Privacy Policy

Ridouts Professional Services Plc (‘Ridouts’)

  1. Introduction

We appreciate the fact that you are parting with your personal data and that you trust our organisation with your personal data.  The security of your personal data is of fundamental importance to us.

  2. Our Services

We provide advice, training and legal consultation services to build lasting relationships with our clients. Unlike traditional lawyers, rather than simply telling clients what their options are, we integrate ourselves into the client’s value chain to offer expert insight and high-quality advice in the most efficient manner so that the client feels that we are an extension of their management team.

We provide proactive, practical solutions with a goal of achieving sustainable regulatory compliance as quickly as possible. We use our knowledge in this sector to suggest the best solution to often intricate problems.


  3. Purpose of this Privacy Policy

This privacy policy is aimed at ensuring that you are aware of the categories of personal data we intend to process on your behalf and the reasons why we intend to process your personal data (including sensitive data/special categories of personal data).

We want to assure you that we are compliant with the General Data Protection Regulation  (GDPR) as implemented in the UK as the Data Protection Act 2018.


  4. Ridouts & Contact Details

For the purposes of GDPR, the following director of Ridouts is  the ‘Controller’ and is mentioned below:

Paul Ridout


  5. Categories of Your Personal Data that We may Process

Personal Data

  • Full name
  • Home Address
  • The organisation’s address
  • Organisation’s reg. no (charity status if applic.)
  • Mobile Number and Office number
  • NI Number
  • Bank Details
  • Financial Documents
  • Email address
  • Any information which relates to your matter or case (including any prior file comprising your personal data)
  • Your Utility bill (3 months)
  • Bank statements (3 months)
  • Home insurance certificate (12 months)
  • Source of funds
  • MLRO Report
  • Details of any significant control
  • Conflict checks
  • High risk information
  • HMRC confirmation of charitable status of an organisation (if applicable)

Special Categories of Personal Data

  • Your Passport details
  • Your EU ID Card
  • Your Signature
  • Political situation


 The above list is not exhaustive.

Requesting personal data of employees, consultants and service users of Providers of Health and Social Care

Depending upon the circumstances, we may at times request that you provide us with the personal data of the employees and consultants of your organisation, and of current and past service users your organisation has cared for.

In such circumstances we will ensure that their personal data is also processed in line with the GDPR.

  6. Lawful Reasons for Processing your Personal Data

We will be processing your personal data (including sensitive data) for the following reasons:

  • to fulfil our contractual obligations with you; or
  • in order to fulfil a legal obligation; or
  • for legitimate interest reasons; or
  • if you have provided us with permission (consent) by your signature, verbally or by ticking an opt-in or subscribe button.

If you have provided us with consent, then you have the right to withdraw consent at any time.


  7. Lawful Reasons for Processing Special Categories of Personal Data

Sensitive Data/Special Categories of Personal Data – Purpose for Processing

We will be processing your personal data (including sensitive data) where:

  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • in order that we can meet our obligations in the field of social security protection law;
  • the processing is necessary for legitimate activities with appropriate safeguards in place;
  • it is necessary due to substantial public interest reasons;
  • processing is for archiving purposes;
  • we have obtained your explicit consent.

If you have provided us with consent, then you have the right to withdraw consent at any time.

  8. Unable to Process Personal Data – Consent being used as a Lawful Basis

If you have provided us with consent as a lawful reason for processing your personal data and you then withdraw that consent, this may mean, in certain circumstances, that we can no longer process your personal data, and this could affect your ongoing relationship with us.

  9. Disclosure of your Personal Data to Third Party Processors

  1. In order for us to carry out our services on your behalf we may need to disclose your personal data and sensitive data to third parties.
  2. The reasons would be:
  • in order that we can fulfil our obligations towards you under our contract of services; and/or
  • legitimate interest reasons; or
  • for legal obligation reasons.

The third-party processors are likely to be:

  • CQC
  • Ofsted
  • Local Authorities
  • BDO
  • PLMR
  • E-Shot
  • Other solicitors or professional advisors.

This list is not exhaustive and will depend upon the nature of your particular matter or case.

  10. Assurances under the GDPR

Ridouts is committed to getting assurances from each third-party processor that they are GDPR compliant and is committed to ensuring that the relevant contracts are in place.

  11. Non-liability – Your Disclosure to Third Parties

If you have provided your personal data voluntarily to the third-party processor, then the Controller accepts no responsibility regarding how this personal data will be processed by that third-party processor.

  12. Our Commitment to Processing your Personal Data in compliance with the GDPR

Principle 1 – Lawful Purpose (Article 5 of the GDPR)

We will be processing your personal data for lawful reasons as outlined in clauses 6 and 7 of this privacy policy.

Principle 2 – Specific Purpose & Limited (Articles 5 & 6 of the GDPR)

We will ensure that any personal data (including sensitive data) that we process will be specific, legitimate and limited to a specific purpose.

Principle 3 – Adequate, Relevant & Limited

We only want to process your personal data and sensitive data which is adequate, relevant & limited.

Retention Policy

We will only retain personal data which is specific, limited, relevant and adequate for the purpose it has been acquired.

Once we have terminated our relationship with you, we will take steps where necessary to minimise the amount of personal data that we retain on your behalf.

However, please note that in many cases we will be under a legal obligation to retain your personal data for longer than is necessary.  Please refer to our Retention Policy.

Duration – Retention of Your Personal Data

We will keep your personal data as follows:

  • for the duration of our business relationship with you; and
  • after any termination of any agreement for a period that does not exceed 13 years.

The retention is mainly required for legal compliance reasons.

We will delete your personal data after the legal and tax requirement period has been fulfilled.

Please contact the Controller for a copy of the ‘Retention Policy’.

Principles 4 & 5 – Accuracy of your Personal Data (Article 5 of the GDPR)

We want to ensure that your personal data is kept up to date.

If any of your personal data changes, please kindly contact our Controller at Ridouts in order that your personal data can be amended.

We will not be responsible in any way for your failure to notify us of any changes to your personal data.

Principle 6 – Ensuring Security

We have received assurances from our IT processors that the processing of your personal data on this platform is secure from any damage or accidental loss and that, if there are any risks, the risks are low. Our IT processors will do everything to rectify any security breaches related to the processing of your personal data.

  13. Transfer of Personal Data Abroad

Should we need to transfer any personal data outside the UK we will do our utmost to ensure that any personal data that is transferred abroad is done so with the appropriate safeguards in place.

  14. Consent

One of the lawful reasons for processing your personal data is if you provide us with consent. If you do provide us with ‘consent’, this means that you are providing us with permission to process your personal data.

Please also note the following:

  • we want you to provide your consent explicitly and freely; and
  • in the event that you do provide consent you have the right to withdraw your consent at any time.

For further information please contact our Controller for the Consent Policy.


  15. Your Rights

While we keep your personal data you have the following rights:

  • Right to request access to your personal data, known as a ‘Subject Access Request’ (SAR)
  • Right to rectification of your personal data
  • Right to request your personal data to be transferred to another organisation (right to data portability). However, currently we do not have this facility.
  • Right to object to the processing of your personal data (see right to object notice)
  • Right to erasure of your personal data
  • Right to restrict personal data
  • Right not to be subject to an automated decision-making process (including profiling)
  • Right to be informed
  • Right to make a complaint to the ICO in the event you feel your complaint has not been handled by the organisation correctly.

  16. Subject Access Request requirements

A SAR can be requested verbally by you; however, in order for us to ensure that we can deal with your request correctly, we will require you to:

  1. complete a SAR Form. This form can be requested from: Paul Ridout. Please email:
  2. return the SAR Form with a certified copy of your ID and also 2 months’ utility bills. You can also attend the offices in order to verify your ID;
  3. We will not be under any obligation to provide you with any personal data unless your ID is verified.


  17. Subject Access Requests – Time-scale

We aim to process the SAR within 1 month; however, it may take a further 2 months. If there is a delay, we will notify you of such delay in writing.

  18. Subject Access Request Details

You can at any time request the following information from our organisation:

  • The full name(s) and contact details of who has been processing your personal data including names of the controller and any managers responsible for processing the personal data;
  • A list of personal data & sensitive data which has been processed by the controller
  • If the personal data was obtained by a third party, details of such third party
  • Details of any recipients including third country details
  • The reasons why these forms of personal data have been processed (lawful reasons etc & compliance with key principles)
  • Sensitive data – consent – if not legitimate reasons for processing
  • Where the personal data has been located (third party/controller’s platform/computer system) including security
  • Retention Periods – the length of time your personal data will be processed
  • Compliance with the key principles which are disclosed in this privacy document
  • If your personal data has been processed outside the EU, details of any representative(s)
  • Your rights (object, restrict, erasure etc) which are listed in this privacy document
  • Your right to make a complaint to the Information Commissioner’s Office (ICO).

  19. Marketing

Ridouts may contact you for the purpose of direct marketing. This means that we may use your personal data that we have collected in accordance with this privacy policy to contact you about other services that may interest you. The direct marketing communications may be provided to you by email, telephone, post or social media channels.

How we collect personal data

The following are examples, although not exhaustive, of how we collect your personal information.  You:

  • Sign-up to receive one of our newsletters
  • Submit an online enquiry
  • Agree to fill in a questionnaire or survey on our website
  • Ask us a question or submit any queries or concerns you have via email or on social media channels
  • Post information to our website or social media channels, for example when we offer the option for you to comment on, or join, discussions
  • When you leave a review about us on a third party platform
  • Third party bought lists, including a company called Oscar Research
  • Publicly available sources

Marketing & Consent

You may have consented to receiving material from Ridouts as follows:

  1. by signing a document provided by Ridouts which allows Ridouts to market to you directly; or
  2. by ticking an ‘opt-in’ button; or
  3. by ticking a box in a document provided by Ridouts which expressly states that you consent to receiving e-newsletters or receiving information such as Ridouts’ upcoming events; or
  4. verbally, where this has been followed up by an email confirming that verbal consent.

You have the right to withdraw consent at any time. You can withdraw your consent as follows:

  1. by opting out from any email correspondence sent to you from Ridouts; or
  2. by informing a member of staff by telephone; or
  3. by emailing the Controller and exercising your right of objection via

Marketing & Legitimate Interest

Relevant marketing communication by email and telephone may be sent to you during a case and once the case has been closed. You will have the option to exclude yourself from marketing by clicking on an unsubscribe link or opt-out button, by speaking to an advisor or by contacting the Controller through email.

How we may use your details

The following are examples, although not exhaustive, of how we may use your personal information for our legitimate business interests:

  • fraud prevention
  • to provide you with our E-newsletter
  • to notify you of any events we are holding or other Firm news via email
  • to provide you with information as a result of you contacting us following receipt of our E-newsletter
  • direct marketing that we think will be of interest to you.
  • network and information systems security
  • data / analytics / enhancing, modifying or improving our services
  • identifying usage trends
  • determining the effectiveness of promotional campaigns and advertising.

Ridouts are sending you this information in your business capacity.  We are relying on legitimate interest to process your information, on the basis we believe that the information sent to you would be of interest to you, as it relates to the health & social care sector that you operate in, that processing your data is necessary to fulfil that purpose, and sending you this information is not intrusive and does not impinge on your individual rights.

However, you have the right to unsubscribe from Ridouts’ direct marketing at any time.  You can do this by contacting us by any of the methods noted above.

We use a third-party provider, Forfront e-Shot, which processes your data on RPS’s behalf, to deliver our marketing emails. We gather statistics around email opening and clicks using Forfront e-Shot’s software to help us monitor and improve our E-newsletter. Each communication (which will be delivered to you at least once each month) will include an option for you to unsubscribe. We will understand that your consent is renewed each time that you receive our marketing emails unless you exercise your right to unsubscribe.

We may use your personal information for legitimate interests such as direct marketing or under reasonable expectation to provide you with information you would expect to receive or that would benefit and enhance our relationship. This information will help us review and improve our products, services and offers.


Right to object to certain types of processing of personal data such as:

  • for marketing purposes
  • automated processing
  • profiling

This right to object does not apply if:

  1. Our organisation needs to enter into a contract with you
  2. It is sanctioned by law (tax evasion or fraud)
  3. The agreement does not have a legal or equally important impact
  4. It is based around explicit consent and you have provided us with explicit consent

Please contact a Controller of Ridouts via


In the event that you wish to make a complaint about how your personal data is processed by our organisation (or any third party listed in this privacy policy) then please make your complaint to the following:


Paul Ridout


The contact details of the ICO are as follows:

Tel: 0303 123 1113

Please also request the firm’s ‘Complaints Procedure’ from any member of the firm.

