Cookies Policy

Social Value Consultancy Ltd (registered in England & Wales, Company No. 11325322) 
Policy owner: Data Protection Lead (with IT Lead) 
Approved by: Managing Director 
Version: 1.0 
Last updated: 16 September 2025 
Next review: 16 September 2026 
Contact: info@socialvalueconsultancy.co.uk 

1) Who we are 

Social Value Consultancy Ltd (“we”, “us”, “our”) uses cookies and similar technologies on our websites and online services to help them work, to improve performance, and to understand how they’re used. 

2) What are cookies? 

Cookies are small text files placed on your device by a website. They can be first-party (set by us) or third-party (set by another provider, e.g., analytics or video hosting). Similar technologies include pixels, tags, SDKs and local storage. 

3) Legal basis (UK) 

Under PECR, we can store or read strictly necessary cookies without consent. All non-essential cookies (e.g., analytics, advertising, social media) require your consent. Where personal data is processed, the legal basis under UK GDPR is consent or legitimate interests, as applicable. 

4) How we use cookies (categories) 

  • Strictly necessary – required for core functions (security, load balancing, session management, cookie consent). 
  • Preferences – remember your choices (language, region). 
  • Analytics/performance – help us understand usage and improve our services. 
  • Advertising/social – measure campaigns or enable social features (we don’t currently use these unless stated in the cookie list). 

5) Managing your choices 

  • Use the “Manage Cookies” link in our footer to give, refuse, or withdraw consent at any time. 
  • You can also block cookies in your browser settings. Blocking some cookies may impact site functionality. 
  • If you clear cookies, your preferences may reset. 

6) Third-party cookies 

Some features are provided by third parties (e.g., analytics, video, chat). These providers may set cookies when you view content on our site. We only load these where you’ve consented (unless they are strictly necessary for a feature you request). 

7) Data retention for cookies 

Cookie lifetimes vary by purpose (see the cookie list). We store a record of your consent preferences and changes so we can demonstrate compliance. 

8) Changes to this policy 

We may update this policy as our use of cookies evolves. Significant changes will be communicated where appropriate. 

9) Contact 

Questions about this policy: info@socialvalueconsultancy.co.uk (please include “FAO: Data Protection Lead” in the subject). 

10) Cookie list 

Keep this section current. Replace or add rows to reflect the actual cookies used on your site. 

Name             | Provider                     | Purpose                                       | Category           | Duration  | First/Third-party | Essential
-----------------|------------------------------|-----------------------------------------------|--------------------|-----------|-------------------|----------
cookie_consent   | Social Value Consultancy Ltd | Stores your cookie preferences                | Strictly necessary | 12 months | First-party       | Yes
_gid (example)   | Google Analytics             | Distinguishes users for analytics             | Analytics          | 24 hours  | Third-party       | No
_ga (example)    | Google Analytics             | Measures site usage and performance           | Analytics          | 26 months | Third-party       | No
player (example) | Vimeo                        | Remembers player settings for embedded video  | Preferences        | 12 months | Third-party       | No

5) Data classification 

  • Public: approved for public release. 
  • Internal: everyday business information not for public release. 
  • Confidential: client data, personal data, financials. 
  • Restricted: highly sensitive (e.g., credentials, encryption keys). 
    Handling rules strengthen from Public to Restricted (e.g., encryption and strict access for Confidential/Restricted). 

6) Access control & authentication 

  • User access is approved by managers, provisioned by IT, and reviewed at least quarterly. 
  • Joiner–Mover–Leaver process: prompt updates; accounts removed within 24 hours of departure. 
  • Multi-factor authentication (MFA) is required on email, cloud platforms, admin panels, and remote access. 
  • Passwords: passphrases of 12+ characters, no reuse, stored in an approved password manager. 
  • Privileged accounts: separate admin identities; no day-to-day work on admin accounts. 

7) Devices, BYOD & encryption 

  • Company devices are full-disk encrypted, auto-lock after 10 minutes of inactivity, and run approved EDR/anti-malware. 
  • BYOD is permitted only if enrolled in our mobile/device management, with remote-wipe enabled for business data. 
  • Do not store Restricted data locally on personal devices or removable media. 

8) Remote & hybrid working 

  • Use only trusted networks; if in doubt, use company VPN. 
  • Be mindful of shoulder surfing and conversations in public spaces. 
  • Keep paperwork and devices secure; avoid printing Confidential/Restricted data off-site. 

9) Data handling & transfer 

  • Store business data only in approved systems (no shadow IT). 
  • Use encryption for Confidential/Restricted data at rest and in transit. 
  • Use approved secure file-sharing; avoid sending sensitive data unencrypted by email. 
  • Disposal: securely wipe or shred when no longer needed, per the Data Retention Schedule. 
  • International transfers follow our Privacy Policy (UK IDTA/SCCs and transfer risk assessments). 

10) Network & cloud security 

  • Firewalls enabled; unnecessary ports/services disabled. 
  • Cloud services are hosted with providers that hold ISO 27001 or equivalent certifications; this does not imply our own certification. 
  • Separate production and non-production environments where applicable. 

11) Logging & monitoring 

  • Security and access logs are retained for at least 12 months. 
  • Privileged access, MFA events, and anomalous activity are monitored; alerts are investigated promptly. 

12) Patch & vulnerability management 

  • Critical security patches: 14 days; High: 30 days; others on a monthly cycle. 
  • Quarterly vulnerability scans of internet-facing assets; annual independent penetration test (or after major changes). 
  • Track remediation to closure. 

13) Backup & recovery 

  • Critical data is backed up daily, encrypted in transit and at rest. 
  • Backups are tested quarterly for restore integrity. 
  • RPO/RTO targets are defined in the Disaster Recovery Plan (typical targets: RPO 24 hours; RTO 2 business days). 

14) Secure development (where applicable) 

  • Source control with branch protection and mandatory peer review. 
  • Dependency and secret scanning; vulnerabilities triaged per §12. 
  • Separate dev/test/prod environments; no live secrets in code. 

15) Supplier & third-party management 

  • Pre-contract due diligence (security, privacy, resilience). 
  • Contracts include data processing agreements, confidentiality, breach notification, and right to audit where appropriate. 
  • Annual review of critical suppliers; prompt off-boarding when services end. 

16) Incident management & reporting 

  • Report suspected incidents within 24 hours to the Data Protection Lead (DPL)/IT Lead via info@socialvalueconsultancy.co.uk. 
  • Triage, contain, eradicate, and recover; preserve evidence and logs. 
  • Personal data breaches are assessed without delay; if reportable, the ICO is notified within 72 hours and affected individuals are informed when required. 
  • Conduct post-incident reviews and implement lessons learned. 

17) Training & awareness 

  • Mandatory induction and annual refresher training on security, phishing, and privacy. 
  • Targeted training for privileged users and developers. 

18) Acceptable use rules (summary) 

  • Use company systems primarily for business; limited personal use is permitted if lawful and low-risk. 
  • Do not share credentials, install unauthorised software, bypass security controls, or use unapproved cloud tools. 
  • Do not upload client confidential data or personal data to public generative AI tools without written approval. 
  • Report lost/stolen devices or suspected phishing immediately. 

19) Compliance & enforcement 

Breaches of this policy may lead to disciplinary action or contract termination. Suppliers must meet equivalent standards. 

20) Review & related documents 

This policy is reviewed annually or after significant changes. 
Related document: Privacy & UK GDPR Policy