Thank you for reading this.
On this page you will find a general privacy statement and some specific references to this website, as well as a glossary of terms relating to data privacy rules.
In a book called Valuing Your Customers, the founder of Stepping Stones, Angus Jenkinson wrote a prescient chapter in 1995 about the need to respect customers and their privacy. It includes the statement:
While there will always be a tension between those whose aims and values are driven solely by the desire to generate business – on the real basis that businesses need business to survive – and those who stand for a moral or environmental lobby, both these positions must be seen against reality. While many are very happy to have sweepstakes, discounts and lurid promises of a better life, many others are increasingly cynical and disenchanted, a trend which is increasing. Consumers (business or private) will always want value, but when they come to believe that the promises of companies can’t be trusted or that their activities are crossing boundaries of privacy, good taste or ethics then the result is trouble: legal claims, lost sales, bad PR.
Stepping Stones Consultancy Ltd Privacy Statement
This Stepping Stones Consultancy Ltd (“Stepping Stones”) Privacy Statement sets out your rights and the measures the company will take to protect your personal data. Stepping Stones also trades as “Thinking” and as “The Centre for Thinking Futures” and the same principles apply to each of these. If anything is not clear please let us know.
We have always regarded, and always will regard, your personal information as privileged and as something we should treat with respect. We only collect and use information for normal legitimate purposes: you are a friend, colleague, trading partner, client, a person interested in our services or working in a company that is. We use the information primarily for practical reasons and sometimes to keep in touch. Stepping Stones is a Data Controller as defined under data privacy legislation.
Stepping Stones will review and amend this privacy statement from time to time. You can always find the most up-to-date version on our website thinking.partners. Any terms with a specific definition used in this statement are highlighted in italics and are explained in the Glossary section.
What follows is a more formal explanation.
What is personal data?
Personal data means any information relating to an individual who can be directly or indirectly identified by reference to the information. Individuals are referred to as Data Subjects under data privacy legislation. A wide range of information constitutes personal data, including names, contact information, identification numbers such as National Insurance numbers, and online identifiers, often referred to as ‘cookies’, for example. This applies to both digital and paper-based information included within filing systems, or which is intended to be placed within a filing system.
What does processing mean?
The processing of personal data means any interaction with the information, including viewing, collecting, sharing, storing, transferring or analysing it, for instance. This can be done by either a Data Controller or a Data Processor.
Who holds your personal data?
Your personal data will be held by Stepping Stones in the UK. You can find information on how to contact us as well as further information on what Stepping Stones does, on our website. Thinking has appointed a Data Privacy Officer (DPO) and any data privacy queries which cannot be resolved through the information provided on our website can be directed to them.
The use of your personal data is covered by our registration with the UK Information Commissioner’s Office; registration number ZA159212.
Why is your personal data required?
When you request our services or information you may need to provide certain personal data to enable us to provide the service you want on an on-going basis. We may also hold personal data about you throughout our relationship with you; the requests you make or how you use our website for instance.
How will Stepping Stones use your personal data?
The General Data Protection Regulation (GDPR) legislation which applies across Europe only allows the processing of personal data if one or more conditions are met; this is known as a lawful basis for processing. There are six lawful bases provided under GDPR, which are included in the Glossary section. We will only process your personal data for the reasons it was provided for, and only where there is a lawful and friendly professional basis for allowing this.
What personal data will or may Stepping Stones use?
We use different types of personal data and have grouped them into the following categories:
How to contact you including your business address, sometimes where you live, your telephone number(s) and your email address (where relevant).
Personal information such as your gender, sometimes date of birth, occupation and/or role.
Special categories of personal data
GDPR categorises certain sensitive personal information as ‘special category’ personal data; this includes information about your health, political opinions, or sexual orientation for instance. Stepping Stones will not collect and use these types of data, unless there is a legal obligation to do so, or it is required to provide (or continue to provide) a service to you in accordance with legal or regulatory requirements.
Financial information such as your bank account number and transaction history when this is necessary for payments to or from you.
Details about the products or services we provide you personally, where relevant.
Notes of requirements and relevant operational information: this is routinely business-related information.
Where will your personal data be obtained from?
Our approach to collecting information is human not machine. Stepping Stones collects personal data that you provide when interacting with us. Sometimes we collect from social media when useful and allowed, but not by automated means, except if you have given us consent to do so through agreeing with any cookie statement on our website (if we use them), registration of your online activities, or requests for communication. Personal data that we have collected from you will include data you have provided when you:
- Request or discuss services;
- Talk to us on the phone or in person;
- Use our websites;
- Subscribe to a newsletter or other marketing messages;
- Send us e-mails or letters.
We may also obtain your personal data from third parties we deal with if there is a lawful basis to do so, in which case you will be notified of how and why we will use it. This could include the following:
- Companies that introduce you to us or engage us as subcontractors or partners in their work with you.
- Public information sources;
- Agents working on your behalf;
- Companies who work for us on projects for you and collect information related to the project.
Who do we share your personal data with?
Members of our team including any third parties such as subcontractors or agents when it is relevant to the work they are doing.
We do not sell information about you.
How will personal data be shared?
Stepping Stones will only share your data if there is a lawful basis to do so. We will treat all your personal data as private and confidential and in accordance with data privacy legislation (even when you are no longer a customer). Information we hold about you will not be disclosed to anyone unless:
- we are legally required to disclose the information. This includes sharing your information with tax authorities and law enforcement agencies such as HMRC or the police for example;
- we need to disclose the information for the purposes of or in connection with any legal proceedings, or for the purposes of obtaining legal advice, or the disclosure is otherwise necessary for the purposes of establishing, exercising or defending legal rights;
- disclosure is required to protect our legitimate interests, or someone else’s legitimate interests (for example, to prevent fraud);
- the disclosure is made with your consent; and
- disclosure is to a third party for the purposes of providing administrative or processing services on behalf of Stepping Stones. If this is required, we will ensure that the third party protects your personal data in the same way that we do.
Why is your personal data shared?
We may need to share your personal data with other third party organisations to provide you with the service offering you have chosen or are asking us to propose.
The use of your personal data by third parties
When a third party Processor processes your personal data on our behalf, we ensure that they follow our instructions to process and protect your personal data. Third parties are required to sign agreements in which they commit themselves to safeguard your personal data, agree to only use the data to provide services to us specifically outlined in the agreement, and follow our instructions.
Your personal data will be shared with the following categories of third parties for the purposes described:
- Administrative and professional services: contact information, personal details, business requirements / contractual / transactional information. Purpose: to provide you with the service you require.
- Market research and marketing communications companies: contact information, socio-demographic information, personal details, financial information. Purpose: to ensure that you receive the right marketing communication messages from us, at the right time and in areas that you are interested in.
Does Stepping Stones share your data outside of the European Economic Area?
Stepping Stones’ default position is that we will not disclose or transfer personal data to organisations outside of the European Economic Area (‘EEA’). However, where this is required we will inform you and confirm why we need to do this. When we do transfer personal data outside of the EEA, we will make sure that it is protected at the same level as within the EEA by using one of these safeguards:
- Transfer data to organisations in non-EEA countries (or states or provinces of these countries) with privacy laws in place providing the same level of data privacy protection as within the EEA;
- Transfer data to organisations that are part of Privacy Shield which is an international framework that sets privacy standards at a similar level as those of the EEA; or
- Put a contract in place with the recipient ensuring that they will process the data with the same level of data protection as within the EEA.
How we use your information to make automated decisions
We do not, except for website management (see below).
If you choose not to provide your personal data
Where personal data has been collected using your consent as the lawful basis for processing, you are free to withdraw your consent at any time and without any contractual or service delivery consequences other than the services you choose not to make use of.
From time to time we will send you information about our ideas, offerings, and the projects we do. We are careful to be sensible and legitimate in this and to respect your wishes.
If you are not yet a customer of Stepping Stones and want to receive marketing communications from us, you can request this. We will not give your personal data to anyone else for marketing purposes (other than those described above in ‘The use of your personal data by third parties’ and any lawful tool such as Eventbrite) without informing you and obtaining your consent.
We routinely use your business information for communication. The main exception is when you provide your personal contact details as your preferred alternative.
A legitimate interest in a marketing context means that we will only send you marketing communications that may be of interest to you based on what we already know about you. We may use some form of market segments to assist this. Our legitimate interests will always be balanced with your interests, and you can ask us at any time to stop sending you marketing communications.
How long does Stepping Stones keep your personal data for?
As long as you are a customer, potential customer, network connection, partner, or potential partner (e.g. contractor) of Stepping Stones we will process your personal data to maintain contact. After you end any contract with Stepping Stones we may retain some or all of your personal data for up to 12 years (depending on the products or services you took out) for one or more of these reasons:
- To respond to any questions or complaints;
- To show that we treated you fairly; or
- To meet our ongoing legal and regulatory requirements.
We may keep your personal data for longer than 12 years if we cannot delete it for legal, regulatory or technical reasons. Personal data will be retained with the utmost care and security measures will be applied to ensure your privacy and security are maintained.
What are your rights?
GDPR entitles you to several rights in relation to your personal data; you can contact us using the information on our websites.
The right to be informed
Individuals, or data subjects as they are referred to under data privacy legislation, have the right to be informed about the collection, use and sharing of their personal data. This Privacy Statement provides you with the information you are entitled to and we are required to give you.
The right to access your data
You have the right to access your data to establish what it is being used for and verify the lawfulness of any processing. Before providing access to your personal data we will ask you to verify your identity to protect you from identity theft and financial crime. We may also need to ask you some questions to ensure we have understood your request correctly.
The right to rectification (correcting mistakes and inaccuracies)
We believe it is important so far as possible that any personal data we use is accurate, up to date, and relevant. To ensure that your data is correct you have the right to access, correct and/or update your personal data at any time. If you think your data is incorrect or incomplete and you wish to correct your data or privacy settings, please contact us.
The right to erasure (the deletion of your personal data)
You have the right to request that we delete your personal data if:
a) your personal data is no longer needed in relation to the purposes for which it was collected;
b) you withdraw your consent and there are no other legal bases to process your personal data;
c) you object to us processing your personal data for direct marketing purposes;
d) you object to us processing your personal data for the legitimate interests of Stepping Stones;
e) you feel that your personal data is not being processed lawfully; and
f) your personal data needs to be deleted to comply with legal requirements.
As a financial services provider operating in the UK, Stepping Stones needs to keep your personal data for a certain period of time to provide you with our financial products and services, and to remain compliant with legal and regulatory requirements.
The right to restrict processing
You have the right to request the restriction of the processing of your personal data for a limited period and under certain circumstances. For example, this could apply if you feel that your personal data held by Stepping Stones is inaccurate, has not been processed lawfully, or is no longer needed for the purposes it was originally collected for. Stepping Stones has the right to store your personal data while your query is investigated.
The right to data portability
You have the right to receive your personal data in a structured, commonly used and machine-readable format. We are looking at the best way to achieve this for our customers and will provide more information when it is available.
The right to object to processing
You have the right to object to the processing of your personal data based on legitimate interests, direct marketing, and processing for historical research and statistical purposes. If you wish to exercise this right, please get in touch and we will consider your request. Stepping Stones is legally allowed to continue to process your data if one of the following can be demonstrated:
a) compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
b) processing is required for the establishment, exercise or defence of legal claims.
Rights related to automated decision making, including profiling
Stepping Stones does not undertake any processing which includes decisions made by solely automated means, including profiling.
How to Complain
Please contact us in the first instance if you have any concerns with how we have processed your personal data. Details on how to do this are included on our website. You also have the right to lodge a complaint directly with the ICO; please visit their website (https://ico.org.uk/for-the-public/) for further details on how to do this.
See Glossary below
Cookies
A message given to an Internet Browser by a Server, which is stored in a text file; the message is then sent back to the Server each time the Browser requests a webpage to be opened.
Cookies are used to identify users of webpages and to customise content where applicable.
Customer segmentation is the process of dividing customers into groups based on common characteristics, so organisations can market to each group effectively and appropriately.
Data Controller
An individual or organisation which determines why personal data needs to be processed, and the manner in which it is processed.
Data Privacy Officer
A position within an organisation responsible for ensuring that personal data is processed in accordance with UK data privacy requirements.
Data Processor
An individual or organisation which processes personal data on behalf of a data controller, in accordance with instructions from the data controller.
Data Subject
An individual who can be identified from the personal data, i.e. the person the data is about.
European Economic Area (EEA)
The European area which provides for the free movement of persons, goods, services and capital; it is made up of EU members plus other countries within Europe which have agreements in place with the EU.
GDPR – General Data Protection Regulation
The legal framework that sets the guidelines and requirements for the collection, processing and storage of personal data of identifiable individuals within the European Union (EU). The GDPR legislation was adopted in April 2016 and comes into force across the EU on 25 May 2018.
Information Commissioner’s Office (ICO)
The independent UK authority set up to uphold data privacy rights in the public interest.
Lawful basis for processing
One of six allowable lawful bases for processing must be satisfied for Stepping Stones to process your personal data. The six lawful bases are:
- Consent – the individual has given clear consent
- Contract – processing is necessary for a contract to be provided
- Legal obligation – processing is necessary to comply with the law
- Protect life – processing is necessary to protect someone’s life
- Public interest – processing is necessary to perform a task in the public interest
- Legitimate interest – processing is necessary for Stepping Stones’ legitimate interests, or the legitimate interests of a third party, unless there is a good reason to protect the individual’s data which overrides these legitimate interests.
Stepping Stones operates from the UK and follows UK data privacy requirements set by the UK government and the ICO.
Legitimate interests
The business reason for Stepping Stones to use your information. It must not conflict unfairly with your rights and interests.
Personal data
Any information relating to an identified or identifiable natural person (an individual).
Special Categories of Personal Data
Personal data which relates to particular characteristics including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health or medical information, sexual life or orientation.
Additional protection is required for personal data falling into this category, and both a general and specific lawful basis for processing are required. This means that one of the six general GDPR lawful bases for processing is needed, as well as one of the following which relate specifically to special categories of personal data:
- explicit consent
- processing is necessary for meeting obligations under employment, social security and social protection law
- processing is necessary to protect the vital interests of someone who is unable to provide consent
- processing is carried out during legitimate activity by a Foundation, Association or other not-for-profit body with a political, philosophical, religious, or trade union-based aim and processing relates to current or former members of that organisation, and that personal data is not disclosed outside of that organisation
- processing relates to personal data which has been disclosed by the individual
- processing is necessary in connection with legal claims
- processing is necessary for substantial public interest
- processing is necessary for preventative or occupational health
- processing is necessary for public interest in the area of public health
- processing is necessary for archiving purposes in the public interest such as scientific, historic or statistical research
Third parties
Organisations external to Stepping Stones who undertake services and activity at our request, such as our business partners, suppliers and affiliates.