Security & Transparency

Last updated: 27 May 2026

GLF Digital Law handle regulatory notices, privacy matters, and sensitive communications on behalf of our clients. Protecting this information is core to how we operate.

At GLF Digital Law, we operate a deliberately small, highly controlled processing footprint. Our role is to provide accurate and practical legal and strategic compliance advice to clients in relation to UK and EU data protection and digital regulatory laws. 

This page explains, in clear and practical terms, how we handle that data and how we keep it secure.

1. Purpose of Processing

We process personal data solely to:

• Establish a legal relationship with clients

• Communicate with clients in relation to consulting services

• In some cases, liaise with authorised third parties on behalf of clients, such as data protection regulators and data subjects

• Other, ancillary reasons that permit us to undertake our role as professional advisers

We do not collect data for our own purposes.

2. What We Receive

We only hold the information necessary to deliver our services as advisors. Where possible, we minimise, pseudonymise, or avoid collecting data entirely. Depending on your regulators and end users, we may receive:

• emails from you and members of your team

• emails from regulators or data subjects

• postal mail (scanned securely)

• phone calls or voicemails

• supporting documents included in those messages

Special category data may appear within those messages, but we do not extract, store, or analyse it.

3. How We Handle It

• We act only on the instructions of our clients

• We do not run analytics, automation, AI, or call transcription

• We do not share information with any unauthorised third party whatsoever

• We retain only what is necessary for compliance and audit purposes

4. Our Processors (Minimal and Controlled)

GLF Digital Law uses a very small set of carefully selected processors:

• Google Workspace — email and secure storage

• 1st Formations (UK) — backup mail handling

• Various professional consultants such as legal, accounting and insurance brokers / providers

We do not use any third-party analytics, AI, or machine-learning services using any client confidential information.

5. International Transfers

If you are located outside the EU/UK/EEA, GLF Digital Law will act only on your documented instructions.

Where personal data is involved, you, as the Data Controller, remain responsible for ensuring appropriate safeguards in your own jurisdiction. GLF Digital Law does not process personal data for its own purposes. 

GLF Digital Law does not transfer data to third countries for its own purposes.

6. Retention

Regarding personal data GLF Digital Law has processed as part of providing services to any client (as detailed in a separate client agreement), such processing, use, and retention, we typically retain relevant personal information for at least six years from the date of our last interaction with a client, or for longer where we are required to do so according to any relevant regulatory obligations or professional indemnity obligations.

7. Security Measures

• Encrypted email and storage (at rest and in transit)

• 2FA on all systems

• Robust access controls

• No automated transcription, scanning, or analytics

• Minimal processor model

If you require more detail, we maintain an internal Record of Processing Activities and can make a summary available on request. If you have any security questions, or wish to report an issue, please contact neil@glfdigital.law.