GDPR Policy

1. Introduction

Sky High Solutioning (“SHS”, “we”, “our”, “us”) is a values-driven consultancy that supports nonprofits, funders, and social-impact organisations through funding strategy, CRM implementation, and digital optimisation services.

We are committed to protecting the privacy and personal data of our clients, partners, and community in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

This policy sets out how SHS collects, stores, processes, and safeguards personal data, in accordance with:

  • The Institute of Fundraising’s GDPR Essentials for Fundraising Organisations
  • The Fundraising Regulator’s Code of Fundraising Practice

2. Our Role and Responsibilities

SHS acts as:

  • Data Controller for our own business operations (client communications, website, and mailing lists)
  • Data Processor when managing, configuring, or maintaining CRM or fundraising systems on behalf of nonprofit clients

As a processor, we only act under written instruction from the Data Controller and maintain strict confidentiality and security measures.

3. Lawful Basis for Processing

In accordance with GDPR Article 6, we process data on the following lawful bases:

  • Contractual necessity
    CRM implementation, data migration, website builds
  • Legitimate interest
    Project updates, follow-up consultations
  • Consent
    Email newsletters, event invites
  • Legal obligation
    Invoicing, tax and audit records
  • Legitimate interest (or contractual basis)
    Prospect research and publicly available funder data

Where consent is used, it is freely given, specific, informed, and unambiguous. We use opt-in mechanisms and never rely on pre-ticked boxes.

4. Fundraising and Marketing Communications

We ensure all communications comply with GDPR and PECR:

  • Email, text, or automated calls require explicit opt-in consent
  • Postal mail or live calls may be based on legitimate interest (unless the recipient has opted out or is registered with the TPS)
  • Every communication includes a clear unsubscribe option

We use Legitimate Interest Assessments (LIA) to ensure communications are proportionate and expected.

5. How We Collect Data

We collect personal data through:

  • Website forms, subscriptions, and analytics tools
  • Direct communication (email, phone, meetings)
  • Client project data shared for consultancy purposes
  • Publicly available sources (e.g. charity registers, grant databases)

We do not purchase or trade personal data.

6. Data We Collect

Depending on context, data may include:

  • Contact information (name, email, phone, organisation)
  • Project and CRM configuration data
  • Professional profiles (publicly available)
  • Financial data (invoices, payments via secure providers)

We do not collect sensitive data unless required and with explicit consent.

7. Data Retention

We retain data only as long as necessary:

  • Client data: up to 7 years (legal/audit)
  • Marketing data: reviewed annually or removed after 24 months of inactivity
  • Processor data: deleted or returned on client instruction

All data is securely deleted when no longer needed.

8. Data Security

We use robust security measures:

  • Encrypted storage and transmission (SSL/TLS)
  • Role-based access controls
  • Password-protected systems
  • Regular security reviews

All subcontractors meet GDPR standards via Data Processing Agreements (DPAs).

9. Data Subject Rights

Individuals have the right to:

  • Access their data
  • Correct inaccuracies
  • Withdraw consent
  • Object to or restrict processing
  • Request deletion
  • Request data portability

Requests: privacy@skyhighsolutioning.org

10. Data Sharing and Transfers

We only share data:

  • With trusted providers (e.g. CRM systems, hosting)
  • When legally required

We never sell data.

International transfers comply with UK adequacy regulations or Standard Contractual Clauses (SCCs).

11. Cookies and Analytics

We use cookies to improve the user experience and measure engagement.

Users can manage preferences via browser settings or our cookie notice.

Complaints and Oversight

If you have concerns:

Data Protection Lead
Sky High Solutioning
privacy@skyhighsolutioning.org

You can also contact the ICO:
https://www.ico.org.uk/concerns

Review

This policy is reviewed annually or when regulations change.

Key Principles

  • Lawfulness, fairness, and transparency
  • Purpose limitation and data minimisation
  • Accuracy and storage limitation
  • Integrity and confidentiality
  • Accountability