Skip to main content
Skip table of contents

Data Protection Policy

13th April 2023

1. Introduction

Storyteq needs to collect and use certain types of information when using its software, this may include client employee contact information and that of their customers. It may also be required by law to collect and use certain types of information to comply with statutory obligations of Local Authorities, government agencies and other bodies.

This personal information must be dealt with properly, no matter how it is collected, recorded, and used whether on paper, IT-based, or recorded on other material. Safeguards must be in place to ensure all activity complies with the applicable data protection legislation.

Storyteq regards the lawful and correct treatment of personal information as vital to successful operations and is committed to maintaining confidence between our company and those with whom we have dealings. Storyteq ensures the organisation treats personal information lawfully and correctly.

Most businesses hold personal data on their customers, employees, and partners. The increase in the use of the internet, electronic communication and computerisation of business data has led to an increase in the importance of privacy. Breaches of computerized data security have prompted the introduction of legislation on a national and European level.

These include:

  • Human Rights Act 1998.

  • Freedom of Information Act 2000.

  • Privacy and Electronic Communications Regulations 2003.

  • Regulation of Investigatory Powers Act 2000.

  • Telecommunications (Lawful Business Practice) Interception of Communications.

  • Regulations 2000.

  • General Data Protection Regulation.

  • Computer Misuse Act 1990.

As Storyteq is an international organisation other legislation must also be considered and factored into any data processing activity. More detail on the relevant legislation can be found in the Legal and Regulatory Policy, that can be obtained by request from

2. How Storyteq will manage Data Protection

Storyteq will, through appropriate management, strict application of criteria and controls:

  • Observe fully the conditions regarding the fair collection and use of information.

  • Meet its legal obligations to specify the purposes for which information is used.

  • Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.

  • Ensure the quality of information used.

  • Apply strict checks to determine the length of time information is held, this will be dictated in specific Data Processing Agreements.

  • Ensure that the rights of people about whom information is held can be fully exercised under the DPA 18 and GDPR. This is detailed in 4.4 under subject access.

  • Take appropriate technical and organisational security measures to safeguard personal information.

  • Provide individuals that request it, within a maximum of 30 days from request, access to personal information held about them for no initial fee. Should the data subject require more detailed information that is beyond the reasonable access requirements, then an administration fee may be added.

  • Correct or erase any information on an individual that is inaccurate or misleading, as per 4.4.

  • Not use information for a purpose that is incompatible with the original purpose for which permission was given by the data subject.

  • Obtain clear, express permission for handling and using 'sensitive' personal data, such as race, ethnicity, political opinions, religious beliefs, trade union membership, state of health (both physical and mental), sexual orientation, criminal convictions and sentences and allegations of criminal behaviour.

  • Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.

  • Set out clear procedures for responding to requests for information.

  • Allocate such resources as may be required to ensure the effective operation of the policy.

  • All data breaches will be fully investigated and reported to the relevant authority within 72 Hours.

  • Data Privacy Impact Assessments will be carried out on all medium/high risk processes that may affect the rights and freedoms of individuals.

In addition, Storyteq ensures that:

  • There is someone with specific responsibility for Data Protection within the group.

  • Everyone managing and handling personal information understands they are contractually responsible for following good data protection practice.

  • Everyone managing and handling personal information is appropriately trained to do so and supervised.

  • Anybody wanting to make enquiries about handling personal information knows what to do.

  • Queries about handling personal information are promptly and courteously dealt with.

  • Methods of handling personal information are clearly described.

  • A regular review and audit are made of the way personal information is held, managed and used.

  • Methods of handling personal information are regularly assessed and evaluated.

  • Performance in handling personal information is regularly assessed and evaluated.

  • A breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against the members of staff concerned.

3. General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 18)

On 25 May 2018, the GDPR and DPA 18 came into effect in the UK; both cover data protection in the UK and must be read side by side. The main differences, according to the Information Commissioner's Office (ICO) are that: The GDPR has direct effect across all EU member states and has already been passed. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country; from the 1st of Jan 21, the UK will write EU GDPR into UK legislation, it will be known as the UK GDPR and carry the same controls.

The UK, as of the 28th of June 2021, has an approved adequacy with the EU meaning the UK GDPR provides an adequate level of data protection controls to allow data to freely flow between the UK and EU.

Storyteq has offices in both the EU and the UK and ensures that the same controls are in place to make sure data subjects rights are fully protected under the UK GDPR (UK DPA 18) and EU GDPR.

3.1 Guiding principles of data protection

Below are the seven guiding principles of the GDPR and DPA 18. These are the foundations to processing personal data:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability

These principles lie at the heart of our approach to processing personal data.

3.2 How Storyteq addresses DPA 18 and GDPR

Storyteq conducts the following controls in line with the GDPR and DPA 18 on all accounts that process personal data:

  • Data Flow Mapping – this is used to understand all the data touchpoints and where data moves from one system to another.

  • Subject Access Requests – this includes all other data subject rights and how they will be answered.

  • Data Processing Agreements – this document details how data will be processed for the data controller. It is clear and simple and allows all parties to know their responsibility.

  • Data Privacy Impact Assessments – These assessments are used to identify and manage any associated data management risk

  • Breach Procedure – The reporting of any confirmed data breach, either to the data controller or, if ITG is the data controller, an assessment to whether the breach needs to be reported to the ICO, within the statutory 72 hours.

These controls will be developed and changed in line with data protection legislation and any new guidance from the ICO.

4. Guiding principles

4.1 Fair obtaining and processing

Storyteq will ensure that, as far as practicable, all individuals whose details are processed by Storyteq are aware of the way in which that information will be obtained, held, used and disclosed. Whenever possible, individuals will be informed of the potential recipients of the information. Processing of personal information by Storyteq will be fair and lawful and, in addition, it is ITG’s policy that individuals will not be misled regarding the purposes to which Storyteq will process the information.

4.2 Notification

Storyteq will not use or process personal information in any way that contravenes its notified purposes, or in any way that would constitute a breach of the GDPR. When appropriate, Storyteq v will notify the

Information Commissioner of any amendments to the existing Storyteq policy, or of new purposes to be added to the Notification Register entry.

4.3 Information quality and integrity

Storyteq will endeavor to process personal information that is accurate, current and is of good quality. Information obtained by Storyteq will be adequate and not excessive for the purpose for which it is processed. In addition, information will be kept by Storyteq for no longer than is necessary for the purpose or purposes for which it was obtained.

All retention and data types held will be detailed in Data Processing Agreements with all data controllers. Where Storyteq is the data controller, the Storyteq Privacy Policy will apply.

4.4 Subject access

Storyteq will respond positively to subject access requests, replying as quickly as possible, and in any event within the 30-day time limit. Whereas individuals have a general right of access to any of their own personal information that is held, Storyteq will be mindful of those circumstances where an exemption may apply.

Storyteq will only disclose personal data to those recipients listed in the Notification Register, or whenever it is otherwise permitted by law to do so. Storyteq will always endeavor to seek the permission of the data subject where it is required by law to do so.

Under GDPR the following data subject rights apply and will be managed throughout by the group DPO:

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights in relation to automated decision-making and profiling

4.5 Technical and organisational security

Storyteq has in place appropriate security measures as required by the Data Protection Act. Information systems are installed with adequate security controls, and company employees who use these systems will be properly authorised to use them for company business.

4.6 Computer misuse

The Computer Misuse Act 1990 makes it an offence to gain unauthorised access to a computer, even if no damage is done and no files are deleted or changed. Anyone who accesses a computer without authorisation, for example by guessing a password, faces a maximum six-month prison sentence, a maximum fine of £2,000, or both.

If an individual gains unauthorised access with the intent to commit a further offence, for example accessing a bank account online to transfer money, they face five years' imprisonment and/or a fine.

This Act also makes it an offence to purposefully change files on a computer with intent and without authorisation. This could include deleting files or even changing computer settings. Anyone who does so, even if there is no intent to defraud or do damage, faces a maximum prison sentence of five years and/or an unlimited fine.

4.7 Controlling access

Storyteq has tightened physical access to data by restricting it to employees needing to access specific data in order to carry out their jobs. Storyteq takes steps to prevent accidental loss or theft of personal data by using server backup processes and increased security at our offices.

4.8 Transfer of Data

All data transfer must be via secure means in line with the Storyteq /ITG Group Cryptography policy and in line with sub-processors detailed and applicable data protection legislation.

The Schrems II decision has also changed the way EU data can be transferred to the US, this can no longer be done under the protection of the EU-US Privacy shield.

The Schrems II Decision is a key ruling by the Court of Justice of the European Union (CJEU), in July 2020 they declared that Privacy Shield, the EU-US personal data transfer mechanism, was no longer lawful. The Schrems II decision specifically looked at Privacy Shield and standard contractual clauses (SCCs).

Any transfer of EU citizens data outside of the EU must have binding corporate rules or standard contractual clauses in place to ensure data protection compliance. The data controller must also have approved any such transfer in line with any Data Processing Agreements (DPA) and Data Privacy Impact Assessment (DPIA) findings and recommendations.

As the UK left the EU before June 2021 it did not implement the new EU SCC’s; for transfers from the UK to non-adequate third countries (mostly countries not in the EEA), the ICO has released the International Data Transfer Agreement (IDTA) and draft guidance on transfer risk assessments.

The IDTA is considered to be a replacement of former SCCs and facilitates transfers from the UK to non-adequate third countries.

Storyteq will replace any current transfer agreements under the old EU SCC’s by Sept 22 and either replace them with the new EU SCC’s or UK IDTA, depending what is applicable.

4.9 Sub-processors and compliance

All sub-processors of personal data are subject to compliance with the applicable data protection legislation associated to the data subject’s location and/or client requirements, in line with any DPA or MSA agreements.

Systems are hosted in Google Cloud Platform (GCP), normally hosted within the EU, unless specifically requested for alternative hosting location within client agreements. Any integrations that may process personal data is fully GDPR compliant in line with this Agreement.

If you require any further information on sub-processors or hosting locations, please contact the ITG Group DPO –

5. International Data Protection Legislation

As an international organisation offering a range of marketing activities, Storyteq must consider international data protection legislation. As GDPR is currently the most stringent of these legislations, Storyteq tries to ensure all data processing is done in line with GDPR, where this is not possible, other relevant legislation types are risk assessed and the required controls applied.

Any transfer or processing must be fully risk assessed by the group DPO to ensure the correct protection is given to the data processing activity.

5.1 US Data Protection

Storyteq and ITG Group has 2 offices in the US, Chicago and New York. The main federal legislation is the CAN-SPAM, as federal law it covers all states and requires the following compliance:

  • Make sure you have a way to collect and manage opt-outs.

  • And make sure your emailing partners are honouring opt-outs too

  • Check your unsubscribe link.

  • Is your mailing address correct?

  • Evaluate your email content.

The focus of the law is to reduce spam and allow data subjects to control how many emails they receive. Most states then have subsequent data protection laws to add additional controls, the most stringent being New York and California.

More detail on US legislation can be found in the ITG Group Legal and Regulatory Policy, with state laws being detailed.

The European Court of Justice has recently invalidated the EU-US Privacy Shield, meaning that this cannot be used to govern the transfer of data to the US. As stated in para 4.8 binding corporate rules or standard contractual clauses must now be used.

More detail on specific US state data protection legislation comparison can be found here:

5.2 Canadian Data Protection

Canada has the Canada’s Anti-Spam Legislation (CASL) and the Personal Information Protection and Electronic Documents Act (PIPEDA) that governs the sending of emails and electronic communication in connection with commercial activity i.e. Commercial Electronic Messages (CEM’s) and the required data protection measures for the protection of personal data.

The main rules behind CASL state:

  • Determine if you are sending CEMs.

  • Identify the channels through which you send CEMs.

  • Assess if you have implied or express consent to send CEMs or if an exemption applies.

  • Develop a plan to obtain any required consents.

  • Make sure your CEMs contain the content required by CASL.

  • Determine how CASL may affect your policies, processes, customer relationship management (CRM) and other IT systems, and staff training and awareness programs.

  • Revise your policies, processes and systems as required Keep an audit trail, since CASL contains a “due diligence” defence.

Storyteq ensures all its systems and processes are compliant with data protection legislation including CASL and PIPEDA. All systems and associated services have all required data protection legislation assessed and compliance requirements applied.

Any questions or additional requirements, such as a DPA or DPIA, can be sent to either Storyteq on or the group DPO on

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.