The General Data Protection Regulation came into force on the 25th of May 2018 and the Data Protection Act 2017 – 2019 came into force in 2019. The purpose of this Statement is to highlight Nicholas Associates Group Holding Limited and its subsidiaries commitment to the highest standards of information security and privacy.

We have

  • Reviewed our internal data protection and privacy policies and procedures to ensure they comply with GDPR.
  • Reviewed our approach to collecting consent.
  • Appointed a Data Protection officer and internal working group.
  • Audited our internal policies and processes to ensure we meet the requirements.
  • Trained our staff on the changes GDPR introduced.
  • Worked closely with third parties we share data with on their responsibilities.
  • Conducted an internal review of the data we collect, store, manage, process and control.

We ensure

  • We only collect as much information as we need.
  • Data we collect is relevant and up to date.
  • Data is only kept for as long as required.
  • We offer transparency in our data collection and processing.
  • Data subjects are made aware of the information we hold on them upon request.
  • All third parties we deal with meet the requirements and we provide this information through our privacy notices in the areas we collect data.
  • Data is kept safe and secure, both when in transit and when at rest.

Our commitment

  • No personal data is transferred outside of the European Union.
  • Our staff are trained at induction with annual refreshers.
  • Integration of privacy impact assessments and data reviews into our processes.
  • Ongoing assessments, audit of our internal and the third parties whom we share data with.


We take our security very seriously and have achieved the following certifications:

  • Cyber Essentials.
  • IASME.

Our Business data is held at datacentres that are:

Certified to ISO 9001, ISO 14001, OHSAS 18001 and ISO 27001 across all locations.

We frequently test and audit the security of our systems and have implemented robust incident prevention and detection mechanisms.