1. The CDI's Commitments
The CDI are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection programme in place, which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this programme to meet the demands of UK GDPR and the Data Protection Act.
The CDI are dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, UK GDPR.
We are currently working on the development and implementation of a Digital Transformation Project, which includes new, robust and effective CRM and CMS systems (expected to go live in March 2023). These systems will ensure greater security and protection for the personal information that we hold.
This project will be carried out by the CDI Digital Project team, which reports to a Digital Project Board consisting of four Board Executives and the Chief Executive (contact details are available on request).
Our work to date and objectives for GDPR compliance are summarised in this statement.
Data Officer – the CDI have appointed a Data Officer and will provide them with support and training where available.
Information Audit – as part of the Digital Project and transition to a new CRM, we will carry out a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed. (Initial work completed; secondary work to clarify the value of collected data and its future use is ongoing.)
Policies & Procedures – revising data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
Our main policy and procedure document for data protection has been revised to meet the standards and requirements of GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities.
We are reviewing our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. (Review to be completed by Q4 2026.) We have dedicated erasure procedures in place and are aware of when this and other data subjects’ rights apply, along with any exemptions, response timeframes and notification responsibilities.
Our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time in line with ICO guidance.
International Data Transfers & Third-Party Disclosures
The CDI does not store or transfer personal information outside of the UK. We do not share our data with third parties with the exception of partnering event organisers, where there is a data sharing agreement in place.
Any data stored by the CDI undergoes a rigorous security process, both physical and digital, to ensure maximum safety and protection. No CDI server exists on site. The data is secured via three separate data structures:
- Dedicated Web Server, Shared DB Cluster: Production website hosted on a dedicated virtual server, database hosted on shared physical database cluster supported by CDI digital partner, IDHL.
- Rackspace Redundant Webservers: Utilising load balancers and multiple availability zones (AZs), which direct traffic to healthy servers and ensure high availability in case of a server or data center failure.
- Cloudflare: filtering bad traffic (such as DDoS attacks and bots) and caching content closer to users for faster loading; described by Cloudflare as an "immune system for the internet", it provides DDoS protection, a Web Application Firewall (WAF), a Content Delivery Network (CDN), DNS, and serverless computing (Workers).
- Microsoft server security: data encryption at rest (BitLocker, AES 256-bit) and in transit (TLS/SSL) for cloud protection; authentication and authorisation through Microsoft 365 identity (Azure AD), using role-based access (Read, Edit, Full Control) for sites, lists, folders and individual items; and the physical security measures found across Microsoft's data centres.
All CDI data is protected by the following security measures:
- Physical Firewalls
- Intrusion prevention
- VLAN network segregation
- Individual databases per client
- WithSecure Anti-virus
- IPSec VPN for management
- Redundant Webservers
- DDoS protection
- Web Application Firewall (WAF)
- Content Delivery Network (CDN)
- DNS protection
- CloudFlare Pro
Subject Access Request (SAR)
A user has the right to access information kept about them by the CDI, including but not limited to personal and organisation details, organisation connections, training and event records, financial transactions with the CDI, marketing preferences and history and website activity history.
The Membership and Marketing department is responsible for dealing with data subject access requests. We commit to meeting the revised 30-day timeframe for providing the requested information, subject to the applicable circumstances, and are aware of the circumstances in which we can extend the time limit to respond to a request. We also understand when to consider whether a request includes information regarding others and any implications this may have.
Legal Basis for Processing
We are reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. The deadline for this review is Q4 2026. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Act are met. See below for a summary of processing activities:
| | Category of personal data |
| --- | --- |
| | Name, address, organisation, contact details, invoice information, qualification details, demographic information |
| Compliance with marketing agreements | Name, organisation connections, contact details, marketing preferences |
| Training records, site licensing, training attendance evidence | Name, address, organisation connections, contact details, invoice information, training records |
| Training records, contractual agreements | Name, address, organisation connections, contact details, invoice information, qualification details, evidence portfolios for assessment and moderation |
| Contractual agreements, CPD records | Name, address, organisation connections, contact details, invoice information, qualification details, CPD records |
| | Name, address, organisation connections, contact details, invoice information, NI number, registration information, tax codes |
In Q4 2025, we successfully revised our Privacy Notice(s) to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
We are revising our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving clear, defined ways to consent to us processing their information. We are developing stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records, and an easy-to-find and accessible way to withdraw consent at any time. Work has begun, with an expected deadline of Q4 2026.
The CDI performs direct marketing as defined in Section 11(3) DPA: “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. This includes, but is not limited to: promotional material, sector updates, offers on CDI products and events, updates on training courses and qualifications, and related career-sector information. This marketing is delivered primarily through email content, but can also include blanket social media coverage where appropriate.
- Data Processing – The CDI processes personal data fairly and lawfully, with consent mechanisms to ensure marketing emails are categorised correctly and authorised by the user.
- Reasonable Expectations – Any personal marketing data collected by the CDI will only be used to send relevant information within reasonable expectations of the sector and will not be used for incompatible purposes.
- Third-party Marketing – The CDI does not perform third-party marketing and will not share your data with other organisations. However, third-party organisations can provide content to be included in CDI mailings, or the CDI can send out a dedicated email to our database on the organisation’s behalf, both at a cost to the organisation.
- Accurate Data – The CDI makes every effort to maintain the accuracy of the marketing data, and allows members to access and update their data through a robust and accessible Members Area portal. Undeliverable and bounce-back emails are actioned within 14 days of receipt: the member’s data is removed from the mailing portal, alternate contact is attempted, and if further contact isn’t possible, the member’s account is closed where appropriate.
- Withdrawal of Consent – The CDI gives the individual the right to prevent their personal data being processed for marketing. Withdrawal of consent is an accessible process that is actioned within 14 days of receipt of the withdrawal, and the CDI will make every attempt to acknowledge the cessation of marketing. Withdrawal of marketing consent does not cease emails relevant to the application, renewal or invoicing of CDI membership.
Data Protection Impact Assessments (DPIA)
Where we process personal information that is considered high risk, includes disciplinary procedures or complaints, involves large-scale processing, or includes special category/criminal conviction data, we are revising our documentation processes that record each assessment. This will allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).
Where we use any third party to process personal information on our behalf (e.g., payroll, recruitment, hosting), every care has been taken to ensure all parties are compliant with the GDPR and are aligned to the CDI’s ongoing commitment. These measures have included initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place and compliance with the GDPR.
Special category data is only processed where necessary and only where we have first identified the appropriate Article 9(2) basis or the Data Protection Bill Schedule 1 condition. Where we rely on consent for processing, this is explicit and is verified by a signature, or is provided directly by an employee, with the right to modify or remove consent clearly signposted. The only special category data we collect falls under demographic data, which we use to inform research and effectively monitor the sector as a professional body, and all demographic data is considered optional.