GDPR Compliance

Our commitment to data protection under the UK General Data Protection Regulation

Our Commitment

BPR Consultancy Ltd is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We process personal data lawfully, fairly, and transparently in connection with the delivery of the Structural Capability Index™ assessment service.

Data Controller

BPR Consultancy Ltd acts as the Data Controller for all personal data processed through this platform. Your organisation's Client Sponsor may also act as a joint controller in respect of the assessment data for their participants.

Lawful Basis for Processing

Data Type	Lawful Basis	Purpose
Name, email, job title	Legitimate Interest / Contract	Account creation, communication, service delivery
Questionnaire responses	Contract / Consent	Delivery of SCI diagnostic assessment
AI-generated analysis	Legitimate Interest	Automated scoring and insight generation as part of the service
Login and session data	Legitimate Interest	Security, fraud prevention, access control

Data Minimisation

We only collect the minimum data necessary to deliver the SCI assessment service. We do not collect sensitive personal data (special category data). Questionnaire responses relate to organisational and structural observations, not personal characteristics.

Data Storage Location

All personal data is processed and stored within the United Kingdom on servers operated by Amazon Web Services (AWS) in the London (eu-west-2) region. Data does not leave the UK for storage purposes.

When AI analysis is performed, anonymised response data is transmitted to OpenAI's API for processing. This is covered under OpenAI's enterprise data processing agreement, which ensures data is not retained or used for model training.

Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

SSL/TLS encryption for all data in transit
AES-256 encryption for data at rest on AWS infrastructure
Passwords stored using bcrypt hashing (never in plain text in production)
Automatic session expiry after 30 minutes of inactivity
Rate-limited login attempts to prevent unauthorised access
Role-based access controls (participants cannot see other participants' data)
Full audit trail of all administrative actions and data changes
Firewall-restricted server access (SSH, HTTP, HTTPS only)
Regular automated backups stored in the UK region

Data Sharing

We do not sell, rent, or share your personal data with any third party for their own purposes. Data is only shared in the following limited circumstances:

With your organisation's Client Sponsor — who can see assessment results after administrative release
With the platform administrator — for scoring, quality assurance, and report generation
With OpenAI — response data only, for AI-assisted analysis (under data processing agreement)
With law enforcement — only if required by law or valid legal process

Your Rights Under GDPR

As a data subject, you have the following rights:

Right of Access — request a copy of the personal data we hold about you
Right to Rectification — request correction of inaccurate or incomplete data
Right to Erasure — request deletion of your data where there is no compelling reason for continued processing
Right to Restrict Processing — request limitation of how we use your data
Right to Data Portability — request your data in a structured, machine-readable format
Right to Object — object to processing based on legitimate interest
Rights Related to Automated Decision-Making — AI-generated scores are always subject to human review and can be overridden by an administrator before release

Automated Decision-Making

The platform uses AI (OpenAI) to assist with scoring and analysis of questionnaire responses. However:

AI-generated scores are preliminary recommendations, not final decisions
All AI outputs are reviewed by a human administrator before being used
The administrator can override, edit, or reject any AI-generated score or insight
No decisions with legal or similarly significant effects are made solely by automated means

Data Breach Procedures

In the event of a personal data breach, we will:

Notify the Information Commissioner's Office (ICO) within 72 hours where required
Notify affected individuals without undue delay where the breach is likely to result in high risk
Document all breaches, their effects, and remedial actions taken

Contact and Complaints

To exercise any of your rights or raise a concern about how your data is handled:

BPR Consultancy Ltd

You also have the right to lodge a complaint with the Information Commissioner's Office:

ICO
Website: ico.org.uk
Helpline: 0303 123 1113