General Data Protection Regulation (GDPR) Policy


This policy is in place to demonstrate how HydroCo meets the requirements of the EU General Data Protection Regulation (GDPR) and the Data Protection Act (2018).

HydroCo is committed to high standards of information security, privacy and transparency. We place a priority on protecting and managing data in accordance with accepted standards including ISO 9001. The company will comply with applicable regulations in relation to management and use of personal data.

HydroCo holds very little personal information; the data it holds is primarily personnel information. HydroCo requests that its clients remove or anonymise any personal information before issuing it to us.


HydroCo has a robust ISO-based Integrated Management System (IMS) and, in order to ensure compliance, will implement additional controls within the IMS to meet data protection requirements, using internal and external advisors.

We will ensure our information security policies and procedures are kept up to date, building upon existing management systems (including ISO 9001), the Information and Confidentiality policy and data risk assessments, and supported by communication and training programmes.

Data will only be shared with external third parties when there is a specific business need. For example, we might share data if we were to outsource an aspect of work, share employee data with the pension provider, or share team competency information with clients.

We will monitor potential data risks and data processors (including any sub-contractors) to ensure data export arrangements protect the integrity of personal data at all times.

The company has undertaken risk assessments to include more detailed consideration of the data types we hold and a data protection impact analysis of personal information stored.

There should be no impact on the individual as a result of our processing. We aim to always be fair and transparent, and to ensure that people know how their information will be used. Data security is a key consideration and we do everything we can to protect the data we hold. This applies whether the personal data was obtained directly from the data subjects or from other sources.

Accountability lies with the Directors.

The Lawful Bases of our data processing

The lawful bases for our data processing activity are a combination of Legitimate Interest and Contractual for activities relating to staff, suppliers, existing customers and other stakeholders.

In general terms the purpose of processing information is to enable us to provide our service to customers, to support and manage our employees, and maintain our own accounts and records.

Legitimate Interests:

  • We use people’s data in ways they would reasonably expect in order to carry out our business and communicate with them.
  • Processing is necessary as we could not provide consultancy services to new or existing customers without processing this information.
  • We have balanced our commercial interests against the individual’s interests, rights and freedoms. Our processing has a minimal privacy impact.


Contractual:

  • We have a contract with an individual and need to process their personal data to comply with our obligations under the contract, i.e. an employment contract or sub-contracting contract.
  • We haven’t yet got a contract with an individual, but they have asked us to do something as a first step (e.g. provide consultancy service information) and we need to process their personal data to do what they ask.

We will explain our lawful basis for processing personal data when we answer a ‘subject access’ request.


The right to complain

We always seek to treat an individual’s data fairly; however, individuals have the right to complain to us, and we will investigate and respond accordingly within one month. Complaints should be addressed to:

HydroCo Ltd.

Langstone Technology Park



Should the complaint not be resolved to the satisfaction of the complainant, the individual can also take up their issue with the Information Commissioner’s Office (the ICO) at the following address:

The Information Commissioner’s Office,

Wycliffe House, Water Ln, Wilmslow SK9 5AF

Or via EMAIL:


David Acres – Managing Director