Data Protection Procedure

This Data Protection Procedure sets out the operational steps PeopleForge Ltd ("we", "us", "our") follows to safeguard personal data belonging to candidates and clients across our recruitment activities. It complements our Privacy Policy by describing how data protection principles are applied in practice.

This procedure is reviewed annually and updated whenever our processing activities or applicable law materially change. It applies to all PeopleForge staff, contractors, and any third party acting on our behalf.

Last reviewed: May 2026

Scope

This procedure covers personal data processed in connection with:

  • Candidate registration, screening, and placement
  • Client onboarding, vacancy management, and shortlisting
  • Reference checks, right-to-work verification, and compliance records
  • Marketing and business development communications
  • Internal record-keeping required to operate the business

Roles and Responsibilities

Data Protection Lead — the Director responsible for overall compliance with UK GDPR and the Data Protection Act 2018, and the primary point of contact for any data protection matter.

All staff — every member of the PeopleForge team is responsible for handling personal data in line with this procedure and for reporting any incident or concern without delay.

Processors — third-party suppliers (such as our applicant tracking system, email provider, and hosting platform) are bound by written data processing agreements that mirror the obligations in this procedure.

Data Collection and Consent

We collect only the personal data we need to deliver our recruitment services. At the point of collection, candidates and clients are provided with clear privacy information and, where relevant, asked to provide explicit consent.

  • Consent is captured separately for each distinct purpose, including CV submission to a named client
  • Candidates may withdraw consent at any time without affecting the lawfulness of prior processing
  • Records of consent are retained alongside the candidate record for audit purposes

Data Storage and Access Controls

Personal data is stored within UK or EEA-based systems wherever possible. Access is restricted on a least-privilege basis and reviewed quarterly.

  • All accounts require strong, unique passwords and multi-factor authentication
  • Devices used to access candidate or client data are encrypted at rest
  • Sensitive documents (such as right-to-work evidence) are stored in access-controlled folders with audit logging
  • Paper records, where unavoidable, are stored in locked cabinets and securely destroyed when no longer required

Data Sharing

Candidate data is only shared with a prospective employer after the candidate has given specific consent for that submission. Each share is logged in the candidate record, capturing the recipient, date, and material shared.

Client data is shared internally only with the team members involved in delivering the engagement, and with processors strictly necessary to provide our services.

We do not sell, rent, or trade personal data with any third party.

Retention Schedule

We retain personal data only for as long as it is needed for the purpose it was collected, or to meet legal and regulatory obligations.

  • Active candidates: retained while engaged with PeopleForge and for 24 months after the last meaningful interaction
  • Placed candidates: retained for 6 years after placement to support contractual and tax record-keeping obligations
  • Unsuccessful applicants for a specific role: retained for 12 months unless consent is given for longer-term consideration
  • Client contacts: retained for the duration of the relationship and for 6 years thereafter
  • Marketing contacts: retained until consent is withdrawn or the contact becomes inactive for 24 months

At the end of each retention period, records are securely deleted or fully anonymised. A retention review is carried out at least once a year by the Data Protection Lead.

Subject Access and Other Data Subject Rights

Individuals may exercise any of their UK GDPR rights by contacting our Data Protection Lead. Requests are acknowledged within 5 working days and responded to within one calendar month.

  1. Verify the identity of the requester using a proportionate method
  2. Log the request in the data protection register, including date received and rights invoked
  3. Locate and review all relevant data across our systems and any processors
  4. Apply any necessary redactions to protect the rights of third parties
  5. Provide the response in a clear, accessible format and confirm receipt

Where a request is complex or numerous, we may extend the response period by up to two further months and will inform the requester of the reason for any extension.

Personal Data Breach Procedure

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, whether the cause is deliberate or accidental. All staff must report suspected breaches to the Data Protection Lead immediately upon discovery; staff should not wait to confirm that a breach has actually occurred before reporting it.

  1. Contain the breach and recover affected data where possible
  2. Assess the likelihood and severity of risk to individuals
  3. Unless the breach is unlikely to result in a risk to individuals, notify the Information Commissioner's Office (ICO) without undue delay and no later than 72 hours after becoming aware of it; if notification is made later than this, record the reasons for the delay
  4. Where the risk to individuals is high, notify affected data subjects without undue delay
  5. Record the facts, effects, and remedial actions in our breach register, regardless of whether notification was required
  6. Conduct a post-incident review and update controls or training as needed

Working with Processors and Sub-processors

Before engaging any new processor, we carry out due diligence proportionate to the sensitivity of the data involved. A written data processing agreement is signed before any personal data is shared.

  • Processors must demonstrate appropriate technical and organisational measures
  • Sub-processors are only permitted with our prior authorisation
  • International transfers rely on UK adequacy regulations or appropriate safeguards such as the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses, supported by a transfer risk assessment where required
  • Processor performance is reviewed annually as part of our supplier review

Training and Awareness

All staff receive data protection training when they join PeopleForge and refresher training at least annually. Additional training is provided whenever this procedure is materially updated or following any significant incident.

Review and Continuous Improvement

This procedure is reviewed at least once every 12 months, and whenever there is a change to our services, technology, or applicable law that affects how we process personal data. The outcome of each review is recorded by the Data Protection Lead.

Contact

For any question about this procedure, to make a subject access request, or to report a suspected breach:

Email: louis.daeschler@peopleforge.co.uk

Location: Brighton, UK

You also have the right to lodge a complaint directly with the Information Commissioner's Office (ICO) at ico.org.uk.