Data Protection & UK GDPR Policy

Internal governance for the lawful handling of personal data

Document ownerData Protection Lead

Applies toAll employees, workers, contractors and anyone processing data on our behalf

Version1.0

Effective date1 June 2026

Next reviewAnnually, or on material change

Related documentsPrivacy Policy; Cookie Notice; information security measures; data breach procedure

This internal policy ensures that Synchronous Ltd (“Synchronous”, “the Company”) handles personal data in compliance with the UK General Data Protection Regulation and the Data Protection Act 2018, and that everyone working for or on behalf of the Company understands their responsibilities.

1. Purpose and commitment

Synchronous is committed to protecting the privacy and rights of individuals. Compliance is everyone’s responsibility. Breaches can harm individuals, damage trust, jeopardise client relationships and lead to enforcement action and fines.

2. Scope

This policy applies to all personal data the Company processes, in any format, and to all personnel. It applies wherever work is carried out, including at client sites, at home and on mobile devices.

3. The data protection principles

Everyone must comply with the six principles in Article 5 of the UK GDPR. Personal data must be:

Lawful, fair and transparent: processed with a valid lawful basis and clear information to individuals.
Purpose limited: collected for specified, explicit and legitimate purposes and not used incompatibly.
Data minimised: adequate, relevant and limited to what is necessary.
Accurate: kept up to date, with inaccurate data corrected or erased without delay.
Storage limited: kept no longer than necessary.
Secure: protected with appropriate technical and organisational measures.

The Company must also be able to demonstrate compliance. This principle of accountability requires appropriate records and documentation.

4. Roles and responsibilities

Role	Responsibility
Director and senior management	Overall accountability; resources compliance and sets the culture
Data Protection Lead	Day-to-day oversight; maintains records; handles requests and breaches; advises staff
All staff and contractors	Follow this policy; complete training; report breaches and concerns promptly

The Company has assessed that it is not currently required to appoint a statutory Data Protection Officer under Article 37, and reviews that position if the nature or scale of its processing changes.

5. Lawful basis and records of processing

Before processing personal data for a new purpose, staff must confirm with the Data Protection Lead that a lawful basis under Article 6, and, for special category data, a condition under Article 9, has been identified and recorded.

The Company maintains a Record of Processing Activities describing what data it holds, why, the lawful basis, who it is shared with, retention periods and security measures. Staff must notify the Data Protection Lead of any new processing so this record stays current.

6. Special category and criminal offence data

Extra care applies to special category data, including health data in accident and health and safety records, and to criminal offence data. Such data may be processed only where both an Article 6 basis and an Article 9 or Schedule 1 condition apply, with the additional safeguards in the Company’s Appropriate Policy Document.

7. Data subject rights

Individuals have the rights summarised in the Privacy Policy: access, rectification, erasure, restriction, portability, objection, and rights regarding automated decision-making. Any request, however received, must be forwarded to the Data Protection Lead on the day it is received, because statutory deadlines are short.

Handling a subject access request

Acknowledge the request and verify the requester’s identity.
Respond within one month, extendable by two months for complex requests, with notice.
Provide the data free of charge in most cases; a fee may apply only where a request is manifestly unfounded or excessive.
Redact third-party personal data where appropriate.

8. Data security

Staff must protect personal data using the Company’s technical and organisational measures, including:

Strong, unique passwords and multi-factor authentication where available.
Encryption of devices and, where possible, of data in transit and at rest.
Access on a need-to-know basis.
Locking screens, securing physical documents, and never leaving data unattended on site or in vehicles.
Using only Company-approved systems; personal data must not be moved to personal accounts or unapproved tools.
Checking recipients before sending email, and using secure methods for sensitive data.

The Company aligns with recognised standards such as Cyber Essentials and, as it grows, intends to work towards an information security management system aligned to ISO/IEC 27001.

9. Working with processors and third parties

Where a third party processes personal data on the Company’s behalf, a written contract meeting Article 28 must be in place before any data is shared. The Data Protection Lead approves new processors and checks appropriate safeguards, including for any international transfer.

10. Data protection by design and DPIAs

Data protection must be considered at the start of any new project, system or process. Where processing is likely to result in a high risk to individuals, a Data Protection Impact Assessment must be completed before processing begins, in consultation with the Data Protection Lead.

11. Personal data breaches

A personal data breach is any security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data.

Anyone aware of an actual or suspected breach must report it to the Data Protection Lead immediately. Do not attempt to investigate or conceal it alone.

Breach response

Contain the breach and recover data where possible.
Assess the risk to individuals.
Where there is a risk to individuals, notify the ICO within 72 hours of becoming aware.
Where the risk is high, inform affected individuals without undue delay.
Record every breach in the breach log, whether or not it is reportable.

12. Retention and disposal

Personal data must be kept only as long as necessary, in line with the retention schedule in the Privacy Policy, and then securely destroyed or anonymised. Staff must not keep unnecessary copies.

13. Training and awareness

All staff complete data protection awareness training on induction and at regular intervals. The Data Protection Lead maintains training records.

14. Monitoring, breaches of policy and review

The Data Protection Lead monitors compliance. Failure to comply may be treated as a disciplinary matter and, in serious cases, as gross misconduct. This policy is reviewed at least annually and whenever the law or the Company’s processing changes.

Signed for and on behalf of Synchronous Ltd

Richard de Vere White

Managing Director, Synchronous Ltd

Date: 1 June 2026

Synchronous Ltd · Company no. 1724387320 Wenlock Road, London, N1 7GU