This site belongs to a business that tells boards to take data protection seriously, so this policy is written to be read, not skimmed past. It says what information I collect, why, and what your rights are.
Who I am
INED.UK is the trading name of Mícheál Gallagher, a sole trader providing technology governance, cyber security, and advisory services to boards and directors in the UK and Ireland. For data protection purposes I am the data controller for the information described below. Contact: mgallagher@ineduk.com.
Visiting this website
This site sets no cookies and runs no advertising or cross-site tracking. It is hosted on Cloudflare's network, which processes visitor IP addresses transiently to serve and secure the site. If analytics are enabled, they are Cloudflare Web Analytics, which is cookieless and does not identify individual visitors. Page fonts are loaded from Google Fonts, which means your browser sends a standard request (including your IP address) to Google when a page loads.
When you contact me
If you email me or book an appointment, I receive the details you choose to share: typically your name, email address, organisation, and whatever you write. Appointment bookings are handled by Google Calendar's appointment scheduling, and my email runs on Google Workspace, so Google processes this information as my service provider. I use it to respond to you and to provide what you've asked for. The lawful basis is legitimate interests (responding to people who contact me) or, where we go on to work together, the performance of a contract.
The Board Briefing newsletter
If you subscribe, I hold your email address to send you the Briefing, on the lawful basis of your consent. Every edition includes a way to unsubscribe, and unsubscribing is immediate and unconditional. Your address is never sold, shared, or used for anything other than the Briefing.
Business-to-business outreach
I occasionally contact directors and organisations who I believe would genuinely benefit from these services, using publicly available professional contact details (for example, corporate websites or professional registers). The lawful basis is legitimate interests, and this is done in line with the UK's PECR rules on corporate subscribers. Every such email identifies me, says why you're receiving it, and gives you a one-step way to opt out. If you opt out, I record the minimum needed to make sure I don't contact you again, and nothing else.
Client work
Engagements such as audits and assessments necessarily involve information about your organisation and the individuals in it. That information is used solely to deliver the engagement, is held securely, and is governed by the engagement's own terms, which take precedence over this general policy where they differ.
How long I keep things
Correspondence is kept for as long as a working relationship is live or reasonably likely, and then deleted. Newsletter addresses are kept until you unsubscribe. Client records are kept for six years after an engagement ends, in line with normal professional and tax requirements.
Who else sees your data
No one, except the service providers that make the business run: Cloudflare (website hosting and security) and Google (email, calendar, and document storage). Both act as processors under their standard terms. I do not sell, rent, or trade personal information with anyone.
Your rights
Under the UK GDPR you can ask me for a copy of the personal data I hold about you, ask for it to be corrected or deleted, object to how it's used, and ask for it to be transferred. Email mgallagher@ineduk.com and I'll respond within a month. If you're unhappy with how I've handled your data, you can complain to the Information Commissioner's Office at ico.org.uk, though I'd appreciate the chance to put it right first.
Changes
If this policy changes materially, the date at the top changes with it. There is no notification theatre; the current version is always this page.