GDPR Compliance

 

Skylite Associates Ltd

UK GDPR Compliance Statement – 2025

At Skylite Associates Ltd, we recognise the importance of safeguarding personal data and upholding the trust placed in us by our clients, partners, and employees. We are fully committed to compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant guidance issued by the Information Commissioner’s Office (ICO).

This statement sets out our approach to data protection and describes how we meet our legal and ethical obligations when processing personal data.

Our website address is: https://www.skylite-associates.co.uk.

Our website has full and up-to-date SSL protection (Let’s Encrypt SSL Protection), enabling your data to be securely saved.

 


1. Data Protection Principles

 

We process all personal data in accordance with the seven core principles of UK GDPR:

  1. Lawfulness, fairness, transparency – processing is carried out on a valid lawful basis and in a way that is clear to individuals.

  2. Purpose limitation – data is collected only for specific, explicit and legitimate purposes, and not further processed in incompatible ways.

  3. Data minimisation – only the minimum personal data necessary is collected and used.

  4. Accuracy – reasonable steps are taken to keep data accurate and up to date.

  5. Storage limitation – data is retained only as long as necessary for its intended purpose.

  6. Integrity and confidentiality (security) – data is processed securely, protecting against unauthorised access, loss or damage.

  7. Accountability – Skylite Associates Ltd is responsible for, and able to demonstrate, compliance with these principles.

 


2. Lawful Bases for Processing

 

We process personal data only where a lawful basis applies, as defined under UK GDPR:

  • Contractual necessity – to deliver consultancy services under a client agreement.

  • Legal obligations – to comply with UK law, including record-keeping and reporting requirements.

  • Legitimate interests – to manage our business, maintain client relationships, and ensure service quality, provided these do not override individual rights.

  • Consent – where explicit and informed consent has been obtained (e.g. for marketing communications).

 


3. Categories of Data Processed

 

Depending on the nature of our services, we may collect and process:

  • Client contact information – names, job titles, business contact details.

  • Contractual data – service agreements, correspondence, project records.

  • Financial data – invoicing details, payment information.

  • Employee/associate data – HR and payroll records (for staff and contractors).

  • Special category data – only where necessary for consultancy purposes and with appropriate safeguards.

 


4. Data Subject Rights

 

Individuals whose personal data we process are entitled to:

  • Right of access – to obtain a copy of their personal data.

  • Right to rectification – to have inaccurate data corrected.

  • Right to erasure – to request deletion where data is no longer necessary.

  • Right to restrict processing – in certain circumstances.

  • Right to object – to certain processing based on legitimate interests or direct marketing.

  • Right to data portability – to receive their data in a structured, commonly used, machine-readable format where applicable.

  • Right to withdraw consent – at any time where consent is the lawful basis.

Requests can be made by contacting us (see Section 13). We will respond in accordance with statutory timeframes (normally within one month).


5. Data Security & Technical Measures

 

We implement appropriate technical and organisational measures to safeguard personal data, including:

  • Secure electronic storage with role-based access controls.

  • Encryption of sensitive information during transmission and storage where appropriate.

  • Firewalls, anti-malware and regular system monitoring.

  • Regular data backups with secure offsite storage.

  • Staff training on confidentiality and data protection.

  • Policies covering use of devices, remote working, and information sharing.

 


6. Data Sharing & Third Parties

 

  • Personal data is shared only where necessary, proportionate, and lawful.

  • Third-party service providers (such as IT, cloud hosting, or accountancy firms) are engaged under binding contracts requiring compliance with UK GDPR.

  • We do not sell or trade personal data.

  • Where international data transfers occur (e.g. use of cloud services outside the UK), we ensure that appropriate safeguards (such as the UK International Data Transfer Agreement or adequacy regulations) are in place.

 


7. Data Retention

 

  • Personal data is retained only as long as necessary for the purpose for which it was collected.

  • Retention periods are determined by legal obligations, professional standards, and operational requirements.

  • At the end of a retention period, data is securely deleted or anonymised.

  • A retention schedule is reviewed and updated regularly.

 


8. Governance & Accountability

 

We ensure compliance through:

  • A designated Data Protection Lead responsible for oversight of compliance.

  • Documented policies and procedures covering data protection, security, and retention.

  • Data Protection Impact Assessments (DPIAs) where processing presents a high risk.

  • Staff awareness and training programmes.

  • Regular internal reviews of data protection practices.

  • Annual compliance reviews in line with ICO guidance and legal developments.

 


9. Breach Management

 

  • We maintain procedures for identifying, reporting, and managing personal data breaches.

  • All staff are trained to escalate incidents promptly.

  • Where required, breaches are reported to the ICO within 72 hours, and to affected individuals without undue delay.

 


10. Cookies & Website Data

 

Our website may use cookies and similar technologies to enhance user experience, analyse website performance, and deliver relevant content.

  • Essential cookies – required for the basic functioning of the website. These do not require consent.

  • Analytics/performance cookies – help us understand how visitors use our site and improve functionality. These are used only with user consent.

  • Functionality cookies – remember user preferences (e.g. language settings).

  • Marketing/third-party cookies – may be used, with consent, to provide relevant advertising or social media integration.

 


11. Cookie Management

 

  • On first visit, users are presented with a cookie consent banner allowing them to accept, reject, or manage cookie preferences.

  • Users can change cookie settings at any time via the website’s cookie control tool or by adjusting browser settings.

  • Detailed information on the cookies we use is provided in our Cookie Policy, which is reviewed and updated regularly.

 


12. Email Handling & Encrypted Communications

 

Email is a core channel for our consultancy services. To protect personal data exchanged via email, Skylite Associates Ltd uses Rackspace’s Encrypted Email Service.

  • Encryption – All outbound and inbound emails containing sensitive or confidential information are encrypted in line with UK GDPR requirements.

  • Secure delivery – Clients and partners receive encrypted messages via Rackspace’s secure portal or through direct encryption to compatible email systems.

  • Confidentiality – Email access is restricted to authorised personnel only, with multifactor authentication enabled.

  • Data integrity – Encrypted transmission prevents interception or alteration of data in transit.

  • Client reassurance – Recipients are provided with clear instructions on accessing encrypted communications securely.

This ensures that consultancy-related correspondence, particularly where personal or commercially sensitive data is exchanged, is handled in compliance with data protection obligations.


13. Contact Information

 

For any queries regarding this statement, or to exercise your data protection rights, please contact:

Data Protection Lead
Skylite Associates Ltd

UK Registered Company VAT No. 24857663

louise@skylite-associates.co.uk
T: 07808 277767

If you are not satisfied with our handling of your request, you have the right to raise a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.