PICCASO Data Protection Notice
PICCASO is a not-for-profit organisation. However, it is more than just a network: it is a growing, values-driven community where people across privacy, InfoSec and compliance come together to share ideas, challenge norms, shape the future of our industry and inspire the Next Generation. Whether you’re leading strategy, implementing operations, or just starting out in the industry, if you care about building ethical, human-first approaches to data, AI, privacy, infosec, compliance and technology, there’s space for you here.
Who is it for?
Our members include DPOs, CPOs, CISOs, GCs & legal, compliance and risk professionals, regulators, strategists, students, and those exploring the edges of AI, governance, ethics, and digital responsibility. If you spend your time thinking about how data impacts people, process, technology, organisations, and society - you belong here.
PICCASO brings together these industry leaders, practitioners, and innovators to collaborate on solutions for today’s privacy, AI, compliance and cybersecurity challenges, equipping organisations to protect data and respect individuals’ rights in an increasingly complex digital and regulatory landscape.
This is done through three key areas of focus:
Facilitating thought leadership and innovation (PICCASO Privacy Labs)
Elevating our industries and recognising excellence (The PICCASO Awards)
Inspiring and guiding the next generation (Apprenticeships)
We are a data controller for the purposes of the UK GDPR and this notice sets out the way in which we collect and handle personal data.
Our contact details
Name: PICCASO Limited
Registered Address: Wright Vigor Chartered Accountants, 15 Newland, Lincoln, Lincolnshire, LN1 1XG
E-mail: Privacy@PICCASO.org
The type of personal information we collect
We currently collect and process the following information:
- Name
- Address
- Company Name
- Company Size
- Company Industry
- Email address
- Telephone Number
- Enquiry details
- Event details
- Membership details
- Sponsorship details
- Nomination details
- Communication preferences (Post, email, web, social)
- Marketing communications (newsletters, updates, invitations to participate in events or initiatives)
- Providing information and offers from carefully selected sponsors and partners (with your consent)
- Membership management and renewals
- Research, surveys, and feedback to improve our services
- Volunteer/Champion activities, including working groups and content creation
- Apprenticeships, training, and mentoring opportunities
- Fundraising, payment details and donations (if applicable)
- Website and digital engagement analytics
Note: PICCASO services are not intended for children under 16. We do not knowingly collect personal data from minors.
How we get your personal information and why we collect it
Most of the personal information we process is provided to us directly by you for one of the following purposes –
To send you updates about PICCASO activities, events, initiatives, promotions, donations and sponsorship.
To provide information and offers from carefully selected sponsors and partners, where you have consented. Including:
- Event registration and administration
- Name, Company Name, Email and contact details as above
- Community registration and administration
- Awards nominations, attendance and administration
- General enquiries
- Sponsorship
- Marketing communications – to send you newsletters, thought-leadership pieces, surveys, and invitations to events.
- Sponsor and partner engagement – to provide information, offers, and opportunities from carefully selected sponsors and partners (with your consent).
- Membership management – to administer your membership, renewals, billing (if applicable), and preferences.
- Research and surveys – to understand community needs, improve our services, and shape future events and initiatives.
- Website and digital engagement – to analyse how our website, newsletters, and event platforms are used (cookies, analytics, tracking pixels).
- Volunteer/Champion involvement – to coordinate contributions, volunteering opportunities, and working groups.
- Apprenticeship and training opportunities – to connect individuals with skills programmes, courses, and mentoring (where opted-in).
- Fundraising and donations – to process voluntary donations or financial contributions (if applicable to PICCASO).
Occasionally, and only where appropriate, we may also receive personal information indirectly, from the following sources in the following scenarios:
- Publicly available sources (such as LinkedIn, professional directories, or organisational websites), where individuals have published their details and we use this to invite them to participate in events, awards, or community initiatives.
- Event and registration platforms (e.g. Eventbrite, Zoom, Microsoft Teams, Hopin, SurveyMonkey, ActiveCampaign, Google Forms, others) which provide us with attendee registration details when you sign up to a PICCASO event/download through those platforms. Sometimes we receive these attendee lists from the host sponsor; for example, following a law firm event, they will send us the final attendee list.
- Sponsors and partners, where you have registered your interest in an event, webinar, or dinner through a sponsor’s campaign or website, and they share this with us to confirm your attendance.
- Referrals and nominations from community members, partners, or sponsors where your details are submitted as part of an award nomination, volunteering opportunity, or programme involvement.
- Media and press outlets where individuals are publicly nominated, recognised, or referenced in connection with awards or industry activities that PICCASO is hosting.
Who We May Share Your Information With
We may share your personal information with trusted third parties, but only where it is lawful and with appropriate safeguards. This includes event partners and sponsors (with your consent), service providers who support our operations, and professional advisers. We do not share your information with sponsors or partners for their own marketing purposes unless you have given us consent.
We may share personal information with the following PICCASO Partners / third parties, but only where necessary, proportionate, for a particular purpose, and with appropriate safeguards in place:
- Event partners and sponsors, where you have consented or registered to attend a specific event, webinar, dinner, or other engagement. This may include:
  - Iron Mountain
  - Dentons LLP
  - GRC World Forum
  - Privado
  - Cognizant
  - Other confirmed event sponsors and partners relevant to the specific event you register for.
- Marketing and IT service providers who enable us to run our community and events, for example:
  - Email campaign and newsletter providers (e.g. Mailchimp, ActiveCampaign).
  - Event registration and hosting platforms (e.g. Eventbrite, Zoom, Teams).
  - Website hosting and analytics providers.
- Professional service providers who support our operations, such as accountants, auditors, and legal advisers.
We will not share your personal information with sponsors or partners for their own marketing purposes unless we have your consent.
Lawful Bases for Processing
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing personal information are:
(a) Your consent – for sending marketing communications (such as newsletters, updates, and invitations) and for sharing your details with sponsors or event partners. You can withdraw your consent at any time by contacting Privacy@PICCASO.org.
(b) Contractual obligation – where it is necessary to administer event registrations, sponsorship agreements, or membership arrangements you have entered into with us.
(c) Legal obligation – where we are required to comply with applicable law (for example, maintaining records for tax, audit, or regulatory purposes).
(f) Legitimate interests – where processing is necessary for the operation of our community, events, and awards programmes. We only rely on legitimate interests where we have conducted a Legitimate Interests Assessment (LIA) to ensure your rights are not overridden.
Note: PICCASO does not perform public tasks under Article 6(1)(e), so this basis is not used. PICCASO does not carry out automated decision-making or profiling that produces legal or similarly significant effects.
How We Store Your Personal Information
Your information is securely stored on cloud-based services located within the UK and the European Economic Area (EEA), with appropriate technical and organisational security measures in place to protect your data.
Where personal data is transferred outside the UK/EEA (for example, to cloud providers or event platforms located elsewhere), such transfers are subject to appropriate safeguards, such as adequacy decisions or Standard Contractual Clauses (SCCs).
We retain personal information for no longer than is necessary.
- Event and webinar data – retained for up to 24 months after the event, unless you renew your engagement or opt in for further communications.
- Membership, community, and sponsorship details – retained for the duration of your active relationship with PICCASO and for up to three years after your last engagement, unless you request deletion sooner.
- Marketing and consent records – retained until you withdraw your consent or for up to three years of inactivity, whichever comes first.
- Awards nominations and related information – retained for up to 36 months following the close of the awards cycle, for audit and transparency purposes.
After these periods, we securely delete or anonymise your personal information. We periodically review our retention schedule to ensure data is not kept longer than necessary for the purposes stated.
Your Data Protection Rights
Under data protection law, you have the following rights in relation to your personal information:
- Right of access – you can request copies of the personal information we hold about you.
- Right to rectification – you can ask us to correct any information you believe is inaccurate, or to complete information you believe is incomplete.
- Right to erasure – you can request that we erase your personal information in certain circumstances.
- Right to restrict processing – you can ask us to restrict the processing of your personal information in certain circumstances.
- Right to object to processing – you can object to the processing of your personal information in certain circumstances, including where we rely on legitimate interests.
- Right to data portability – you can ask us to transfer the information you gave us to another organisation, or to you, in certain circumstances.
- Right to withdraw consent – where we rely on your consent (for example, to send you marketing communications or share your details with sponsors), you can withdraw this consent at any time.
You are not required to pay any fee for exercising your rights. We will respond to your request within one month.
If you would like to exercise any of these rights, please contact us at:
Email: Privacy@PICCASO.org
We may update this notice periodically to reflect changes in our practices or legal obligations. The most recent version will always be published on our website.
How to Complain
If you have any concerns about our use of your personal information, we encourage you to contact us first so that we can try to resolve the matter with you.
You can contact us at:
Email: Privacy@PICCASO.org
Write to: PICCASO, Wright Vigor Chartered Accountants, 15 Newland, Lincoln, Lincolnshire, LN1 1XG
If you are not satisfied with our response, or believe we are processing your personal data unlawfully, you can also complain to the UK’s independent regulator, the Information Commissioner’s Office (ICO):
Address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: www.ico.org.uk