JOIN SLL
LONDON - LCRS LOGO FINAL 2026-2

HomeLCRS DATA PROTECTION POLICY &#...

LCRS DATA PROTECTION POLICY & PROCEDURES

Effective Date:

01 May 2026

Last Reviewed:

01 May 2026

1. Introduction

The London Centre for Risk & Sustainability (LCRS) is committed to ensuring that all personal data is handled in a lawful, fair, and transparent manner in accordance with the UK GDPR and the Data Protection Act 2018.

LCRS recognises that effective data protection is fundamental to:

  • Organisational integrity
  • Stakeholder trust
  • Responsible governance and risk management

2. Purpose

This policy establishes:

  • The principles governing data protection at LCRS
  • Procedures for handling personal data securely and lawfully
  • Responsibilities for all individuals handling data
  • Controls supporting the Sustainability Leadership League (SLL) and other activities

3. Scope

This policy establishes:

  • All LCRS employees, contractors, volunteers and partners
  • All systems, platforms, and processes
  • All personal data processed by LCRS

Including:

  • Client and stakeholder data
  • SLL submissions and organisational data
  • Communication and marketing data
  • Research and engagement data

4. Data Protection Principles

LCRS adheres to the following principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

5. Governance & Responsibilities

5.1 Leadership Responsiblity

LCRS leadership is responsible for:

LCRS leadership is responsible for:

  • Ensuring compliance with data protection laws
  • Providing oversight and accountability
  • Allocating responsibility for data protection management

5.2 Operational Responsibility

All individuals handling data must:

  • Process data only as required
  • Maintain confidentiality
  • Follow defined procedures
  • Report incidents or risks immediately

6. Lawful Basis for Processing

LCRS processes personal data under:

  • Consent – e.g. subscriptions, SLL registration
  • Contractual necessity – delivery of services
  • Legitimate interest – research, engagement, improvement
  • Legal obligations where applicable

 Special Category Data

Where processed:

  • Additional safeguards are applied
  • Processing is strictly limited and justified

7. Data Collection & Minimisation

LCRS ensures:

  • Data collected is relevant and necessary
  • No excessive data is requested
  • SLL data is limited to organisational assessment needs

8. Data Retention & Deletion

8.1 Retention Principles

Retention periods may vary depending on contractual, legal, or regulatory requirements. Data is retained only as long as necessary and is securely deleted or anonymised thereafter.

8.2 Retention Categories

Data Type

Retention

Contact data

Duration of engagement + 2 years

SSL data

SSL data

Financial/Legal data

As required by the law

8.2 Deletion Procedures

  • Annual data review
  • Secure deletion or anonymisation
  • Responsibility assigned to designated personnel

9. Data Security Controls

9.1 Technical Controls

  • Secure systems and platforms
  • Password protection and authentication
  • Encrypted storage where required

9.2 Organisational Controls

  • Restricted access based on roles
  • Controlled sharing of sensitive data
  • Secure handling of devices

9.3 Storage Rules

  • Data stored only on approved systems
  • No unauthorised personal device storage
  • Physical and digital safeguards applied

10. Data Processing Procedures

All data must be:

  • Accessed only when required
  • Used for defined purposes
  • Stored securely
  • Not shared without authorisation

10.1 SLL-Specific Processing

Data submitted through SLL is used for:

  • Maturity assessment
  • Insight development
  • Benchmarking (anonymised and aggregated)

LCRS ensures:

  • No misuse of organisational data
  • No unauthorised disclosure
  • No commercial resale of data

11. Third-Party Data Processing

Where third parties are engaged:

  • Data Processing Agreements must be in place
  • Roles must be clearly defined:
  • Data Controller
  • Data Processor
  • Joint Controller
  • Third parties must meet required data protection standards

12. Data Protection Impact Assessments (DPIA)

LCRS conducts DPIAs when:

  • Processing high-risk data
  • Introducing new systems
  • Handling sensitive or special category data

13. Subject Access Request (SAR) Procedure

When a request is received:

  • Verify identity
  • Log the request
  • Retrieve relevant data
  • Respond within legal timeframe
  • Provide data securely

14. Data Breach Management

In the event of a breach:

  • Immediate reporting internally
  • Containment of the breach
  • Risk assessment
  • Notification to the Information Commissioner's Office where required
  • Communication with affected individuals where necessary

15. Training & Awareness

LCRS ensures:

  • Staff understand personal and sensitive data
  • Staff know how to protect data
  • Staff can identify and report risks

Training is:

  • Risk-based
  • Regularly reviewed
  • Updated as needed

17. Monitoring & Compliance

LCRS will:

  • Monitor compliance with this policy
  • Conduct periodic reviews
  • Update controls as required

18. Policy Review

This policy will be:

  • Reviewed at least annually
  • Updated based on:
  • Legal changes
  • Operational developments
  • Lessons learned

19. Related Documents

This policy should be read alongside:

  • Privacy Policy
  • Terms & Conditions
  • IT & Cybersecurity Policy
  • Anti-Slavery Policy
Shopping Basket