Internal Privacy Policy


Kerv understands that everyone has a right to data privacy and protection, and aims to set the highest ethical benchmark when processing individual’s data. We demonstrate our commitment to data privacy and protection by meeting multiple industry standards, enabling us to implement the highest levels of personal data protection.  

Transparency is also something we care deeply about, so in addition to our Privacy Notice we think it’s important that we clearly state the controls we have in place to ensure that we treat all personal data with the respect that it deserves, enabling our customers to challenge our approach in the interest of collective continual improvement.  


Kerv incorporates best-practice systems and all required privacy protection as part of its standard business processes, managed via our Governance Team. The following data privacy and protection controls are integration throughout our Business Management System:


This policy applies to all employees, contractors, customers, visitors, and to all data held or processed by us, including programs, systems, facilities and technical infrastructure.  

Privacy Outcomes  


Privacy  Controls  

To ensure we continue to achieve our privacy outcomes, comply with applicable data protection laws and regulations and deliver our Privacy Objectives we have following controls in place:  

Organisational Controls  

Human Resource Controls  

Technical Controls  

Responsibilities of Data Protection and Privacy Officer  

We have appointed a Chief Data Privacy and Protection Officer in place of a Data Protection Officer because:   

The Data Privacy and Protection Officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, considering the nature, scope, context, and purposes of processing.  

The DPPO is responsible for:  

  1. informing and advising Kerv, and its employees who carry out processing, of their obligations pursuant to applicable laws and regulations and to other data protection provisions;  
  1. monitoring compliance with the GDPR and with other data protection provisions and with our policies to ensure the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;  
  1. providing advice, where requested, about the data protection impact assessment and monitor its performance;  
  1. reviewing internal/external audit reports along with the Governance Team to evaluate and report on all aspects of Kerv’s compliance with these Rules and ensure that any corrective/preventative action takes place as soon as reasonably practicable;  
  1. where a DPPO has reason to believe local or national legislation prevents Kerv from fulfilling its obligations under these Rules, or has a substantial effect on Kerv’s ability to comply with these Rules, the DPPO will promptly inform the Chief Data Protection and Privacy Officer;  
  1. handling local complaints from data subjects;  
  1. reporting major privacy issues to the Chief Data Protection and Privacy Officer; and  
  1. ensuring data protection compliance at a local level.  

In addition to the above responsibilities the Chief Data Protection and Privacy Officer is also responsible for:  

  1. cooperating with the Information Commissioners Office -  the UK supervisory authority;  
  1. acting as the contact point for the supervisory authority on issues relating to processing, including the prior consultation and to consult, where appropriate, regarding any other matter;  
  1. managing the Data Breach Assessment Board which is chaired by the Chief Data Protection and Privacy Officer and is composed of senior executives of Kerv. The Chief Data Protection and Privacy Officer is responsible for overseeing all privacy and data protection issues, including ensuring compliance with all aspects of these Rules. The Chief Data Protection and Privacy Officer reports to the board of directors of Kerv Group. The Chief Data Protection and Privacy Officer is supported by a team of local Privacy Officers responsible for overseeing and ensuring compliance with these Rules on a day-to-day basis at a local level;  
  1. making a responsible decision where there is a conflict between national law and these Rules and will consult with the relevant Data Protection authority in case of doubt;  
  1. keeping an up-to-date list of Kerv affiliates bound by the Rules, recording any updates to the Rules and providing the necessary information regarding updates on requests to any data controller and data subject or the relevant Data Protection Authorities and no transfer of data is made to a new Kerv affiliate until the Kerv affiliate is bound to these Rules; and notifying the relevant Data Protection Authorities of any changes in operation at least annually.  


The Data Protection and Privacy Officer, supported by the Governance Team, are responsible for this policy and its implementation. We commit to providing the relevant resource and to reviewing this policy annually and communicating it within the organisation and to external interested parties.  

Legal Responsibilities  

The UK government mandates several statuary obligations regarding information security. This policy therefore actively complies and supports these obligations. We identify relevant and applicable data privacy and protection laws and regulation using our Requirements Gathering and Discovery Process, these legal responsibilities are then detailed in our Business Management System in Legislation and Regulation.  

We appoint independent external auditors to assess and confirm our compliance with ISO and NCSC data privacy and protection standards annually.  

Worth Digital

is now part of Kerv

In a continued effort to ensure we offer our customers the very best in knowledge and skills, Kerv has acquired Worth Digital.