This policy was last update 21 June 2021. If you have any general questions about the Site or the information we collect about you and how we use it, you can contact us at:

The Research Desk Limited

Forma House, 40 Bowling Green, London EC1R 0NE

Telephone Number: 0207 871 3836



The Research Desk Limited (also referred to as “we” or “us”) is serious about protecting your privacy and maintaining the security of any personal information collected or received from you. When you submit information to us, this is kept confidential and used to support our activities as required (including but not limited to the delivery of client projects, recruitment of staff and associates, business development and marketing, and human resource management).

The General Data Protection Regulation (GDPR) and, in the UK context, the Data Protection Act (DPA) 2018 allow us to process your data (i) when it is necessary for the performance of a contract to which you are party; (ii) in order to take steps at your request prior to entering into a contract; (iii) to carry out research after you have signed a consent form; (iv) to carry out any activity at your explicit request (e.g. you may email us to ask to be kept up to date with the outcomes of a project).

The GDPR applies directly to EU member states, while the UK DPA 2018 deals with the application of the GDPR to the UK context and its transposition into UK law. It should be noted that the UK DPA 2018 covers the role of the Information Commissioner’s Office (ICO) with respect to the collection, management, and processing of personal data, including its duties, functions, powers, and enforcement provisions.  

This Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by The Research Desk Limited. We are committed to processing data lawfully, fairly, and transparently, to retain data only until it is necessary, and to protect it from unauthorised use.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. 

Information Collected

The Research Desk Limited may collect personal data when undertaking a number of activities related to the provision of its services, including personal identifiers, contacts and characteristics (for example, name and contact details). Most of the personal information we process is provided to us directly by you for one of the following reasons:

1. With respect to projects, The Research Desk Limited only collects personal data necessary to provide consulting services to client, stores personal data only in so far as required to provide its services to clients, and seeks to obtain informed consent from the data subjects prior to collecting personal information.

2. With respect to our other activities, such as recruitment, business development, marketing, and human resource management, we collect personal data necessary to conduct and grow our business and to fulfil our legal obligations. All personal information we gather for activities other than projects is held only after seeking consent (verbal or written, based on the situation) from the data owner. Note that we do not need consent to process data when we are fulfilling a legal obligation.

We will not share personal information with any third-party organisation, unless we are obliged to do so by contract, by law, or the disclosure is ‘necessary’ for purposes of national security, taxation, and criminal investigation, or we have your consent.

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

(a) Your consent. You can withdraw your consent at any time. You can do this by contacting

(b) We have a contractual obligation.

(c) We have a legal obligation.


Obtaining Consent

Before asking you to share personally identifiable information, we will seek to obtain your consent. You may withdraw your consent or restrict data processing at a later stage by contacting us at and under your GDPR rights to erasure or to restrict processing.



Our website does not track you in any way, nor do our email messages (i.e., we do not track whether you click links). If you follow a shortened link (‘shortlink’) within our website we may track the click for statistical purposes, but no other information associated with you (i.e., we will not collect data on who clicked the link, just the fact that the link was followed).

Our website may use web analytics (e.g., Google Analytics) from time to time, however, this will only collect anonymised statistical data and does not enable the identification of any individual.



All information is handled and managed in compliance with the GDPR; any information we hold is protected through our secure systems and processes.

All information you provide to us is stored on Microsoft OneDrive cloud servers, which are a part of the Microsoft Office 365 package. Such servers are located in the territory of the European Union and subjected to GDPR. Access to such data is password-protected. All devices also have McAfee® LiveSafe™ installed on them.


The Research Desk Limited will not keep personal data longer than is necessary to fulfil its legal or contractual obligations. This means that, unless otherwise indicated when seeking consent from clients, we will delete personal data no later than 24 months after the conclusion of a project.

Where the lawful basis to process personal information is contractual rather than by consent, we will delete the personal information once the objective(s) stated in the contract have been achieved.

This policy does not apply to data about legal entities, which does not constitute personally identifiable information.

Cross-Border Processing

In all cases where we collect and/or process data arising from more than one country (‘Cross-border processing of personal data’), the lead supervisory authority for the purposes of the GDPR shall be the United Kingdom’s Information Commissioner’s Office.

Cross-border processing of personal data will be agreed in all relevant contracts and when seeking consent from project participants.

Third Party Collection of Information

Our policy only addresses the use and disclosure of information we collect from you. To the extent you disclose your information to other parties or sites throughout the internet, different rules may apply to their use or disclosure of the information you disclose to them. Accordingly, we encourage you to read the terms and conditions and privacy policy of each third party that you choose to disclose information to.

This Privacy Policy does not apply to the practices of companies that we do not own or control, or to individuals whom we do not employ or manage, including any of the third parties which we may disclose information as set forth in this Privacy Policy.


We may use your Personal Information, such as your name, email address, telephone number, etc. ourselves or by using our third-party subcontractors for the purpose of providing you with promotional materials, concerning our services, which we believe may interest you. 

We will only contact you for marketing purposes if you have given your permission for us to do so. If you unsubscribe, we will remove your email address or telephone number from our marketing distribution lists.

Please note that even if you have unsubscribed from receiving marketing emails from us, we may send you other types of important e-mail communications without offering you the opportunity to opt out of receiving them. These may include customer service announcements or administrative notices.

Client Feedback

All client feedback provided will be treated in confidence. Client feedback will only be shared externally in aggregated and anonymised form, except where testimonials are voluntarily provided for marketing purposes. 

Corporate Transactions

We may share information in the event of a corporate transaction (e.g., sale of a substantial part of our business, merger, consolidation, or asset sale). In the event of the above, the transferee or acquiring company will assume the rights and obligations as described in this Privacy Policy.

Other Websites

The content we publish on our company website blog may contain links to other websites that are outside our control and are not covered by this Policy. If you access other sites using the links provided, the operators of these sites may collect information from you that will be used by them in accordance with their privacy policy, which may differ from ours.

Data Protection Officer

The Research Desk Limited does not have a data protection officer. Article 37 of the GDPR details the cases where one is needed, and The Research Desk Limited does not fit within any of the cases mentioned: we do not carry out systematic monitoring of data subjects nor do we process special categories of personal data.

Your Legal Rights

You have a legal right under the GDPR to request access to any information that we hold that can be identified as yours (right to information and access). This request should be put in writing to the details below:

The Research Desk Limited

Forma House, 40 Bowling Green, London EC1R 0NE

Telephone Number: 0207 871 3836


We will respond within no more than 30 days of receiving your message. The GDPR details a number of exemptions from disclosure and, should we be unable to fulfil your request, we will provide a full explanation in writing.

  • You have a right to rectification or completion of personal information you think is inaccurate or incomplete and can request this at the above address for response within no more than 30 days of receiving your request.
  • You have a right to data portability and to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances. When providing data to you, we will do so in a commonly used and machine-readable format (e.g., a csv spreadsheet).
  • You have the right to ask us not to process your personal data for marketing purposes. Should we wish to do so, or should we wish to disclose your information to third parties for such purposes, we shall inform you before collecting your data. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at
  • The GDPR also gives you the right to erase your data and/or restrict its processing. Please get in touch at should you wish to exercise these rights.
  • Please note that you are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Data Breaches and Information Security Incidents

The Research Desk Limited recognises that, at times, ‘things go wrong’ and breaches of security may occur. We recognise our responsibilities to:

  • Provide advice to any associates to contain breaches and manage the risks related to these.
  • Determine whether any control actions are needed.
  • Consider whether The Research Desk Limited has a responsibility to notify the ICO and the individual(s) affected by the breach or incident.
  • Evaluate any lessons learnt and areas for improvement.

Incidents are defined by the GDPR as a “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  We therefore consider the following three scenarios:

  • Breach of confidentiality, where there is an unauthorised or accidental disclosure of, or access to, personal data.
  • Breach of availability, where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
  • Breach of integrity: where there is an unauthorised or accidental alteration of personal data.

Whenever an incident is identified, Tracy Page (Managing Director) is notified, and the issue is dealt with as a priority. Based on the level of risk, The Research Desk Limited will decide how to address the incident. Risk is assessed considering a number of factors, including:

  • The type of breach.
  • The nature, sensitivity, and volume of personal data.
  • Ease of identification of individuals.
  • Severity of consequences for individuals.
  • Special characteristics of people that may be affected.
  • The number of affected individuals.
  • Nature of breach (e.g., error, mistake, or intentional action and malicious); and financial or legal implications.

Where an incident is deemed to be ‘high risk’, i.e., a breach of sensitive personal or confidential personal or business data and high risk and impact to individuals, a decision is made on whether the incident must be reported to data subject, the ICO or both, as appropriate.

Updates or Amendments to this Privacy Policy

We reserve the right to periodically amend or revise the Privacy Policy; material changes will be effective immediately upon the display of the revised Privacy Policy. The last revision will be reflected in the "Last modified" section. Your continued use of the Platform, following the notification of such amendments on our website, constitutes your acknowledgment and consent to such amendments to the Privacy Policy and your agreement to be bound by the terms of such amendments.



If you have any concerns about our use of your personal information, you can make a complaint to us at

You can also complain to the ICO if you are unhappy with how we have used your data via:

Information Commissioner’s Office

Wycliffe House

Water Lane




Helpline number: 0303 123 1113

ICO website: