Privacy Policy

Last Updated: 20 March 2026

This Privacy Policy explains how we collect and use personal data in the course of operating our website and providing membership services and related activities (including events and courses). Our members include: (i) corporate members — organisations that hold membership on behalf of their staff and nominated individuals; and (ii) individual members — professionals who apply for membership in a business or professional capacity.  

We are committed to protecting the privacy and security of personal data and to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have any questions, please contact us using the details below. 

1. Who we are and how to contact us

Data controller: The Chartered Institute of Information Security, established in England by Royal Charter on 12 December 2018. 

Email: membership@ciisec.org 
Postal: Data Protection Team, Chartered Institute of Information Security, Haddonsacre Business Centre, Station Road, Offenham, WORCS WR11 8JJ 

2. What personal data we collect

We collect and process only the personal data necessary for administering membership, delivering our services (including events and courses), and operating our website. This may include: 

    • Identification and contact details: name, business email address, business telephone number, job title, employer, and postal address. 
    • Account and communication data: login details, preferences, enquiries, support requests, and correspondence. 
    • Marketing and event data: newsletter subscriptions, event registrations, attendance records, feedback, and interests relevant to our services. 
    • Website and technical data: IP address, device identifiers, browser type, operating system, access times, pages viewed, referral sources, and cookie data. 
    • Payment and billing data: billing contact details, purchase history, and transaction references. Card details are processed by our payment service providers and are not stored by us. 
    • Supplier and partner data: contact details and due diligence information for representatives of our suppliers and partners. 
    • Application data: CVs and application details where an individual applies for a role, registered membership grade or professional registration. 

We do not intentionally collect special category data or criminal offence data via our website. Please do not submit such information unless we specifically request it and provide an appropriate lawful basis and safeguards. 

3. How we collect personal data

We collect data in the following ways: 

    • Directly from you when you contact us, create an account, subscribe to updates, register for events, purchase services, or otherwise interact with us. 
    • From your employer or a corporate member organisation where they nominate you as a staff member or authorised user under a corporate membership. 
    • Automatically through cookies and similar technologies when you use our website. For more information, please see our Cookie Policy. 
    • From third parties such as event platforms, marketing service providers, analytics providers, payment processors, and publicly available sources (for example, company websites and professional directories). 

4. Purposes and lawful bases for processing

We process personal data for the following purposes and under the lawful bases indicated: 

    • To provide and administer our services, manage accounts, respond to enquiries, and perform contracts with our clients and suppliers (performance of a contract; legitimate interests in operating our business). 
    • To operate and improve our website, ensure security, prevent fraud, and keep records of service usage (legitimate interests in running and protecting our business and IT systems; compliance with legal obligations where applicable). 
    • To manage relationships with clients, prospects, suppliers, and partners, including sending service communications (legitimate interests in developing our services and managing relationships). 
    • To send marketing communications about our services, events, courses, and insights to members and prospective members acting in a professional or business capacity, where permitted (legitimate interests in promoting our services). You can opt out at any time. 
    • To comply with legal and regulatory obligations, exercise or defend legal claims, and maintain appropriate business records (legal obligations; legitimate interests). 
    • To organise and manage events, including registrations and attendance (performance of a contract; legitimate interests). 
    • To carry out recruitment and talent management (legitimate interests; steps prior to entering into a contract).

Where we rely on consent, we will obtain it clearly and you may withdraw consent at any time by contacting us or using the unsubscribe mechanisms provided. Withdrawing consent does not affect the lawfulness of processing before withdrawal. 

5. Sharing your personal data

We do not sell personal data. We may share personal data with: 

    • Affiliated entities for internal administration and service delivery (for example the UK Cyber Security Council where applicable). 
    • Professional advisers, insurers, auditors, and banks for legitimate business purposes. 
    • Service providers who process data on our behalf under written contracts, including IT hosting, cloud storage, CRM, marketing platforms, analytics, event management, and payment processors. 
    • Event co-hosts and speakers where necessary to manage registrations and attendance. 
    • Law enforcement, regulators, courts, or other third parties where required by law or to establish, exercise, or defend legal claims. 

6. International Transfers

Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, such as the UK Addendum to the EU Standard Contractual Clauses or other approved transfer mechanisms. Details of the relevant safeguards can be obtained by contacting us at membership@ciisec.org, noting that certain information may be redacted for confidentiality. 

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting, or reporting requirements. Typical retention periods are: 

    • Client records (including membership and professional registration records) and supplier records: 7 years after the end of the relationship. 
    • Marketing contacts: until you opt out or 2 years after last meaningful interaction, whichever is sooner. 
    • Event records: 24 months after the event, unless an ongoing relationship applies. 
    • Website logs and analytics: 24 months. 
    • Recruitment records: 12 months for unsuccessful candidates, unless you consent to a longer period.

Specific retention periods may vary depending on legal obligations and business needs. We securely delete or anonymise data when no longer required. 

8. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Measures include access controls, encryption in transit and at rest, network security, regular backups, staff training, and supplier due diligence. We test and review our controls periodically. We hold Cyber Essentials certification. 

9. Data Breaches

We have procedures in place to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner’s Office (ICO) without undue delay and, where required, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, unless an exemption applies.  

10. Your rights

Under the UK GDPR, you have the following rights, subject to conditions and exemptions: 

    • Right of access to your personal data and to receive a copy. 
    • Right to rectify inaccurate or incomplete data. 
    • Right to erasure in certain circumstances. 
    • Right to restrict processing in certain circumstances. 
    • Right to data portability for data you provided to us where processing is based on consent or contract and carried out by automated means. 
    • Right to object to processing based on our legitimate interests, including B2B direct marketing. We will stop processing unless we have compelling legitimate grounds or the processing is for legal claims. 
    • Right to withdraw consent at any time where processing is based on consent. 
    • Right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. 


To exercise your rights, please contact us at membership@ciisec.org. We may need to verify your identity. There is no fee to make a request, unless it is manifestly unfounded or excessive.

11. Cookies and similar technologies

We use cookies and similar technologies to operate our website, enhance user experience, and perform analytics. For details of the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy. 

12. Automated decision-making

We do not carry out decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on individuals in the context of our activities. 

13. Third-party links

Our website may contain links to third-party sites. We are not responsible for the privacy practices of those sites. We encourage you to review their privacy information. 

14. Children

Our services and website are aimed at professionals and business users acting in a professional or business capacity. Membership is not available to individuals under the age of 18. We do not knowingly collect personal data relating to children. 

15. Complaints

If you are concerned about our use of your personal data, please contact us first so we can try to resolve your concern. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO): 

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF 
Website: www.ico.org.uk | Telephone: 0303 123 1113 

16. Changes to this policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date.  
