Privacy policy

Data Protection Policy

Last updated 7th April 2022

Hope and May is committed to protecting the privacy and the security of personal data. To ensure the processing of data is lawful, Hope and May ensure they process data in accordance with UK Data Protection Law which includes but may not be limited to the UK General Data Protection Regulation (UK GDPR), the Privacy and Electronic Communications Regulation (PECR), The Data Protection Act 2018 and any other relevant data protection legislation according to where you may reside or where your organisation may be established.

This Data Protection Notice explains the types of personal data we may process when we conduct business. It also explains how we store and handle that data and keep it safe.

First of all, here’s a few terms we may use in this document to explain ourselves. “Personal data” is information relating to a living, identifiable individual. So, this could be anything from a postal address to a telephone number or date of birth.

“Processing” data includes various operations that may be carried out on information, including collecting, recording, organising, using, disclosing, storing and deleting it. A “Condition for processing data” is essentially the justification for processing the data, for example we may ask a data subject to agree for us to send marketing information, in this instance we may ask that person for Consent, but normally only if they are a sole trader or partnership. Generally, we deal with organisations and the current legislation does not require Consent (PECR) to be collected for organisation-to-organisation communications unless that organisation has opted out of such communications. However, we are committed to protecting all data and this includes the personal information of employees of organisations with which we may communicate.

The law requires us:

To process data in a lawful, fair and transparent way –

To only collect data for explicit and legitimate purposes –

To only collect data that is relevant, and limited to the purpose(s) we may have indicated –

To ensure that data is accurate and up to date –

To ensure that data is only kept as long as necessary for the purpose(s) we have indicated –

To ensure that appropriate security measures are used to protect the data.

It is likely that we will need to update this Policy from time to time, updates are published on our website and are available upon request.

Who is Hope and May?

It is an organisation that delivers advice, guidance and support services to organisations. These services relate to the legal obligations of those organisations concerning the protection of data, privacy and confidentiality. Hope and May operates across the World and is able to work with any organisation in any country. For the purposes of UK Data Protection Law, we are a Data Controller.

The Purposes of Processing data

The law on data protection sets out a number of different reasons or conditions for which an organisation may collect and process personal data. When collecting personal data, we will always where required make a case for processing. We will process data in the organisation’s legitimate interest unless there is a legal obligation such as employment law or a contractual obligation.

Special Category Data

Hope and May does not set out to collect sensitive information about its clients or their staff, customers, supporters, beneficiaries or members. We have no need for this information. However, we are mindful that information of the type may be available to us from time to time. For example, if an organisation reveals to us a staff file, or the details of a beneficiary or service user of a charity. We do not process this data and therefore do not control it. Any observations made as part of our service are justified in our general terms and conditions of business which forms the necessary contractual understanding. We may however process this data concerning our own staff. For the avoidance of doubt, these categories of information include –

Racial or ethnic origin

Political opinions

Religious or philosophical beliefs

Trade union membership

Genetic and biometric data (e.g. fingerprints) for the purpose of uniquely identifying someone;

Data concerning a health condition

Data concerning someone’s sex life or sexual orientation.

We may process special categories of personal data of staff in the following circumstances:

With their explicit written consent; or

Where it is necessary in the substantial public interest, and further conditions are met

Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards of fundamental rights and interests specified in law.

Where there is a legal obligation.

Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for “Special Categories” referred to above.

What data does Hope and May collects?
occasions will include, but are not limited to:

When an individual works with the Hope and May team

When an individual visits our offices or an event is organised

When an individual or organisation supplies good and services

When an individual writes to us about any subject by any means

When an individual posts, likes, follows or reply on any of our social media feeds

When an individual’s images or vehicle number plate is recorded on our CCTV system

When an individual or an organisation is a client of Hope and May and uses our services

When an individual is part of an audience which Hope and May may address

When an individual has engaged with asks us to send a communication

When an individual accesses or engages with our website.

Hope and May collects personal data in order to manage its business and deliver its service to its clients. The data collected is most likely in electronic format but can also be in paper form.
When an individual visits our website, we may collect the IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience. We may use technology such as cookies to help us deliver relevant and interesting content in our communications in the future. We may profile individuals to find out more about them but in the least most intrusive way. We may use information we collect to display the most interesting content on our website we may use data we hold about previous visits.

We may also collect social media usernames if data subjects interact with us through these channels in order to help us respond to comments, questions and feedback. The data privacy laws allow this as part of our legitimate interest in understanding our audience.

For security reasons, we use all appropriate organisational and technical security controls to safeguard data.

When we interact with data subjects, we may also collect notes from conversations with them, and details of any complaints or comments made.

Hope and May is committed to the data protection rights

There are eight important rights detailed in the UK GDPR and the Data Protection Act 2018. Hope and May is committed to uphold these rights.

For further details please contact our offices.

Sharing data with Hope and May

Hope and May considers business to business communications to be outside of the scope of the UK GDPR. However, it acknowledges that some personal data may be contained in business correspondence. Hope and May publishes opt-out information in such circumstances. Any individual can ask to be forgotten and Hope and May will respect this decision unless there is a professional or legal obligation to retain such information. However, in the course of consultancy and DPO service delivery some personal information may be shared between the client and Hope and May that identify donors, volunteers, staff, (in ways not necessarily connected with business matter) and beneficiaries, members and clients (as individuals). If the sharing of data necessitates a determination or decision by Hope and May, then Hope and May will be a data controller of such information and will apply the terms of this policy when processing the data. In some instances, Hope and May may be a Third Party as defined by the UK GDPR and therefore neither a controller or processor of data for which our client is the controller.


Whenever we collect or process personal data, we will only keep it for as long as is necessary for the purpose for which it was collected. The Information Asset Register includes retention periods and this Register will indicate the types of data concerned and clearly indicate the period it will be retained. Annual reviews will ensure that retention schedules are followed. At the end of the retention period, data will either be deleted completely, put beyond use or anonymised. In some cases, personal data may be kept in perpetuity.

Your data outside the EEA

Occasionally we will need to share personal data with a third party or suppliers outside the European Economic Area (EEA). The EEA includes all EU Member countries as well as a number of other countries that have received an Adequacy Decision from the EU Commission or the UK in the future. We have put in place the necessary safeguards to ensure the data is protected on these occasions. These include but are not limited to, the data protection transfer Addendum in conjunction with EU Standard Contractual Clauses (SCCs), UK International Data Transfer Agreements (IDTAs) and relevant agreements for both Data Processors and those that may be Joint Controllers. All such transfers may be subject to Transfer Risk Assessments (TRAs). This section is likely to be updated regularly.


Hope and May takes the UK GDPR seventh principle of data protection very seriously. It ensures compliance with this lawful requirement by recording events and continually documenting its compliance journey. These records include Records of Processing Activity, Events log and Breach reporting log. Hope and May reviews its data protection policies every three months or sooner where required. It is registered with the ICO as a data controller and has appointed a Data Protection Officer under reference ZA432708.

Stopping us from using your data

Although there is no strict obligation upon us to inform employees of organisations with which we are contractually delivering a business service or wish to deliver such a service about our processing of data and our processing activities that may identify them, we aim to be ethically compliant. Therefore, an individual can stop Hope and May from processing personal data that may identify them by contacting us using the information below.

It must be remembered; some administrative communications cannot be stopped due to a legal or contractual obligation.

Complaining about our processing of data

If you feel that data has been handled incorrectly by Hope and May, a complaint can be made to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK.

They can be contacted on 0303 123 1113 or by going online to

If you would like to discuss your concerns directly with us please call 0330 111 0013 or us the contact us form at the bottom of this page.

If the organisation is based outside the UK, the complaint should be directed to the relevant data protection supervisory authority in that Country.

Get in touch