The Herd – Data Protection, GDPR & Confidentiality Policy

At The Herd, looking after client and employee information is a core part of doing the job well. This policy sets out how personal and confidential data must be handled so that people are protected, clients can trust us, and The Herd meets its legal obligations under UK data protection law (including GDPR).

This policy applies to all employees and contractors of The Herd, regardless of role, contract type, or seniority, and covers information in any format (digital, paper, audio, video).

1. Purpose and scope

The aims of this policy are to:

  • Protect personal and confidential information from loss, misuse, or unauthorised access.
  • Set clear, practical rules for how data is collected, used, stored, shared, and deleted.
  • Make sure everyone understands their responsibilities under data protection law.
  • Provide a clear route into management or disciplinary processes if data is mishandled.

This policy sits alongside The Herd's IT & Acceptable Use Policy, Conflict of Interest Policy, Disciplinary & Grievances Policy, and Employee Handbook.

2. What data is covered?

2.1 Personal data

Personal data is any information that can identify a living person, directly or indirectly. Common examples include:

  • Names, contact details, job titles.
  • Email addresses, usernames, online identifiers.
  • HR records, CVs, performance notes, payroll details.
  • IP addresses or device identifiers when they can be linked to a person.

2.2 Special category data

Some personal data is more sensitive and needs extra care. This includes information about:

  • Health (including sickness notes and reasonable adjustments).
  • Racial or ethnic origin.
  • Religious or philosophical beliefs.
  • Sexual orientation.
  • Trade union membership.
  • Biometric data used for identification.

2.3 Confidential information

Confidential information includes non‑public information about:

  • The Herd's strategy, pricing, processes, financials, and internal operations.
  • Clients' campaigns, plans, budgets, performance data, and customer insights.
  • Supplier terms and any other material marked or understood as confidential.

All of the above must be treated as confidential and only used for legitimate work purposes.

3. Data protection principles

When handling personal data at The Herd, everyone must follow these principles:

  • Lawfulness, fairness, transparency: Only collect and use data where there is a valid reason and be honest about how it is used.
  • Purpose limitation: Only use data for the specific purpose it was collected for, unless a new compatible purpose is agreed.
  • Data minimisation: Collect and keep the minimum amount of data needed to do the job.
  • Accuracy: Keep data accurate and up to date; correct or flag known inaccuracies promptly.
  • Storage limitation: Do not keep personal data longer than necessary; delete or anonymise when it is no longer needed.
  • Integrity and confidentiality: Protect data using appropriate technical and organisational measures so it is not accessed, altered, or lost unlawfully or accidentally.

4. Practical rules for handling data

4.1 Collecting and using data

When you collect or use personal data:

  • Only collect what you genuinely need for the task or project.
  • Avoid adding extra fields "just in case" when designing forms or data captures.
  • Make sure there is a clear basis for processing (for example, a client contract, an employment need, or a legal obligation).
  • Do not re‑use data for a new campaign or purpose without checking it is covered by the original basis or that new permissions are in place.

4.2 Storing data

  • Use approved Herd systems (for example, company email, shared drives, HR and finance platforms, project tools) to store personal and confidential data.
  • Restrict access to people who need the information to do their job ("need to know" basis).
  • Avoid storing large volumes of client data on local drives; if you must, make sure devices are encrypted and protected with strong passwords.
  • Keep paper records in locked storage when not in use; do not leave them on printers, desks, or in shared spaces.

4.3 Sharing data

  • Share only the minimum amount of data necessary to achieve the purpose.
  • Use secure channels to send personal or confidential information (for example, secure file transfer, password‑protected files where appropriate).
  • Check email recipients carefully, especially when sending spreadsheets or attachments with personal data.
  • Do not send personal or confidential data to personal email accounts, personal cloud storage, or unapproved tools.
  • Do not disclose information to anyone (inside or outside The Herd) who does not have a legitimate need to know.

5. Working remotely with data

When working from home or another remote location:

  • Position screens so others cannot easily see sensitive information; use a privacy filter where appropriate.
  • Avoid reading out or discussing confidential information where you can be overheard by people who are not authorised to know it.
  • Use secure Wi‑Fi where possible; avoid unknown public networks for sensitive work unless you are using an approved VPN.
  • Keep paper notes and printouts secure and out of sight when not in use; shred or securely dispose of them when no longer needed.

6. Confidentiality obligations

  • You must not use Herd or client data for personal purposes, side projects, or work for other organisations.
  • You must not disclose confidential or personal data to friends, family, or any third party unless it is part of your role and properly authorised.
  • You must continue to respect confidentiality after leaving The Herd. All company property and data (including copies on personal devices or accounts) must be returned or securely deleted when you leave.
  • If you are unsure whether information is confidential, treat it as confidential and check before sharing.

7. Data breaches and security incidents

A data breach is any incident that results in the accidental or unlawful:

  • Destruction, loss, or alteration of personal data; or
  • Unauthorised disclosure of, or access to, personal data.

Examples include:

  • Sending an email containing personal data to the wrong recipient.
  • Losing a laptop, phone, or USB drive that contains or can access client or employee data.
  • Unauthorised access to files or systems (for example, a compromised account).
  • Malware or ransomware affecting systems that hold personal data.

7.1 What you must do

If you suspect or become aware of a possible data breach or security incident, you must:

  • Report it immediately to your line manager and the nominated data/IT contact (for example, via the HR Portal or incident channel). Do not wait to see if it "sorts itself out".
  • Follow instructions to help contain the issue (for example, changing passwords, revoking access, contacting the unintended recipient).
  • Preserve relevant information (emails, logs, screenshots, times) to help with investigation.

The Herd will assess the incident, decide on next steps, and handle any required notifications to individuals, clients, or regulators.

8. Individual data rights

People whose data we handle (including employees and clients' customers) have rights under data protection law, such as:

  • The right to access their personal data.
  • The right to have inaccurate data corrected.
  • In some cases, the right to deletion, restriction, or to object to certain types of processing.

If someone makes a request like this to you:

  • Do not ignore it or make promises about the outcome.
  • Do not delete or change data in an ad‑hoc way.
  • Acknowledge the request and pass it promptly to HR or the nominated data contact, who will coordinate the response.

9. Third‑party tools, suppliers, and transfers

  • Only use third‑party tools and services for personal or confidential data if they have been approved by The Herd.
  • Do not upload client or employee data into new platforms, apps, or services without checking that security, contracts, and data protection obligations are addressed.
  • Where you manage a supplier that processes personal data on The Herd's or a client's behalf, you must follow any internal guidance on contracts, due diligence, and security.
  • If you are unsure whether a tool or supplier is approved for use with personal data, check with your line manager or IT/HR before using it.

10. Training, responsibilities, and support

  • All employees are expected to complete any mandatory data protection and security training assigned to them and refresh it when asked.
  • Managers are responsible for modelling good data‑handling behaviours, reinforcing this policy in their teams, and escalating recurring issues.
  • Everyone is responsible for raising concerns early if they spot risky practices or potential issues.

If you are unsure how to handle data in a particular situation:

  • Speak to your line manager; or
  • Contact HR or the nominated data/IT contact for advice before acting.

11. Breaches of this policy

The Herd takes data protection and confidentiality seriously. Breaches of this policy, whether deliberate or due to serious negligence, may lead to action under The Herd's Disciplinary & Grievances Policy, up to and including dismissal.

Examples of serious breaches include (non‑exhaustive):

  • Deliberately sharing personal or confidential data with unauthorised people.
  • Using Herd or client data for personal gain, side hustles, or external work without approval.
  • Ignoring security instructions or disabling security controls in a way that leads to, or significantly increases the risk of, a data breach.
  • Failing to report a suspected data breach promptly.

Where required by law or contract, The Herd may also need to inform regulators, clients, or other third parties about significant data protection failures.

12. Questions

If you have any questions about this policy or how it applies in practice:

  • Speak to your line manager; or
  • Contact HR or the nominated data/IT contact.

If in doubt, pause and ask before acting.