Privacy Notice
About Us
This website is operated by the Information Security Forum Limited (ISF), a company registered in England and Wales with company registration number 04822538.
| Our registered address is: | Our operational address is: |
|---|---|
| Information Security Forum Limited, Highdown House, Yeoman Way, Worthing, West Sussex, BN99 3HH, United Kingdom | 10 Eastcheap, London, EC3M 1AJ, United Kingdom |
Purpose of This Notice
This Privacy Notice explains how we collect, use, share, store, and protect your personal data when you interact with our services or visit our websites. It sets out our legal basis for processing your personal data, explains your rights under UK data protection law, and provides contact information for any queries or concerns you may have.
This Notice is designed in accordance with the requirements outlined in the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable UK data protection laws, ensuring we meet our obligations to you whilst protecting your data subject rights.
What is Personal Data?
Personal data is any information that relates to an identified or identifiable person. This includes obvious identifiers such as your name, age, address, date of birth and contact details, as well as less obvious information like online identifiers, IP addresses, device information, and data about your website interactions and preferences.
Personal data may contain information which is known as special category data, requiring additional protection under the law. This includes information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health and medical conditions, sex life or sexual orientation. In limited circumstances for security and compliance purposes, personal data may also include information relating to criminal convictions and offences.
Personal Data We Collect
When you communicate with us or use our services, we collect various types of personal data depending on the nature of our interaction. This typically includes your contact information such as name, job title, employer, email address and telephone number, along with any account information including login credentials, preferences and membership details.
We also collect communication data from your correspondence with us, including emails, phone calls, survey responses and feedback you provide. When you register for our events, we may need to collect special category data relating to dietary requirements and accessibility needs to ensure we can accommodate you appropriately.
Our websites automatically collect technical information including your IP address, browser type, device information, operating system details, and data about how you interact with our sites including pages visited, time spent, and navigation patterns. We use cookies and similar technologies to gather this information, as detailed in our separate cookies policy.
When you attend our events or participate in our activities, we may collect photographs, video recordings, audio recordings of presentations, written materials and direct quotes for use in our publications and promotional materials. Recordings, written materials and quotes will not be attributed to an individual without explicit consent from the individual prior to publication.
Why We Process Your Personal Data
We process your personal data for several purposes, each with a specific legal basis under UK data protection law. Our primary legitimate interests include operating and improving our business, responding to enquiries and providing information about our services, marketing relevant services to professionals in the information security sector, maintaining relationships with our Members and stakeholders, conducting research and developing new services, and protecting against fraud whilst ensuring the security of our systems.
When we have a contract with you, we process personal data to deliver the services you have requested, manage membership subscriptions and benefits, provide access to resources and research, facilitate event attendance, and process payments and billing. We also process data to meet our legal obligations, including conducting anti-money laundering and identity verification checks, maintaining records as required by law, responding to regulatory requests, and fulfilling tax and accounting obligations.
In certain scenarios, we will request your consent to process your data. This will particularly apply in relation to direct marketing communications where consent is required by law, the processing of special category data such as dietary requirements and accessibility needs for events, using non-essential cookies on our websites, and using photographs and media content from our events. You have the right to withdraw your consent at any time.
How We Collect Your Personal Data
We collect personal data through various channels depending on how you choose to interact with us. Most commonly, you provide personal data directly when you complete forms on our websites, register for our services or events, contact us by email or telephone, attend our events and networking activities, or exchange business cards and professional information.
We also collect data automatically through your use of our websites via cookies and analytics tools that track your interactions and preferences. In some cases, we receive personal data from third parties including introductions from our existing Members or business partners, publicly available professional directories and company websites, and event organisers when you register for events we sponsor or participate in.
Who We Share Your Personal Data With
We only share your personal data when necessary and always with appropriate safeguards in place. We work with carefully selected service providers who process data on our behalf, the details of whom can be found on our Trust Centre.
Where appropriate and with suitable consent, we facilitate introductions between our Members and may share contact details for professional networking purposes.
As part of providing services to Members, we may make use of partner organisations to support the delivery of these services. In some scenarios, we are not responsible for personal data that third parties collect directly from you, such as information collected by hotels during check-in, or data you provide directly to event sponsors.
International Transfers
We may transfer your personal data outside the UK to provide our services, facilitate international events and conferences, and enable global Member networking. When we transfer data internationally, we ensure appropriate safeguards are in place, including relying on adequacy decisions for countries recognised by the UK Government as having adequate data protection, using standard contractual clauses approved by UK authorities, or implementing other certification schemes and industry-recognised security standards.
How Long We Retain Your Personal Data
We retain personal data only as long as necessary for the purposes we collected it, with retention periods varying depending on the type of data and our relationship with you. For active Members, we retain data for the duration of Membership plus seven years to meet our regulatory and business obligations. Former Members’ data is typically retained for seven years from our last interaction.
Event attendees’ information is usually kept for three years to enable follow-up activities and future event marketing, whilst marketing contacts’ data is retained until they unsubscribe or object to processing, with regular reviews every five years to ensure continued relevance. Website analytics data is retained for 26 months in line with standard Google Analytics practices, and financial records are kept for seven years to meet tax and regulatory compliance requirements.
In special circumstances such as ongoing legal matters, we may need to retain data until resolution and/or statutory limitations expire, and where regulatory investigations are involved, we retain data as required by the relevant authorities.
Protecting Your Personal Data
We implement comprehensive security measures to protect your personal data against unauthorised access, use, disclosure, alteration or destruction. Our technical safeguards include end-to-end encryption for data in transit and at rest, multi-factor authentication for system access, regular security testing and vulnerability assessments, secure backup and disaster recovery procedures, and continuous network monitoring with intrusion detection systems.
We maintain strong organisational measures including comprehensive staff training on data protection principles, clear data handling policies and procedures, regular security awareness programmes, established incident response and breach notification procedures, and thorough vendor security assessments with appropriate contractual protections.
Our physical security measures include secure office premises with appropriate access controls, locked storage for any physical documents containing personal data, secure disposal procedures for confidential materials, and clean desk policies.
While we implement robust security measures reflecting current best practices, we recognise that no system can be completely secure. We continuously monitor and update our security practices to address evolving threats and maintain the highest practicable level of protection for your personal data.
Further information relating to our security practices and controls can be found in our Trust Centre.
Your Rights
Under UK data protection law, you have rights regarding your personal data. You have the right to be informed about how we use your personal data, which this Notice fulfils, and the right to request a copy of the personal data we hold about you, including details of what data we process, why we process it, who we share it with, and how long we keep it.
You can ask us to correct any inaccurate or incomplete personal data we hold about you, and in certain circumstances, you can request that we delete your personal data, particularly when it’s no longer needed for the original purpose or you withdraw consent where applicable.
You also have the right to ask us to limit how we use your personal data in certain circumstances, and where technically feasible, you can receive your personal data in a structured, machine-readable format to transfer to another organisation. You can object to processing based on our legitimate interests, including profiling, and you have an absolute right to object to direct marketing at any time.
We do not currently make decisions based solely on automated processing. If, in the future, we do make decisions based solely on automated processing, you will have specific rights relating to this decision-making and profiling, including the right to have decisions reviewed by a human.
To exercise your rights, contact us using the details provided at the end of this Notice with sufficient information to identify you and specify which right you wish to exercise. We will respond within one month and may extend this by two months for complex requests, always explaining any delays or refusals. We may, as part of our response, require further identifying information before fulfilling any request.
We may refuse requests that are tenuous or excessive, would adversely affect others’ rights or prevent us from meeting our legal obligations.
Marketing Communications
We may send you marketing communications about industry insights and research, upcoming events and webinars, new services and offerings, and Member benefits and opportunities. Our legal basis for this is either your consent where required or our legitimate interests in communicating relevant professional information to those in the information security field.
You can opt out of marketing communications at any time by using unsubscribe links in our emails, updating your preferences in your account settings, or contacting us directly to request removal from marketing lists. Please note that even if you opt out of marketing communications, you will continue to receive essential service communications necessary for managing your Membership.
Cookies and Online Tracking
Our websites use cookies and similar technologies for various purposes including enabling essential site functionality, remembering your preferences and settings, analysing site usage to improve performance and user experience, and delivering relevant content where you have provided appropriate consent.
Essential cookies are necessary for our sites to function properly and cannot be switched off, whereas other cookies assist with marketing and personalisation activities where you have given consent for these purposes.
You can manage your cookie preferences through your browser settings or directly on sites where non-essential cookies are utilised.
Children’s Privacy
Our services are designed for business professionals and are not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected personal data from a child, please contact us immediately so we can take appropriate action to remove it from our systems.
Changes to This Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, new legal requirements, feedback from regulators or users, or technological developments. When we make changes, we will post the updated Notice on our website and update the “Last Updated” date below.
For significant changes that materially affect your rights or how we process your personal data, we will notify you by email and may seek fresh consent where required by law. We encourage you to review this Notice periodically to stay informed about how we protect your personal data.
Complaints and Concerns
If you have concerns about how we handle your personal data, we encourage you to contact us first using the details below so we can try to resolve any issues promptly and fairly. We are committed to addressing your concerns and maintaining your trust in our data handling practices.
If you remain unsatisfied after contacting us directly, you have the right to lodge a complaint with the UK data protection authority, the Information Commissioner’s Office (ICO). You can contact the ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, by telephone on 0303 123 1113, through their website at https://ico.org.uk/global/contact-us/, or by email at casework@ico.org.uk.
You have the right to lodge a complaint at any time, though we would appreciate the opportunity to resolve issues directly first where possible.
Contact Us
If you have any questions about the processing of your personal data, wish to exercise your rights, or require more information about this Notice, please contact us by email at info@securityforum.org, by telephone on +44 (0)203 875 6868, or by writing to us at Information Security Forum, 10 Eastcheap, London, EC3M 1AJ.
Last Updated: 11-Aug-2025
Version: 2025.1
This Privacy Notice is available at: www.securityforum.org/privacy-notice
We are committed to transparency and protecting your privacy. This Notice is written to help you understand your rights and our responsibilities under UK data protection law.