Data Protection & Privacy Policy
PART A: PRIVACY INFORMATION
1. Who We Are
McNally Change and Transformation Consultants Ltd (MCTC), trading as Do It Better, is a company incorporated in Scotland with company number SC619958 and registered office at 2 Tupper Court, Hamilton, South Lanarkshire, ML3 7ZU.
MCTC provides programme management, governance and transformation consultancy services.
For the purposes of data protection law, MCTC may act as a data controller in relation to its own business data and may act as a data processor when processing personal data on behalf of clients.
Further information about our services can be found at https://www.doitbetter.uk
Contact for data protection enquiries
Email: barry.mcnally@doitbetter.uk
2. What Information We Collect
We may collect and process the following categories of personal data:
- Name and contact details
- Professional and business information
- Client engagement documentation
- Associate consultant details
- Supplier and payment information
- Website enquiry information submitted via our website
- Technical data such as IP addresses and website usage information
We do not intentionally collect special category data. Where such data is disclosed as part of a client engagement, it will only be processed where lawful and subject to appropriate safeguards.
3. How We Use Your Information
We use personal data to:
- Deliver consultancy services
- Communicate regarding client engagements
- Manage contracts and payments
- Administer associate and supplier relationships
- Respond to enquiries made through our website
- Comply with legal and regulatory obligations
4. Lawful Basis for Processing
We process personal data under one or more of the following lawful bases under UK GDPR:
- Performance of a contract
- Legitimate interests
- Legal obligation
- Consent where required
Where MCTC acts as a data processor on behalf of a client, processing will be carried out in accordance with client instructions and contractual terms.
5. Who We Share Your Information With
We may share personal data with:
- Associate consultants engaged on client assignments
- Professional advisers including accountants and legal advisers
- IT service providers and secure cloud storage providers
- Regulatory authorities where legally required
We do not sell personal data.
All third parties are required to maintain appropriate confidentiality and security standards.
6. International Transfers
Where personal data is transferred outside the United Kingdom, appropriate safeguards are implemented in accordance with UK GDPR requirements.
7. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected.
Typical retention periods include:
- Client engagement documentation: 6 years from completion
- Financial and accounting records: 6 years
- Associate consultant records: duration of engagement plus 6 years
- Website enquiry information: up to 12 months unless further engagement arises
8. Your Rights
Under UK GDPR, individuals have the right to:
- Request access to personal data
- Request correction of inaccurate data
- Request erasure where appropriate
- Object to processing
- Request restriction of processing
- Withdraw consent where processing is based on consent
Requests may be made by contacting barry.mcnally@doitbetter.uk.
If you are dissatisfied with how your data has been handled, you have the right to lodge a complaint with the Information Commissioner’s Office at www.ico.org.uk.
PART B: INTERNAL DATA PROTECTION CONTROLS
9. Data Protection Principles
MCTC processes personal data in accordance with the principles set out in UK GDPR and the Data Protection Act 2018.
Personal data shall be:
- Processed lawfully, fairly and transparently
- Collected for specified and legitimate purposes
- Limited to what is necessary
- Accurate and kept up to date
- Retained only as long as necessary
- Protected against unauthorised or unlawful processing and accidental loss
10. Security Measures
MCTC implements appropriate technical and organisational measures including:
- Password protection and multi-factor authentication
- Secure cloud storage platforms
- Access controls based on business need
- Device security and regular software updates
- Encryption of devices where appropriate
- Confidentiality obligations for associates and suppliers
Access to personal data is restricted to those who require it for legitimate business purposes.
11. Data Breach Procedure
Any suspected personal data breach must be reported immediately to the Managing Director.
MCTC will:
- Assess and contain the breach
- Investigate the cause
- Notify affected individuals where required
- Report to the Information Commissioner’s Office within 72 hours where legally required
12. Responsibilities
The Managing Director acts as Data Protection Lead and is responsible for:
- Policy oversight
- Breach management
- Compliance monitoring
- Ensuring appropriate contractual controls are in place where acting as a data processor
Associate consultants and subcontractors must:
- Process personal data only for agreed purposes
- Maintain confidentiality
- Comply with security requirements
- Report any suspected breach immediately
13. Regulatory Authority
MCTC recognises the Information Commissioner’s Office as the UK supervisory authority for data protection matters.
Where required by law, MCTC will cooperate fully with the Information Commissioner’s Office.
14. Review
This policy will be reviewed annually or sooner if there are changes in legislation, business activities or organisational structure.
