To begin your story contact Joan on: 07752 906070


LifeAttic Limited, (the “Company”) is required to comply with applicable laws relating to the processing of personal data including under the General Data Protection Regulation (GDPR). The aim of this policy is not to provide a detailed technical analysis of how we deal with personal data in every situation but rather to provide a high-level overview of the Company’s obligations. 

What does this policy apply to?

This policy applies to all personal data processed in the context of our UK business irrespective of where in the world it is stored, accessed or controlled. In broad terms, as a business, we process the following categories of information:

• Personal data relating to our clients, including information about their life biographies; 

• Personal data relating to people who are part of our clients’ life biographies ; and 

• Personal data relating to our suppliers, contractors and other business contacts.

The policy primarily relates to electronic information, but we do retain some hard copy records which Joan makes when she collects information about people when writing their life biography. 

When we talk about the “processing” of personal data we mean collecting, recording, storing, organising, amending, accessing, disclosing or disclosing/sending to someone else outside the Company. This term also covers the destruction or the simple retention/so of information.

Who is responsible for this policy?

The Company has delegated responsibility for data protection compliance to Joan Potts. It is the responsibility of the data protection lead to:

• Ensure that we have a lawful basis for the processing of personal data and can demonstrate compliance.

• Ensure that we vet all our third party vendors and have appropriate contracts in place with them. 

• Submit any required notifications and pay any required fees.

• Ensuring that technologies and processes are used in line with the principles of data protection by design and default.

• Coordinating the response to any information security breaches and determining whether to notify data subjects and/or the Information Commissioner’s office. 

• Carrying out data protection impact assessments where required. 

• Liaising with the Information Commissioner’s Office and ensuring that any necessary fees are paid to them. 

What do I need to know?

We aim to process data fairly, lawfully and in a transparent manner consistent with the following principles:

Limited Purpose: personal data may only be used for limited purposes which are consistent with the specified, explicit and legitimate purpose for which the data was originally collected. You should consult with the data protection lead before:

– rolling out new technology or processes which impact personal data.

– disclosing of personal data to third parties.

Minimal and Accurate: personal data must be accurate, up to date, adequate, relevant and not excessive. In other words, we should only process the personal data which we really need and which is high quality.

Retention: we should delete information once we no longer need it and in compliance with our Data Retention Policy. We usually keep soft copies of our client stories on file for one year after publication, in case clients decide they would like further copies of their book. We can arrange to retain the stories for longer periods at the request of the client. 

Notice: we are required to inform data subjects on the uses to which we put their personal data and, especially, if those uses might not be obvious. 

Security and confidentiality: we are subject to legal duties to take good care of personal data and apply security measures which are consistent with its sensitivity.

Data Subject Rights: data subjects have rights of access, rectification, deletion, restriction, portability and objection. 

Use of Vendors: we are required to ensure that third party vendors who handle personal on our behalf and other third parties to whom we disclose personal data comply with these principles. 

Transfers outside the EU: we are required to ensure that EU personal data is not transferred outside the EU (or remote access given to those outside the EU) unless one the various exceptions apply. 

• • Sensitive personal data: we must take particular care of sensitive personal data that is personal data concerning race, ethnic origin, political opinions, religious/philosophical beliefs, health, biometric data, sexual life/orientation, criminal records or trade union membership. 

Data security breaches: in the unlikely event that personal data is lost, accidentally deleted or accessed by a third party without authority then please immediate inform the Data Protection Lead.

Right of Access: question from individuals about their personal data should be passed to the Data Protection Lead. 

Further details are available from the Information Commissioner who has a range of useful materials to help business understand their obligations - 

This notice may be updated as necessary from time to time and does not form part of any contract to provide services.