©2018 by Hope and May. Proudly created with


Our Privacy Policy


Data Protection

Hope and May is committed to protecting personal data. To ensure the processing of data is lawful, Hope and May ensure they process data in accordance with the EU General Data Protection Regulation (GDPR), the Privacy, Data Protection and Electronic Communications Regulation 2019 (UK GDPR), the Privacy and Electronic Communications Regulation (PECR) and any other relevant data protection legislation.   


This Data Protection policy explains the types of personal data we may process when we conduct business. It also explains how we store and handle that data and keep it safe.


First of all, here’s a few terms we may use in this document to explain ourselves.


“Personal data” is information relating to a living, identifiable individual. So, this could be anything from a postal address to a telephone number or date of birth. 


“Processing data" includes various operations that may be carried out on information, including collecting, recording, organising, using, disclosing, storing and deleting it. 


“Condition for. processing. data” is essentially the justification for processing the data, for example we may ask a data subject to agree for us to send marketing information, in this instance we may ask that person for Consent, but normally only if they are a sole trader or partnership. Generally, we deal with organisations and the current legislation does not require Consent (PECR) to be collected for organisation to organisation communications. However, we are committed to protecting all data and this includes the personal information of employees of organisations with which we may communicate. 


The law requires us:


  • To process data in a lawful, fair and transparent way;

  • To only collect data for explicit and legitimate purposes;

  • To only collect data that is relevant, and limited to the purpose(s) we may have indicated;

  • To ensure that data is accurate and up to date;

  • To ensure that data is only kept as long as necessary for the purpose(s) we have indicated;

  • To ensure that appropriate security measures are used to protect the data.


It is likely that we will need to update this Policy from time to time, updates are published on our website and are available upon request.


Hope and May

It is an organisation that delivers advice, guidance and support services to organisations. These services relate to the legal obligations of those organisations concerning the protection of data, privacy and confidentiality. Hope and May operates across the World and is able to work with any organisations in any Country.  


The Purposes of Processing data

The law on data protection sets out a. number of different reasons or conditions for which an organisation may collect and process personal data. When collecting personal data, we will always where required make a case for processing. We will process data in the organisation’s legitimate interest unless there is a legal obligation such as employment law or a contractual obligation. 


Special Category Data

Hope and May does not set out to collect sensitive information about its clients or their staff, customers, supporters, beneficiaries or members. We have no need for this information. However, we are mindful that information of the type may be available to us from time to time. For example, if an organisation reveals to us a staff file, or the details of a beneficiary or service user of a charity. We do not process this data and therefore do not control it. Any observations made as part of our service are justified in our general terms and conditions of business which forms the necessary contractual understanding. We may however process this data concerning our own staff. For the avoidance of doubt, these categories of information include;


  • Racial or ethnic origin;

  • Political opinions;

  • Religious or philosophical beliefs;

  • Trade union membership.

  • Genetic data; 

  • Biometric data(e.g. fingerprints) for the purpose of uniquely identifying someone;

  • Data concerning health; 

  • Data concerning someone's sex life or sexual orientation.


We may process special categories of personal data of staff in the following circumstances:

  • With their explicit written consent; or

  • Where it is necessary in the substantial public interest, and further conditions are met;

  • Where the processing is necessary for archiving purposes in the public interest, or for scientific or historical research purposes, or statistical purposes, subject to further safeguards of fundamental rights and interests specified in law;

  • Where there is a legal obligation.


Further legal controls apply to data relating to criminal convictions and allegations of criminal activity. We may process such data on the same grounds as those identified for“Special Categories” referred to above.


Hope and May collects personal data. Occasions will include, but are not limited to:

  • When an individual works with the Hope and May team;

  • When an individual visits our offices or an event is organised;

  • When an individual or organisation supplies good and services;

  • When an individual writes to us about any subject by any means;

  • When an individual posts, likes, follows or reply on any of our social media feeds; 

  • When an individual’s vehicle number plate is recorded on our CCTV system;

  • When an individual or an organisation is a client of Hope and May and uses our services;

  • When an individual is part of an audience which Hope and May may address;

  • When an individual has engaged with asks us to send a communication;

  • When an individual accesses or engages with our website.


Hope and May collects personal data in order to manage its business and deliver its service to its clients. The data collected is most likely in electronic format but can also be in paper form.


When an individual visits our website, we may collect the IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information. This information is used solely for web server monitoring and to deliver the best visitor experience. We may use technology such as cookies to. help us deliver relevant and interesting content in our communications in the future. We may profile individuals to find out more about them but in the least most intrusive way. We may use information we collect to display the most interesting content on our website we may use data we hold about previous visits. 


We may also collect social media usernames if data subjects interact with us through these channels in order to help us respond to comments, questions and feedback. The data privacy laws allow this as part of our legitimate interest in understanding our audience.


For security reasons, we use all appropriate organisational and technical security controls to safeguard data.

When we interact with data subjects, we may also collect notes from conversations with them, and details of any complaints or comments made. 


Hope and May is committed to the data protection rights


There are eight important rights detailed in the GDPR and the Data Protection Act 2018. Hope and May is committed to uphold these rights. For further details please contact our offices. 

  • Retention 

Whenever we collect or process personal data, we will only keep it for as long as is necessary for the purpose for which it was collected. The Information Asset Register includes retention periods and this Register will indicate the types of data concerned and clearly indicate the period it will be retained. Annual reviews will ensure that retention schedules are followed. At the end of the retention period, data will either be deleted completely, put beyond use or anonymised. In some cases, personal data may be kept in perpetuity.


  • Your data outside the EEA

Occasionally we will need to share personal data with a third party or suppliers outside the European Economic Area (EEA). The EEA includes all EU Member countries as well as a number of other countries that have received an Adequacy Decision from the EU Commission. We have put in place the necessary safeguards to ensure the data is protected on these occasions. These include but are not limited to, Model Clauses and data sharing agreements for both Data Processors and those that may be Joint Controllers. This section will be updated in due course in accordance with the outcome of Brexit.  


  • Accountability

We regularly review our data protection policies, procedures and staff guidance. This helps us to ensure we continue to comply with the law and that our intended processing is both clearly explained, necessary and absolutely transparent. Where we rely on Consent, we ensure it is gathered in accordance with the law. When we rely on other conditions, we consider the Rights of others before we proceed. We assess the risks we may, from time to time create, when processing data to ensure we uphold the Rights and Freedoms of every individual. This is especially true when we process data in a new way. 


We only share data where we have a defined purpose to do so and a data sharing agreement is in place. International transfers are safeguarded with Standard Contractual Clauses where necessary. We keep extensive records of our processing. For example, Activity and Incident logs measure our compliance and help us to identify any weaknesses in our procedures. We actively consider the opinion and advise of others both here, in the EU and beyond. We monitor case law and the guidance of the ICO and the EDPB.


Hope & May is registered with the ICO as a data controller and has appointed a Data Protection Officer under reference ZA432708. They are an expert in data protection law and is experienced in the third sector. We positively welcome enquires from the public concerning their personal information.To ensure we protect personal information we constantly review our security measures, both technical and physical and have instigated appropriate safeguards. This includes regularly training our staff. Access to data is based on the ‘Least Privileged’ principle (POLP). We have appointed an identifiable ’Accountable person’ to oversee our processing.’ We are registered with the ICO as a data controller and have a clear breach reporting policy. 


  • Stopping us from processing your data

Although there is no strict obligation upon us to inform employees of organisations with which we are contractually delivering a business service or wish to deliver such a service about our processing of data and our processing activities that may identify them, we aim to be ethically compliant. Therefore, an individual can stop Hope and May from processing personal data that may identify them by contacting us using the information below. 


It must be remembered; some administrative communications cannot be stopped due to a legal or contractual obligation.


  • To complain about our processing of data

If you feel that data has been handled incorrectly by Hope and May, a complaint can be made to the Information Commissioner’s Office (ICO) which regulates the use of information in the UK.


They can be contacted on 0303 123 1113 or by going online to 

If the organisation is based outside the UK, the complaint should be directed to the relevant data protection supervisory authority in that Country.