GDPR and Data Protection Policy for Leaderbeing
Version 1.0 | Last Updated: February 2025
1. Introduction
Leaderbeing is committed to protecting the privacy and security of personal information. In compliance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, this policy outlines how we collect, use, and manage personal data in a manner consistent with our mission to empower leadership through integrity and transparency. This policy applies to all employees, associates, contractors, and stakeholders whose personal data we process.
2. Scope
This policy covers all personal data collected, processed, and retained by Leaderbeing, including but not limited to data relating to employees, clients, and partners. Personal data refers to any information that can identify a natural person either directly or indirectly (e.g., names, contact information, identification numbers, online identifiers).
3. Data Protection Principles
Leaderbeing adheres to the following principles in processing personal data:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully and provide clear information on how data is used.
- Purpose Limitation: Data is collected for specific, legitimate purposes and not processed in a manner incompatible with those purposes.
- Data Minimisation: We collect only the data necessary to fulfil the stated purpose.
- Accuracy: We take reasonable steps to ensure that data is accurate and kept up to date.
- Storage Limitation: Data is retained only for as long as necessary for the stated purpose.
- Integrity and Confidentiality: We apply appropriate security measures to protect personal data from unauthorised access, alteration, or destruction.
4. Roles and Responsibilities
- Data Protection Officer (DPO): Oversees compliance with data protection laws and this policy, and handles data protection inquiries. Our named DPO is Rachael Kóhne-Lau, Head of Learning, [email protected].
- All Associates: Must follow data protection procedures and report any breaches or risks to the DPO.
- Leadership: Responsible for ensuring a culture of compliance and providing adequate resources for data protection.
5. Legal Basis for Processing
Leaderbeing processes personal data based on one or more of the following legal grounds:
- Consent provided by the data subject.
- Performance of a contract.
- Compliance with legal obligations.
- Legitimate business interests that do not override data subject rights.
6. Data Subject Rights
Individuals have the following rights under GDPR:
- Access: The right to obtain confirmation of whether their data is being processed and access to that data.
- Rectification: The right to request correction of inaccurate data.
- Erasure (Right to be Forgotten): The right to request deletion of data under certain conditions.
- Restriction: The right to restrict the processing of their data.
- Portability: The right to receive their data in a commonly used format and transfer it to another data controller.
- Objection: The right to object to data processing based on legitimate interests, direct marketing, or research.
Requests to exercise these rights should be made to the DPO. Leaderbeing will respond within one month, as mandated by GDPR.
7. Data Security
Leaderbeing employs technical and organisational measures to secure personal data. Measures include:
- Access controls and authentication protocols.
- Encryption of sensitive data.
- Regular data protection audits and risk assessments.
8. Data Breach Reporting
In the event of a data breach, associates must immediately report the incident to the DPO. Breaches involving personal data will be assessed for severity and reported to the Information Commissioner's Office (ICO) within 72 hours if necessary.
9. International Data Transfers
Leaderbeing may transfer personal data outside of the UK or EEA. Such transfers are carried out in compliance with GDPR, using mechanisms like Standard Contractual Clauses to ensure data protection.
10. Retention and Disposal
Personal data is retained in line with Leaderbeing’s data retention schedule. When data is no longer required, it will be securely deleted or anonymised.
Internet and Electronic Tool Acceptable Use Policy
Version 1.0 | Last Updated: February 2025
At Leaderbeing, we empower leadership by providing the tools needed to operate in a dynamic, secure, and ethical environment. This policy outlines the standards for acceptable use of the internet and electronic tools to ensure that all digital activities are conducted with integrity and aligned with our core values of kindness, curiosity, and disruption for positive change.
1. Scope and Purpose
This policy applies to all associates, employees, contractors, and authorised users who access Leaderbeing’s electronic tools and systems. It governs the use of devices, internet access, email, collaboration platforms, and other business-related digital resources. The purpose is to maintain a secure digital environment that promotes productivity and protects sensitive information.
2. Responsibilities and Acceptable Use
- Use company resources primarily for business purposes. Minimal personal use is allowed but should not interfere with work responsibilities.
- Protect passwords and access credentials. Do not share or allow unauthorised access to Leaderbeing systems.
- Avoid accessing inappropriate websites, including those related to gambling or adult content.
- Do not engage in illegal activities, harassment, or unauthorised data sharing using company systems.
3. Monitoring and Privacy
Leaderbeing reserves the right to monitor the use of its electronic systems to ensure compliance with this policy and relevant laws. Monitoring will be carried out in a proportionate manner, respecting privacy where possible, and with clear guidelines on the collection and storage of personal data.
Cyber Security Incident Response Policy
Version 1.0 | Last Updated: February 2025
At Leaderbeing, safeguarding the integrity of our digital infrastructure is essential to supporting effective leadership and innovation. This policy provides guidelines for responding to cybersecurity incidents to minimise risks to data, operations, and reputation.
1. Scope and Definitions
A cyber security incident is defined as any event that compromises the confidentiality, integrity, or availability of Leaderbeing's digital resources. Examples include unauthorised access, malware attacks, data breaches, and denial-of-service (DoS) attacks.
2. Incident Response Process
- Reporting: Associates must immediately report suspected incidents to the IT Security Team or designated incident response officer, namely: [email protected]
- Containment: The IT team will isolate affected systems to prevent further damage.
- Investigation: A detailed analysis will be conducted to identify the root cause and extent of the incident.
- Notification: If personal or sensitive data is compromised, affected individuals and relevant authorities will be notified in compliance with GDPR and UK law.
3. Recovery and Review
Once containment is achieved, systems will be restored from secure backups. A post-incident review will be conducted to update policies, improve safeguards, and prevent future occurrences.
This policy will be communicated to clients in proposal documents with the following words: "By confirming my acceptance of this proposal, you are agreeing to the use of personal and company data given for the purposes of the contract by Leaderbeing Ltd. and that you consent to Leaderbeing Ltd. storing such data in order to carry out the obligations of the assignment until such time as you request its erasure."