Breakthrough Partners Data Protection Policy


1. Introduction

Breakthrough Partners is committed to protecting the rights and freedoms of individuals by safely and securely processing their data in accordance with all of our legal obligations.

We hold personal data about our employees, prospects, clients, suppliers and other individuals for a variety of business purposes.

This policy sets out how we seek to protect personal data and ensure that our staff understand the rules governing their use of the personal data to which they have access in the course of their work. In particular, this policy requires Breakthrough Partners staff to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.

2. Definitions

Business purposes

The purposes for which personal data may be used by us are:

  • Personnel, administrative, financial, regulatory, payroll and business development purposes
  • Compliance with our legal, regulatory and corporate governance obligations and good practice
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  • Ensuring business policies are adhered to (such as policies covering email and internet use)
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
  • Investigating complaints
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
  • Monitoring staff conduct, disciplinary matters
  • Marketing our business
  • Improving services

Personal data

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data we gather may include: individuals' phone numbers, email addresses, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.

Data controller

‘Data controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by that law.

Data processor

‘Data processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Processing

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Supervisory authority

This is the national body responsible for data protection. The supervisory authority for our organisation is the UK Information Commissioner's Office (ICO).

3. Scope

This policy applies to all Breakthrough Partners staff, who must be familiar with this policy and comply with its terms.

We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.

Our Data Protection Officer (DPO) has overall responsibility for the day-to-day implementation of this policy. You should contact the DPO for further information about this policy if necessary. The Breakthrough Partners DPO can be contacted at info@breakthrough-partners.com.

4. The Principles

Breakthrough Partners shall comply with the principles of data protection (the Principles) set out in Article 5 of the EU General Data Protection Regulation (GDPR). We will make every reasonable effort, in everything we do, to comply with these Principles. The Principles are:

  1. Lawful, fair and transparent: data collection and processing must be fair, have a lawful basis, and we must be open and transparent as to how the data will be used.
  2. Purpose limitation: data can only be collected for specified, explicit purposes and must not be further processed in a way incompatible with those purposes.
  3. Data minimisation: any data collected must be adequate, relevant and limited to what is necessary for its purpose.
  4. Accuracy: the data we hold must be accurate and, where necessary, kept up to date.
  5. Storage limitation: we cannot keep data in a form that identifies individuals for longer than is necessary for its purpose.
  6. Integrity and confidentiality: the data we hold must be kept secure against unauthorised or unlawful processing and against accidental loss, destruction or damage.

5. Our Procedures

Fair and Lawful Processing

Breakthrough Partners will process personal data fairly and lawfully, in accordance with individuals' rights under the first Principle. This means that we will not process personal data unless we have identified a valid lawful basis for doing so (see "Lawful Basis for Processing Data" below). Consent is only one of those bases; where we rely on it, it must be freely given, specific, informed and unambiguous.

If we cannot identify a lawful basis (as explained below), Breakthrough Partners will not process the personal data of the individual concerned. We recognise that any processing that takes place without a lawful basis is unlawful, and that data subjects have the right to have any unlawfully processed data erased.

Controlling and Processing of Data

Breakthrough Partners is classified as a Data Controller. As such we maintain an appropriate registration with the Information Commissioner's Office (ICO) in order to continue lawfully controlling and processing data.

Lawful Basis for Processing Data

Breakthrough Partners will only process personal data if it has a lawful basis to do so. We will process data only when at least one of the following applies:

  1. There is Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
  2. There is a Contract: the processing is necessary to perform a contract with the individual, or to take steps at their request before entering into a contract.
  3. We have a Legal Obligation: we have a legal obligation (other than a contractual one) to process the data.
  4. There are Vital Interests: processing the data is necessary to protect someone's life.
  5. It's Necessary to Carry Out a Public Task: the processing is necessary to perform a task in the public interest or to exercise official authority, and that task or authority has a clear basis in law.
  6. There is a Legitimate Interest: the processing is necessary for our legitimate interests (or those of a third party), unless there is a good reason to protect the individual's personal data which overrides those interests.

How We Decide Which Legal Basis Applies

When we assess whether there is a lawful basis to process the data of an individual, we first establish whether the processing is necessary. It is only deemed necessary if there is no alternative approach we could reasonably have taken to achieve the same purpose without processing the data. If this analysis shows that processing is necessary, we decide whether we will process the data, and under which lawful basis, by answering and documenting our answers to the following questions:

  • What is the purpose for processing the data?
  • Can it reasonably be done in a different way?
  • Is there a choice as to whether or not to process the data?
  • Who does the processing benefit?
  • After selecting the lawful basis, is this the same as the lawful basis the data subject would expect?
  • What is the impact of the processing on the individual?
  • Are we in a position of power over them?
  • Are they a vulnerable person?
  • Would they be likely to object to the processing?
  • Are we able to stop the processing at any time on request, and have we factored in how to do this?

Based on our commitment to the principle of lawful, fair and transparent processing, we will document our assessment of these questions, the decision we have made to process or not process the data, the reasoning behind that decision and, if we decided to proceed, the lawful basis on which the processing takes place. Breakthrough Partners recognises that it is our responsibility to ensure that individuals whose data we process are informed of the lawful basis for processing their data, as well as the intended purpose. In the case of personal data captured via our website, this is done at the point at which the personal data is entered: individuals are presented with a notice to acknowledge before the details are processed, which sets out both the reason for collecting the data and the lawful basis on which it is processed. This obligation applies whether we have collected the data directly from the individual or from another source.

Special Categories of Personal Data

As a policy, Breakthrough Partners does not process special categories of Personal Data such as race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID

6. Our Responsibilities

Overall Responsibilities

In summary, Breakthrough Partners has the following responsibilities in relation to Data Protection:

  • Analysing and documenting the type of personal data we hold;
  • Checking procedures to ensure they cover all the rights of the individual;
  • Identifying the lawful basis for processing data;
  • Ensuring consent procedures are lawful;
  • Implementing and reviewing procedures to detect, report and investigate personal data breaches;
  • Storing data in safe and secure ways; and
  • Assessing the risk that could be posed to individuals' rights and freedoms should data be compromised.

Specific Additional Responsibilities of the Breakthrough Partners’ Data Protection Officer

  • Keeping the Breakthrough Partners board updated about data protection responsibilities, risks and issues;
  • Reviewing all data protection procedures and policies on a regular basis;
  • Arranging data protection training and advice for all staff members and those included in this policy;
  • Answering questions on data protection from staff, board members and other stakeholders;
  • Responding to individuals such as clients and employees who wish to know which data is being held on them by Breakthrough Partners; and
  • Checking and approving any contracts or agreements regarding data processing with third parties that handle the company's data.

Specific Additional Responsibilities of the Breakthrough Partners’ Chief Technical Officer

  • Ensuring all systems, services, software and equipment meet acceptable security standards;
  • Checking and scanning security hardware and software regularly to ensure it is functioning properly; and
  • Researching third-party services, such as cloud services, that the company is considering using to store or process data.

Specific Additional Responsibilities of the Breakthrough Partners’ Marketing Manager

  • Approving data protection statements attached to emails and other marketing copy;
  • Addressing data protection queries from clients, target audiences or media outlets; and
  • Coordinating with the DPO to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy.

7. Accuracy and Relevance

Breakthrough Partners will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

If you believe that Breakthrough Partners holds information about you that is inaccurate, please inform us by e-mailing the DPO at info@breakthrough-partners.com. We aim to review all requests to correct data we hold within 48 hours. Please include an explanation of why you believe the information is inaccurate.

8. Transferring Data Internationally

EU Data Protection Legislation (GDPR) requires that Personal Data must not be transferred to a country or territory outside the European Economic Area (i.e. the member states of the EU plus Iceland, Liechtenstein and Norway), unless that country or territory or organization ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.

In accordance with this legislation, Breakthrough Partners shall not transfer Personal Data to any country outside the EEA without the prior written consent of the individual, except for transfers to and from countries covered by a valid adequacy decision from the European Commission.

9. Data Security and Sub-Processors

Breakthrough Partners will take every reasonable step to keep personal data secure against loss or misuse. The DPO, with the support of the Breakthrough Partners Board, will ensure through internal procedures that the following controls are enforced:

  • Where Personally Identifiable Data is stored on printed paper, it will be kept in a secure place where unauthorised personnel cannot access it;
  • Printed Personally Identifiable Data will be shredded when it is no longer needed;
  • Personally Identifiable Data stored on a computer will be protected by strong passwords that are changed regularly;
  • Personally Identifiable Data stored on CDs or memory sticks will be encrypted or password protected and locked away securely when they are not being used;
  • Personally Identifiable Data stored in the cloud will be stored only with vendors holding ISO 27001 or equivalent certification;
  • Personally Identifiable Data will be regularly backed up to secure cloud storage in line with the company’s backup procedures;
  • Personally Identifiable Data is never saved directly to mobile devices such as laptops, tablets or smartphones unless that data is encrypted at rest; and
  • All services containing Personally Identifiable Data are protected by security software.

Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third-party organisations.

Currently Breakthrough Partners uses a small number of data sub-processors and we have entered into written agreements with these sub-processors containing privacy, data protection, and data security obligations that provide a level of protection appropriate to their processing activities.

Specifically, Breakthrough Partners utilizes the services of the following sub-processors to process Personal Data as part of its marketing activities and to complete the necessary processing needed to provide its training and consulting services:

  • Keap (formerly Infusionsoft) – Breakthrough Partners uses this marketing automation/CRM tool to deliver e-mail campaigns to clients, subscribers and other interested parties. Keap has the necessary provisions in place to be compliant with GDPR requirements and other data protection regulations. Read more at https://keap.com/legal/application-privacy-notice
  • Calendly – Breakthrough Partners uses the appointment booking service offered by Calendly to schedule appointments with prospects. Calendly has the necessary provisions in place to be compliant with GDPR requirements and other data protection regulations. Read more at https://calendly.com/pages/privacy
  • Getsitecontrol – Breakthrough Partners uses the website widget capabilities offered by Getsitecontrol to enable sign-up for newsletters and to provide chat services on the website. Getsitecontrol has the necessary provisions in place to be compliant with GDPR requirements and other data protection legislation. Read more at https://getsitecontrol.com/privacy/
  • Zapier – Breakthrough Partners utilises Zapier to connect the secure services of its sub-processors as required to complete the chain of processing. Zapier has the necessary provisions in place to be compliant with GDPR requirements and other data protection regulations. Read more at https://zapier.com/privacy/
  • Stripe – Breakthrough Partners utilises Stripe to collect and process payments from clients. Stripe has the necessary provisions in place to be compliant with GDPR requirements and other data protection regulations. Read more at https://stripe.com/gb/privacy
  • Xero – Breakthrough Partners utilises Xero to manage the billing of clients and track and report financial results. Xero has the necessary provisions in place to be compliant with GDPR requirements and other data protection regulations. Read more at https://www.xero.com/uk/about/terms1/privacy/

10. Rights of Individuals

Individuals have rights to their data which Breakthrough Partners will respect and comply with to the best of our ability. These rights are:

For each right, what Breakthrough Partners will do:
1 Right to be Informed
  • Provide privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, that are written in clear and plain language.
  • Keep a record of how we use personal data to demonstrate compliance with the need for accountability and transparency.
2 Right of Access
  • Enable individuals to access their personal data and supplementary information
  • Allow individuals to be aware of, and verify the lawfulness of, the processing activities
3 Right to Rectification
  • Rectify or complete an individual's personal data, if requested and the data is inaccurate or incomplete, within one month of the request. Right to Rectification requests should be made in writing to info@breakthrough-partners.com.
4 Right to Erasure
  • Delete or remove an individual’s data if requested and there is no compelling reason for its continued processing. Right to Erasure Requests should be made in writing to info@breakthrough-partners.com.
5 Right to Restrict Processing
  • Comply with any request to restrict, block, or otherwise suppress the processing of personal data. Right to Restrict Processing Requests should be made in writing to info@breakthrough-partners.com.
6 Right to Data Portability
  • Provide individuals with their data so that they can reuse it for their own purposes or across different services. Right to Data Portability requests should be made in writing to info@breakthrough-partners.com. Data will be provided in a commonly used, machine-readable format, and will be sent directly to another controller if requested and technically feasible.
7 Right to Object
  • Respect the right of an individual to object to data processing based on legitimate interest or the performance of a public interest task.
  • Respect the right of an individual to object to direct marketing, including profiling.
  • Respect the right of an individual to object to processing their data for scientific and historical research and statistics
  • Right to Object Requests should be made in writing to info@breakthrough-partners.com
8 Rights in Relation to Automated Decision Making and Profiling
  • Respect the rights of individuals in relation to automated decision making and profiling: to object to such automated processing, to have the rationale explained to them and to request human intervention. Requests relating to automated decision making and profiling should be made in writing to info@breakthrough-partners.com.

11. Audit and Enforcement

The Breakthrough Partners DPO will define a schedule of regular data audits and will maintain a data register. This contains information on what data is held, where it is stored, how it is used, who is responsible, and any further regulations or retention timescales that may be relevant.

All employees of Breakthrough Partners will comply with this policy. The Breakthrough Partners DPO has overall responsibility for this policy. Breakthrough Partners will keep this policy under review and amend or change it as required. It is the responsibility of every employee to notify the DPO of any observed breaches of this policy.

Any breach of this policy, or of data protection law, must be reported to the DPO as soon as practically possible, meaning as soon as you become aware of it. Breakthrough Partners will comply with its legal obligation under the GDPR to report notifiable personal data breaches to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and to inform the affected individuals where the breach is likely to result in a high risk to their rights and freedoms.