Privacy & Data Management Policy

Last updated: January 2026

ProcureWise Consulting (“we”, “us”, “our”) is committed to protecting the privacy, confidentiality, and security of all personal and commercial data processed through our consultancy services and via procurewiseconsulting.com. This policy explains how we collect, use, store, and protect information in line with UK GDPR and the Data Protection Act 2018.

1. About ProcureWise Consulting

ProcureWise Consulting provides procurement, contracting, bid management, negotiation, and supplier‑management services to public sector organisations, SMEs, and private clients. In delivering these services, we may process personal data and commercially sensitive information on behalf of clients.

This policy applies to all data processed through our operations and through our website.

2. Relevant Legislation

We comply with all applicable UK data protection laws, including:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018

  • ICO guidance and best practice

3. Definitions

 3.1 Data

Any information processed electronically or manually as part of our service delivery.

 3.2 Personal Data

Information relating to an identifiable individual, such as CVs, contact details, or employment history.

 3.3 Commercial Data

Non‑public information relating to a client organisation, including:

  • Organisation charts

  • Business processes

  • Pricing models

  • Bid strategies

 3.4 Publicly Available Data

Information already in the public domain, such as company names or published accounts.

 3.5 Sensitive Personal Data

Special category data under UK GDPR, including health, ethnicity, political opinions, or criminal history.

 3.6 Processing

Any operation performed on data, including collection, storage, editing, sharing, or destruction.

 3.7 Data Controller

Usually our clients, who determine the purpose and lawful basis for processing personal data.

 3.8 Data Processor

ProcureWise Consulting, acting on behalf of clients to process data for consultancy and bid‑related services.

 3.9 Destruction

Secure deletion of electronic files and cross‑cut shredding of printed materials.

 3.10 Recipient

Any individual or organisation receiving data from us.

 3.11 Third Parties

Any party other than the data subject, the client, or ProcureWise Consulting.

4. Data Protection Principles

We follow the six principles of UK GDPR:

 4.1 Lawfulness, Fairness & Transparency

We:

  • Only process data necessary for delivering our services

  • Identify the lawful basis for processing

  • Inform clients and individuals how their data is used

  • Provide clear privacy information on our website

  • Respond transparently to data access requests

 4.2 Purpose Limitation

We only collect and use data for legitimate business purposes, such as:

  • Bid preparation

  • Procurement analysis

  • Contract management

  • Financial administration

We only share data where legally required or explicitly authorised.

 4.3 Data Minimisation

We collect only the minimum data required to deliver our services effectively.

 4.4 Accuracy

We:

  • Review data regularly

  • Ask clients to confirm accuracy of personal data used in bids

  • Update or delete outdated information promptly

 4.5 Storage Limitation

We retain personal data only for as long as necessary. Examples:

  • Payroll data: duration of employment + 6 years

  • Bid‑related personal data: retained only during evaluation unless otherwise agreed

Clients may request copies of their data or a certificate of destruction.

 4.6 Integrity & Confidentiality

We maintain strong security measures, including:

  • Password‑protected devices

  • Encrypted file storage

  • Access controls based on “need to know”

  • Secure destruction of physical documents

  • Staff training on data protection

5. Additional Principles

5.1 Publicly Available Data

Even publicly available information is only shared internally where relevant to client work.

 5.2 Sensitive Personal Data

We only process special category data where:

  • Required for a bid submission, and

  • Explicitly provided by the client

6. Data Provided Through Our Website

 6.1 Enquiries

Information submitted via our contact forms or email is used solely to respond to the enquiry. Individuals are not added to marketing lists unless they request it.

 6.2 Free Downloads

Where free resources are offered, users will be informed if downloading them adds their details to a marketing list. Consent is required before this occurs.

6.3 Marketing Preferences

Users may unsubscribe from marketing communications at any time.

7. Promotional Messages

We may send promotional messages to organisations where:

  • Information is sourced from publicly available data

  • There is a clear, legitimate interest

  • The message is relevant to the organisation’s services

We do not purchase data unless it is GDPR‑compliant.

8. Telephone Marketing

We may conduct business‑to‑business calls where:

  • The organisation is not listed on the Telephone Preference Service, or

  • An individual has invited contact

Opt‑out requests are always honoured.

9. Sharing Personal Data with Third Parties

We only share data where:

  • Required by law

  • Authorised by the client

  • Necessary for service delivery (e.g., accountants, marketing platforms)

We never sell personal data.

10. Subject Access Requests

Individuals may request access to personal data we hold about them. We respond within statutory timeframes.

Clients may also request information relating to their organisation or employees.

11. Training

All staff and associates receive data protection training on induction and annually thereafter.

12. Data Breaches

Any suspected or actual breach must be reported immediately to senior management. We will:

  • Contain the breach

  • Investigate promptly

  • Notify affected parties where required

  • Report to the ICO if legally necessary