DPIA Policy

1. Project Details

• Project Name: AIC Professional Services Core Operations

• Organisation: AIC Professional Services UK Ltd

• Website: https://aicuk.ltd

• Project Owner: Managing Director

• DPIA Author: AIC Professional Services UK Ltd

• Date Created: 5 January 2026

• Last Review Date: 5 January 2026

Description of Processing Activity:
Processing of personal data to support the delivery of professional, technical, and consulting services, including client engagement, project delivery, supplier management, internal administration, and governance activities.

2. Why Are You Doing This DPIA?

This DPIA documents how AIC Professional Services UK Ltd processes personal data, identifies risks to individuals, and records the technical and organisational measures in place to mitigate those risks, in line with the UK GDPR and Data Protection Act 2018.

The DPIA supports customer assurance, third-party governance, and DCC-aligned control requirements.

3. What Data Are You Collecting?

Personal data processed includes:

• Names

• Business email addresses

• Business telephone numbers

• Job titles and organisation names

• User account identifiers (where applicable)

• IP addresses and basic security logs

Special category data:

• None intentionally collected or processed

Data subjects:

• Client and customer contacts

• Supplier and partner contacts

• Employees and contractors

4. How Will You Use and Store It?

• Purpose of processing:
  Service delivery, client communication, account management, security, billing, and legal or regulatory compliance.

• Processing activities:
  Collection, secure storage, controlled access, limited sharing where necessary, and secure deletion.

• Storage location:
  UK-hosted and EU-hosted secure cloud services and internal business systems.

• Retention period:
  Personal data is retained only for the minimum period necessary to meet business, contractual, and legal obligations.

• Access controls:
  Role-based access control, least-privilege principles, strong authentication, and access logging where appropriate.

5. Risks to People

Identified risks include:

• Unauthorised access to personal data

• Accidental loss or disclosure

• Retention beyond business need

• Insufficient transparency regarding processing activities

6. How Will You Reduce Those Risks?

Mitigations implemented:

• Encryption at rest and in transit where supported

• Secure system configuration and patch management

• Access restricted to authorised personnel only

• Data minimisation and purpose limitation

• Defined retention and deletion practices

• Incident response and breach notification procedures

Residual risk after mitigation:

• Low

7. Legal Basis (Article 6 UK GDPR)

Lawful bases relied upon:

• Contract – necessary to deliver contracted services

• Legitimate Interests – business operations, security, and relationship management

Processing is proportionate and aligned with reasonable expectations of data subjects.

8. International Transfers

• Routine international transfers: No

Where cloud service providers operate within the UK or EU, processing is covered by UK adequacy regulations and appropriate contractual safeguards.

9. Sign-Off & Review

• DPIA Outcome: Approved

• Approved By: Managing Director

• Role: Senior Responsible Owner

• Date: 5 January 2026

Review Cycle:
Reviewed annually or upon any material change to processing activities, systems, or risk profile.