Data Protection

This data protection policy applies generally to any data held by Practical HR and for data relating to clients.

Practical HR places the highest importance on personal data, information security and confidentiality; and we are committed to complying with Data Protection laws and regulations.

We will process data relating to clients on the terms set out in this document that forms our Data Protection policy. This policy will act as a written agreement between Practical HR and the Client for the purposes of EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3).

We will act as a Data Processor for clients, for any personal data provided to Practical HR relating to the employees of clients. Such data (referred to as Personal Data in this agreement) may be provided to Practical HR to enable advice to be provided and to carry out our contractual obligations to the Client. This may include personal data (e.g., name, address, contact details, dates of birth, sensitive personal data) as well as employment data (e.g., terms of employment, salary, absence records etc).

Please note that Practical HR record telephone conversations with clients for quality and training purposes. These will be managed in line with the Practical HR data protection policy and recordings will generally be deleted after 12 months unless there is an ongoing case relating to the call.

The Client may provide Personal Data in relation to any of the services outlined above (see general terms).

Practical HR (the Data Processor) will only process such data from clients (the Data Controller):

Data Protection Compliance

Practical HR shall act only on instructions from the Data Controller unless required by law to do otherwise (as per Article 29 of the GDPR).

Practical HR will promptly comply with any request from the Data Controller requiring Practical HR to amend, transfer, delete, or otherwise dispose of the Personal Data. Practical HR will transfer all Personal Data to the Client (or make data available) on the Client’s request in the format agreed.

Both Parties shall always comply with GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under GDPR.

The Client hereby warrants, represents, and undertakes that the Personal Data shall comply with GDPR in all respects including, but not limited to, its collection, holding, and processing.

Practical HR will provide reasonable assistance to the Client in complying with its obligations under GDPR with respect to the security of processing, the notification of personal data breaches and in dealings with the Information Commissioner’s Office (ICO). Costs associated with complying with such obligations shall be met by the Client and will be invoiced at the current consultancy rates.

When processing the Personal Data on behalf of the Client, Practical HR will:

Data Subject Access, Complaints and Breaches

Practical HR will, at the Client’s cost, assist the Client and co-operate fully with the Client in complying with its obligations under GDPR with regard to data subject access requests, complaints and data breaches.

Practical HR will notify the Client without undue delay if it receives:

Practical HR will notify the Client immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.

Responsible Person for Data Protection

The Data Processor has appointed Fiona Haworth to be responsible for Data Protection relating to clients’ Personal Data. Paula Fisher is responsible for all other areas of Data Protection within Practical HR.

Liability and Indemnity

The Client shall be liable for, and shall indemnify (and keep indemnified) Practical HR in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees), or damage suffered or incurred by, awarded against, or agreed to be paid by, Practical HR and any Sub-Processor arising directly or in connection with:
Practical HR shall be liable for, and shall indemnify (and keep indemnified) the Client in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or damage suffered or incurred by, awarded against, or agreed to be paid by, the Client arising directly or in connection with Practical HR’s Personal Data processing activities that are subject to this Agreement:
Nothing in this Agreement shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under GDPR. Furthermore, Practical HR hereby acknowledges that it shall remain subject to the authority of the Information Commissioner’s Office (ICO) and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the GDPR may render it subject to the fines, penalties, and compensation requirements.


Practical HR shall maintain the Personal Data provided by the Client in confidence. All employees and Associates of Practical HR are subject to confidentiality agreements in respect of GDPR and Personal Data. Practical HR shall not process or make any use of any Personal Data supplied to it by the Client other than in connection with the provision of the Services.
Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.

Appointment of Sub-Processors

Practical HR shall not sub-contract any of its obligations or rights under this Agreement without the prior written consent of the Client (such consent should not be unreasonably withheld).
Practical HR will use the following Sub-Processors and third parties to deliver products and services:
If Practical HR appoints other Sub-Processors, the Data Processor shall:

Deletion and/or Disposal of Personal Data

Practical HR shall delete (or otherwise dispose of) the Personal Data (and any copies of Personal Data held) in line with the Practical HR Data Retention Policy or as required by law.

Practical HR will not retain data for longer than is required and in order to fulfil our contractual obligations with the Client.  There will be varying retention periods for different data. As a general rule, PAYG clients’ data will only be held for 6-12 months following the end of any Service (which may be support with a particular employment situation). For Retained clients, data will be held for 2 years. The Practical HR Data Retention policy is available on request.

All Personal Data to be deleted or disposed of under this Agreement shall be deleted or disposed of securely.

Data Subject Access Request

Please note that if a Data Subject Access Request is made to Practical HR as a result of Practical HR providing services to the Client, the time associated with responding to the request and providing information will be charged to the Client.

Data Protection Policy May 2024