The Institute of Operational Risk (hereinafter “IOR”, “we”, “us”, or “our”) is committed to protecting and respecting the personal data that we hold. This privacy statement describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, either by individuals themselves or by others. We may use personal data provided to us for the purposes described in this privacy statement or as made clear before collecting personal data.

Personal data is any information relating to an identified or identifiable living person. When collecting and using personal data, our policy is to be transparent about why and how we process personal data. 

We process personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose are set out in the relevant sections below.

The personal data that is provided to us is either provided directly from the individual concerned or from third parties.

Where we receive personal data that relates to an individual from a third party, we request that this third party inform the individual of the necessary information regarding the use of their data. Where necessary, reference may be made to this fair processing statement.


We take the security of all the data we hold seriously. 

We have a framework of policies and procedures which ensure we regularly review the appropriateness of the measures we have in place to keep the data we hold secure.

All information you provide to us is stored on our secure servers.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.



We provide services to individuals as well as organisations. The exact data held will depend on the services to be provided.

Where we engage with individuals, we may collect and process personal data in order to satisfy a contractual or operational obligation. We request that individuals only provide the personal data that is required for us to fulfil our contractual or operational obligation.

Why do we process data?

Where data is collected for professional services, it is used for a number of purposes, as follows:

  • Providing services to you. Data is processed in accordance with the purpose for which we have collected it, and may sometimes be further clarified in written documentation supplied before any data processing may occur. We provide a range of services and this includes but is not limited to: holding examinations leading to professional qualifications, membership services and running events.
  • Individual needs. When communicating with and assessing the needs of clients, personal data may be processed in order to ensure that their needs are appropriately satisfied. This may include assessing whether the services provided to our clients are appropriate.
  • Administration. In order to manage and administer our business and services, we may collect and process personal data. This may include (but is not limited to) maintaining internal business records, managing client relationships, hosting events, and maintaining internal operating processes.
  • Regulatory. In order for the IOR to do what it does, we may from time to time be required to collect and process personal data in order to fulfil regulatory, legal or ethical requirements. This may include (but is not limited to) the verification of identity of individuals.

What data is processed?

The data that is processed is dependent on the service that is being provided and on the recipient of this service.

  • Services to individuals. Personal data may include name, contact details, ID documents to identify who you are (passport / driving licence), qualification and certificates, membership data, bank details, photographs, videos and any other specifically relevant data.

How long do we hold data for?

We retain the personal data processed by us for as long as is considered necessary for the purpose(s) for which it was collected; there may also be occasions which will require data to be kept for longer, however this will typically be for legal purposes. 

In addition, personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it. We will periodically review this data, to ensure that it is still relevant and necessary.


Personal data from our contacts, which covers both potential and prior relationships, journalists and media contacts, as well as potential and prior office bearers and volunteers are held in our systems.

This information may be entered into the system after contact is made between an office bearer of the IOR and an individual or a business contact individual. 

Why do we process data?

Where personal data on business contacts is held, it is used for a number of purposes, as follows:

  • Promote and develop our services.
  • Hosting and facilitating of events.
  • Relationship management.
  • Administration and management. 

What data do we hold?

Personal data that may be stored by us include, but are not limited to, name, email address, physical address, job title and details of the initial meeting.

In addition, personal data may be securely archived with restricted access and other appropriate safeguards where there is a need to continue to retain it.

How long do we hold data for?

We retain the personal data processed by us for as long as is considered necessary for the purpose(s) for which it was collected.


We collect personal data for our people as part of the administration, management and promotion of our business activities. Our people are the volunteers who hold positions within the IOR as office bearers or committee members.


Where an individual is applying to volunteer, personal data is collected through the application process. 

Personal data for applicants is collected for a number of purposes.

  • Volunteers. We process an applicant’s personal data in order to assess their potential to act as an office bearer or committee member at the IOR.
  • Administration and management. We may also use this personal data in order to make informed management decisions and for administration purposes.

Personal data collected for applicants is held for as long as necessary in order to fulfil the purpose for which it was collected, or for a maximum of one year where those purposes no longer become necessary.


We collect and process personal data about our suppliers, subcontractors, and individuals associated with them. The data is held to manage our relationship, to contract and receive services from them.

Why do we process data?

  • Receiving goods and services. We process personal data in relation to our suppliers and their staff as necessary to receive the services. 
  • Providing services to our clients. Where a supplier is helping us to deliver professional services to our members and students, we process personal data about the individuals involved in providing the services in order to administer and manage our relationship with the supplier and the relevant individuals and to provide such services to our members and students.
  • Administering, managing and developing our businesses and services. We process personal data in order to run our business, including:
    • managing our relationship with suppliers;
    • developing our businesses and services (such as identifying members’ and students’ needs and improvements in service delivery);
    • hosting or facilitating the hosting of events; and
    • administering and managing our website and systems and applications.
  • Security, quality and risk management activities. We have security measures in place to protect our and our members’ and students’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to our suppliers. We collect and hold personal data as part of our supplier contracting procedures. We monitor the services provided for quality purposes, which may involve processing personal data.
  • Complying with any requirement of law or regulation. We are subject to legal, regulatory and professional obligations.  We need to keep certain records to show we comply with those obligations and those records may contain personal data.

What data do we hold?

We will hold suppliers’ names, contacts’ names, and contact details of suppliers.

How long do we hold data for?

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).  Data may be held for longer periods where required by law or regulation and in order to establish, exercise or defend our legal rights.


We use cookies on our website. Insofar as those cookies are not strictly necessary for the provision of our website, we will ask you to consent to our use of cookies when you first visit our website.

We may request from you your e-mail address and/or your postal address to communicate with you through several different channels, including post and electronic newsletters. We ask that you confirm that we can subscribe you to our mailing lists as part of any such request. You can also proactively elect to subscribe to receive selected communications. Our aim is to keep you up-to-date with all the latest news from the IOR. However, if you no longer wish to receive direct mail or e-mail communications from us, you are able to unsubscribe from them individually at any time at your discretion, or you can edit or completely remove your e-mail details.

Data about you provided to the IOR will be used for the purposes described at the time of collection. It may also be used for the other purposes described in this Privacy Statement. For instance, data may be used by the IOR to record your use of IOR services, events and other facilities.  This helps us to administer these effectively, provide the highest possible level of service and also helps us better understand your needs and interests.

The IOR compiles statistics from visitors’ (both IOR members and non-members) use of this website. Membership of the IOR is required to access certain specific secured pages (Members’ Area). However, other than this specific area of the website, visitors are not required to be IOR members to gain access to the general pages of the website. The reason we collect and use this data is for our legitimate legal interests, namely monitoring and improving our website and services.

Any information collected as a result of your visit to the website will remain anonymous.  The statistics collated will not include domain or IP addresses.  Further, temporary cookies and sessions will only be used for the duration of your visit to the IOR website to enhance usability as you move from one page to another and will expire when you leave the site, or if your session is idle for approximately 20 minutes.  No personal data is retained relating to such website visits.

The IOR website contains links to other sites that reflect the interests and/or share the values and objectives of the IOR. 

The IOR does not control, and is not responsible for, the accuracy, timeliness, security, or the continued availability or existence of such outside information. Opinions expressed on other sites linked from the IOR website are not necessarily those of the IOR. Neither is the IOR responsible for the contents of any websites that choose to link to the IOR website, with or without the IOR’s consent.


We will only share personal data with others when we are legally permitted to do so.  When we share data with others, we put contractual arrangements and security mechanisms in place to protect the data and to comply with our data protection, confidentiality and security standards.

Personal data held by us may be transferred to:

  • Third party organisations that provide applications/functionality, data processing or IT services to us.
  • We use third parties to support us in providing our services and to help provide, run and manage our internal IT systems.  For example, providers of information technology, identity management, website hosting and management, data analysis, data back-up, security and storage services. 
  • Third party organisations that otherwise assist us in providing goods, services or information.
  • Third party organisations in order to hold events or examinations on behalf of the IOR.
  • Law enforcement or regulatory agencies or those required by law or regulations.

Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with applicable law and regulation, to investigate an alleged crime, to establish, exercise or defend legal rights.  We will only fulfil requests for personal data where we are permitted to do so in accordance with applicable law or regulation.


Where possible, personal data resides within the UK territory but may be transferred to, and stored at, a destination inside the European Economic Area (EEA).

We will not transfer your personal data outside the European Economic Area (EEA) unless the recipient country ensures an adequate level of protection for the rights and freedoms of data subjects.


Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights as follows:

  • the right to be informed about the collection and the use of their personal data
  • the right to access personal data and supplementary information
  • the right to have inaccurate personal data rectified, or completed if it is incomplete
  • the right to erasure (to be forgotten) in certain circumstances
  • the right to restrict processing in certain circumstances
  • the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
  • the right to object to processing in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to withdraw consent at any time (where relevant)

If you wish to exercise any of these rights, please send an email to:


We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to:  We will look into and respond to any complaints we receive.

You also have the right to lodge a complaint with the UK data protection regulator, the Information Commissioner’s Office (“ICO”). For further information on your rights and how to complain to the ICO, please refer to the ICO website:


For the purposes of GDPR, the IOR is the ‘data controller’. 

If you have any questions about this privacy statement or how and why we process personal data, please contact us at:

Data Protection Officer

Institute of Operational Risk
2nd Floor, Sackville House
143 – 149 Fenchurch Street
United Kingdom


Updates to this privacy policy will appear on this website. This privacy statement was last updated in August 2023.
