Data Protection

Penman Consulting General Data Protection Regulation (GDPR) Statement

“Penman Consulting” is the group consisting of Penman Consulting Ltd, Penman Consulting BVBA and Active Steward Ltd. Also “We”, “our” and “Us”, below.

Penman Consulting welcomes the introduction of GDPR in May 2018 and the Data Protection Act 2018 and is compliant. We take information security seriously, including any obligations as a personal data processor or controller.

Penman Consulting already holds all client data inside the European Economic Area (EAA) or to equivalent standards, as set out in the original UK Data Protection Act.


Penman Consulting has examined its obligations under GDPR as a:

  1. data controller of its own employee data;
  2. potential data controller or processor of third party data such as activity relating to marketing, and industry, Consortium and SIEF communications;
  3. software as a Service (SaaS) supplier;
  4. business that develops software.

An outline of our GDPR compliance arrangements is set out below. For further information please contact us at our UK office using the means set out on our contact page.

Compliance arrangements

  • Penman Consulting collects personal data only for specific purposes and does not keep personal data once its purpose is fulfilled.
  • Personal data that we hold is pseudonymised, usually by encryption.
  • We are not required to appoint a Data Protection Officer but will review this decision if future growth necessitates it. In the meantime, our IT and Data Manager maintains overall responsibility for GDPR compliance.
  • Breaches of personal data in usable form will be reported to the correct supervisory authority. This forms part of our Information Security Management System (ISMS) Incident Response Plan.
  • Should we undertake the relevant processing of personal data, suitable records will be kept and presented to the supervisory authorities upon request. Currently no relevant processing occurs.
  • Data protection is designed into our services and products (“data protection by design and default”) as part of our comprehensive ISMS.
  • Individuals and employees can exercise any of their rights to erasure, portability, rectification and subject access by contacting Penman Consulting at our UK office using the means set out on our contact page.

Derogations and exceptions

Penman Consulting is smaller than 250 employees, and any data processing is not likely to result in a risk to the rights and freedoms of data subjects, is occasional, and does not include any “special categories” of data. This severely limits our obligation to hold processing records, though we are committed to do so wherever this will best serve stakeholders.

Penman Consulting relies on “alternatives to consent” (Article 6(1)) for almost all data processing activities. This is because almost all personal data we hold is one of:

  • a contract with the individual or to fulfil obligations under an employment contract;
  • compliance with a legal obligation;
  • legitimate interests including commercial benefit (Article 6(1)(f)), and not outweighed by harm to the individual’s rights and interests.

Supervisory authorities

Penman Consulting’s supervisory authorities are:

  • The Information Commissioner’s Office of the UK: This is our primary regulator and the body to whom complaints should be directed if they cannot be resolved with us.
  • The Privacy Commission of Belgium:
For more information on Data Protection and Penman Consulting please contact us
Contact Us