individuals are replied to by a named and contactable employee of Lygon Group with an email that seeks explicit approval to retain a copy of their CV on its database so that staff from Lygon Group can contact them about relevant searches at some point in future.
Consent is implied and assumed when an individual actively engages in a search process pursuant to a job opportunity. The fact that their personal data and interest in the appointment is going to be shared with a client is explained explicitly to the candidate.
CATEGORIES OF PERSONAL DATA
Personal data for the purposes of Lygon Group’s legitimate business interests includes:
Date of birth
Performance and suitability assessments
Telephone, email, social media and Skype contact details
Formal and informal references
Profile picture sourced online
Lygon Group does not typically process sensitive personal data, such as ethnic origin, political opinions, religious beliefs or physical or mental health. In the event that a client of Lygon Group wishes to see diversity statistics for a search, we will seek a candidate’s explicit consent to store this information. Diversity statistics on topics of sensitive personal data will be anonymous when shared with the client and will not be attributable to an individual candidate.
CATEGORIES OF INDIVIDUALS
Personal data is collected by Lygon Group about:
potential and actual candidates
potential and actual clients
referees, both named and informal
potential and actual mentors
SOURCE OF DATA
The personal data processed by Lygon Group is sourced via one or more of the following methods:
Direct telephone, email, online, and in-person contact with the individual in question
Third party individuals, such as referees
The client interview process
Public company records, websites and press releases
Subscription databases, such as BoardEx and Capital IQ
CATEGORIES OF RECIPIENTS OF PERSONAL DATA
Personal data collected for business development, mentoring, and executive search purposes will only be shared on a need-to-know basis with:
Potential and actual candidates
Potential and actual clients
Potential and actual mentors
Individuals employed by Lygon Group
The transfer of personal data to a client outside the EU will only be carried out with the explicit consent of the individual.
LENGTH OF TIME DATA IS RETAINED FOR
For the legitimate business interests of Lygon Group and its data controllers, personal data about clients and candidates is stored securely indefinitely, unless a candidate requests otherwise. Retaining contact with clients and candidates (prospective or actual), and understanding the course of an individual’s career and their respective experiences and personal progression is a critical factor in Lygon Group’s ability to carry out its legitimate business interests.
Each time personal data is processed by a Lygon Group employee, that employee will take all reasonable measures to ensure the data is up to date. Measures may include: contacting the individual about whom the data is being processed, accessing databases to which Lygon Group subscribes, and using publically available information.
DATA STORAGE AND ACCESS
Lygon Group stores personal data as follows:
FileFinder – a licenced internal database to which only Lygon Group employees have access and to which access is password protected
Hand written records are either securely shredded (via an outsourced provider) or are stored in locked filing cabinets at Lygon Group’s offices
Additional data is stored (documents, emails, and contacts) via Lygon Group’s IT system, which includes outlook and a shared drive
Lygon Group employees will have access to personal data stored about candidates and clients (actual or potential). Employees access this data via Lygon Group’s on-premise IT equipment and mobile devices.
Lygon Group employees must follow comprehensive guidelines regarding the entry and processing of data onto and through FileFinder. FileFinder is licenced from and maintained by Dillistone Systems. Individual personal data may be accessible by Dillistone Systems for the purpose of File Finder maintenance.
Lygon Group outsources its IT management and data security provision to Blue Diamond, which carries out annual assessments of system and data security in-line with GDPR regulations. Individual personal data may be accessible by Blue Diamond for the purpose of its IT service provision.
Other third party providers may have limited access to personal data held and processed by Lygon Group for specific and limited purposes, such as for employee pay roll.
SHARING OF PERSONAL DATA OUTSIDE THE EU
In the event that a client of Lygon Group is based outside the EEA (EU member states, and Norway, Iceland and Liechtenstein), personal data will be transferred only if all safeguards in this policy are met. Lygon Group will endeavour to seek consent from individuals before such a transfer.
RIGHT OF ACCESS AND OBJECTION
Individuals about whom Lygon Group processes data are entitled to:
confirmation that their data is being processed
access to their personal data
a copy of Lygon Group’s privacy and data protection policy
Individuals who request access to their personal data in writing will be provided with their data within three weeks of their request.
An individual who has reviewed the personal data held on them by Lygon Group has the right to have their personal data rectified within four weeks if it is inaccurate or incomplete, in which instance Lygon Group will inform any third party who has received the data in question of the rectification where possible.
An individual has the right to object to the processing of their personal data at any point by emailing: email@example.com. In that instance, Lygon Group will continue to store their data but will not process it for any purpose. The right to object explicitly forms part of Lygon Group’s initial consent request (see above).
An individual has the right to object to the storage of their personal data at any point by emailing: firstname.lastname@example.org. In that instance, Lygon Group will destroy/delete the data stored on the individual unless it is required to retain this information for a period of time, such as in the case of a placed candidate or for regulatory purposes. The right to object explicitly forms part of Lygon Group’s initial consent request (see above).
In the event of a data breach about which Lygon Group becomes aware, it will report the details of the breach to the Data Commissioners Office and any individual(s) and client(s) affected within 72 hours, where feasible or as soon thereafter as possible.
HOW TO MAKE A COMPLAINT
Individuals can write to Lygon Group’s data protection officer with details of their complaint: email@example.com. A written response will be provided after an internal investigation and within 30 days.
Individuals also have the right to raise their concerns with the Information Commissioner’s Officer (ICO) at