URM Consulting Services Ltd
(‘URM’, ‘we’, ‘us’) Privacy Policy

Your privacy is of great importance to us. This Privacy Policy is designed to give you a clear explanation of our data processing policies and how we process your information in support of the delivery of our services. Please note that this Policy may be amended and updated in future to reflect any changes in our services, the law or our organisation.

About URM

We are a private limited company, registered under Company Number 5488337. Our registered company address is Blake House, Manor Park, Reading RG2 0JH. We provide organisations throughout the UK with consultancy, auditing and training services, along with software solutions, in the areas of information security, business continuity, risk management, governance and compliance to management system standards.

We own and operate the URM website at www.urmconsulting.com. This Privacy Policy should be read in conjunction with our Website Cookie Policy. For the purposes of UK data protection law and the GDPR, URM is the ‘Data Controller’ of the personal data you provide to us.

Who do we process personal data about?

As a data controller, we process personal data about our clients, potential clients, business partners, visitors to our website including people who use our web applications, and recipients of our marketing emails. We also process personal data in relation to those who attend our training courses, webinars and similar events.  These are the categories of data subjects to whom this Privacy Policy is addressed.

Why do we collect and process personal data?

We collect personal data to offer and administer our services and products (e.g., URM’s consultancy services, our events including training courses, webinars, seminars or our products including Abriska and Alurna).

The data you provide to us will be processed in accordance with the purposes specified in this notice, namely:

  • To perform the services or provide the products requested by clients and individuals (where the processing is necessary for our legitimate business interests in conducting and managing our business)
  • To perform the services or provide the products requested by clients and individuals using our website or web applications (where the processing is necessary for our legitimate business interests in conducting and managing our business)
  • To comply with obligations provided by laws, current regulations and UK or European legislation, e.g., tax regulations (where processing is based on a legal obligation)
  • For legitimate business purposes to advise you through e-mail, phone call, or post, in the framework of our standard commercial relationship, about other services or products similar to the services or products we have provided to you and which we think will be of interest to you (where the processing is necessary for our legitimate business interests)
  • For marketing purposes.  We may use your information, for example to further discuss your interest in our services and to send you information about URM and promotions, webinars, seminars, events, services, products and articles (e.g., blogs).
    - If you are located in the UK or EU, we will only send you marketing communications and updates about our services, products and events with your prior consent, or based on our and your legitimate interests.  In either case, you can withdraw your consent or opt-out or receiving such communications at any time.
    - If you are not located in the UK or EU, you may opt-out of receiving marketing communications and updates at any time.
    - You can manage your receipt of marketing and non-transactional communications by clicking on the «unsubscribe» link located on the bottom of URM’s marketing emails or you may send a request to info@urmconsulting.com
  • For improving URM’s communications with you.  Emails sent to you by URM may include standard tracking, including open and click activities.  URM may collect information about your activity as you interact with our email messages and related content.
  • For security purposes. For example, we may use your data to protect URM and its third parties against security breaches and to prevent fraud and violation of URM’s applicable agreements (where the processing is necessary for our legitimate business interests).
  • To assist in the monitoring of the website, enriching your user experience, and displaying relevant digital advertising, this data also includes online identifiers including IP addresses and web cookies.
  • To administer your request where processing is necessary in performance of a contract or service when you have elected to attend such as when you register to attend a URM training course, webinar or similar events.

URM is committed to ensuring that the information we collect and use is appropriate for these purposes and does not constitute an invasion of your privacy.

Whenever URM processes your personal data for its legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws.  Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You have the right to object to this processing if you wish.

What personal data do we process?

In order to promote our services and products, we collect and process the following categories of personal data:

For providing consultancy services and our products to clients, your business contact details used to understand service requirements, define an offering, share a quotation proposal and deliver the services either onsite or virtually, comprising:

  • Your name, business role/title, company name and postal address, work telephone numbers and work email address.

Any additional personal information you choose to share with us will also be processed.

For marketing and promoting URM's services to prospects and existing clients (all B2B):

  • Your name, job title, work email address, work telephone number, and marketing communication preferences.

For visitors to our website:

• Your IP address, browser ID and marketing communication preferences.

We do not process any special category data on clients, potential clients,  business partners, visitors to our website or recipients of our marketing emails.

For attendance on our training courses and events:

  • Your name, job title, work email address, work telephone number, event attendance and course outcomes including certificated examination results.

Use of your personal data

In processing your data for the above purposes, we do not normally share it with other parties (unless you instruct us to pass it to third parties acting for you, such as agents).  In delivering our Cyber Essentials service we share your data with IASME Systems, which is responsible for delivering the Cyber Essentials scheme in the UK.

Except as set out in this Policy, URM will not sell or rent to any third party any personal information that we collect without the permission of the person to whom that information relates.  In the delivery of our services, URM may very occasionally distribute the information to a third party who is working on our behalf and such use will be strictly limited to a specific activity and controlled by appropriate contracts.

URM does not send your data outside the UK unless you specifically instruct us to do so.

Storage of personal data and retention period

We keep your data for the following periods.

For our consultancy services:   from the date when URM’s contract with our client expires without renewal + 6 years.

For our Abriska and Alurna products:   if the tool is licensed directly by our client, from the date when contract with client expires without renewal + a maximum of thirty days; and where the tool was used as part of a service delivery by our consultant, as above (expiry of contract with client + 6 years).

For our B2B marketing emails: until the recipient unsubscribes or URM receives a 'bounceback' message from their email address suggesting it has been deactivated.

For visitors to our website who provide contact details but who do not proceed with a transaction or register for one of URM’s webinars, seminars or other events and publications 18 months.

For training course attendance records are held for 7 years to align with statutory obligations for retention of financial accounting and associated records.

Use of cookies on website

Cookies are used to monitor the website usage. They enable us to gather statistical information to manage and develop the website to improve user experience and to assess the popularity of individual web pages. Please click here to access our Cookies Policy.

Email activities

URM strictly limits the number of emails sent to contacts and the subject of these emails will always relate to the products and services that we provide. It is not in our interest to bombard our customers, or prospective customers, with unsolicited mail and we will remove a contact's details from our marketing activity when requested to do so.

Customer contacts: If your details are on URM's database because your organisation purchases products and/or services from us, we believe that email communications will contain useful information that is relevant to you in your professional capacity. If you do not wish to receive emails of this nature, please let us know by emailing info@urmconsulting.com.

Other contacts: If you are not a URM customer, your details will be included on our database for one of the following reasons:

  • Event registration/attendance. You have provided your details when registering for one of URM's seminars or webinars, or have provided your details when visiting URM at a conference/exhibition or requesting information from our website.
  • Third party database. URM occasionally purchases lists of contacts from an approved data supplier as stated above.

If you do not wish to continue to receive emails promoting URM's products and services, please let us know by emailing marketing@urmconsulting.com.

URM does not knowingly get involved in ‘spamming’ activities of any kind.


URM will always provide recipients with an opportunity to opt-out or 'unsubscribe' from receiving further email content. This is because we only want to send information to people who are interested in receiving it. URM is responsible for responding to 'opt-out' or 'unsubscribe' requests when asked to do so. In turn, our business partners are responsible for complying with all such requests by removing the appropriate person from their lists.

Data protection

URM will always comply with the legal obligations on us in relation to data protection set out in the GDPR and the Data Protection Act 2018, and we are committed to complying with the Privacy and Electronic Communications Directive 2003. We will only work with business partners who adopt a similar approach.

Security of your personal data

URM secures your personal information from unauthorised access, use or disclosure. URM is certified to both ISO 27001, the International Standard for Information Security and ISO 22301, the International Standard for Business Continuity and is totally committed to maintaining the confidentiality, integrity and availability of your information.

Your data subject rights

Under the GDPR and the UK Data Protection Act 2018, you have specific rights over the processing of your personal data. These include the rights to:

  • Be informed about the processing of your data
  • Have your information processed securely
  • Request access to a copy of your personal data
  • Have inaccurate personal data corrected (rectification)
  • Be informed about how long your personal information will be retained
  • Erasure of your personal data if we do not have any legal, statutory or regulatory reason for continuing to process it
  • Restrict the processing of your personal information causing, or likely to result in, harm or distress (subject to our legal obligations for processing)
  • Portability in certain circumstances
  • Object to the processing conducted by us (e.g., direct marketing)
  • Have any automated processing and the logic used explained to you if any decisions about you are made solely by a computer program (URM does not use such automated decision-making in any of its processing)
  • Complain to the Information Commissioner’s Office (ICO) if you believe your rights have been breached and we have been unable to resolve the issue, and a further right to obtain judicial remedy through the courts if your complaint is upheld by the regulator. For more information on how to make a formal complaint to the ICO visit www.ico.gov.uk.

If you would like to exercise any of the rights listed above, please email info@urmconsulting.com. We will explain any applicable exceptions to these rights in our response.

Changes to this Policy

We will occasionally update this Privacy Policy to reflect company and client feedback or as a result of regulatory changes. You are encouraged to periodically review this online Policy to stay informed of how we are protecting your personal data and your rights.

Privacy Contact

URM welcomes your questions about this Policy. If you have any such questions please contact us at info@urmconsulting.com or telephone 0118 2065 410.