Privacy Notice


The Information Security Forum (ISF) understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all visitors to this website and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

1. Information About Us – Who We Are

Some important details about us:


2. What Does This Notice Cover?

This Privacy Notice provides a high-level overview of how we use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data. More detailed information about how we use your personal data can be found in other layers of our privacy notices.

3. What is Personal Data?

Personal data is defined as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simple terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

The personal data that we use is set out in Part 5, below.

4. What Are My Rights?

You have the following data protection rights, which we will always work to uphold:

  1. The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using these details at
  2. The right to access the personal data we hold about you. Part 8 will tell you how to do this.
  3. The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 9 to find out more.
  4. The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please contact us using the details in Part 9 to find out more.
  5. The right to restrict (i.e. prevent) the processing of your personal data.
  6. The right to object to us using your personal data for a particular purpose or purposes.
  7. The right to data portability. This means that you can ask us for a copy of your personal data held by us to re-use with another service or business in many cases.

Further information about your rights can also be obtained from the Information Commissioner’s Office.

5. How Do You Use Personal Data for the ISF Public Website?

The table below describes a summary of the main purposes for which we process your personal information, the categories of your information involved and our lawful basis for being able to do this.

Purpose (Reasons why we use your personal information)Personal information usedLawful basis
All Visitors
To provide visitors with membership services, cyber, information security and risk management content, consultancy services, online collaboration and networking and the like.All contact details, download information, records of your interactions with us, and marketing preferences. Where you have given us your consent to do so. 
For the purposes of promoting live events e.g. ISF executive briefings and webinars.Contact details, attendance lists, images in video and/or photographic form.Where you have given us your consent to do so.
To send you other marketing information we think you might find useful or which you have requested from us, including our information about Membership, product releases, events, consultancy services and surveys etc.All contact and membership details, download information and marketing preferences.Where you have given us your consent to do so.
Social media communications.All contact and membership details, records of your interaction with usWhere you have given us your consent to do so.
To publish resources on our website or through our services.Publication data, relevant contact and membership details. Where contractual arrangements allow us to do so.
Retention of records.All the personal information we collect.We need to retain records in order to properly administer and manage your data/interests and in some cases, we may have a legal obligation to retain records. 
To refine our services and offerings to better tailor them to your needs and to market other services the ISF offers that may assist you in your career or otherwise help you do your job.Records of your interest in our products and services, and attendance at ISF events and webinars.Where you have given us your consent to do so.
For the purpose of monitoring use of our Website (“usage data”). and improving our Website and services.Account data, IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use.Our legal basis for this processing is legitimate interest.
The security of our IT systems.Your usage of our IT systems and online portals. We have a legal obligation from various laws to ensure that our IT systems are secure e.g. GDPR.
To answer your queries or complaints.Contact details and records of your interactions with us. Where you have given us your consent to do so. 
To comply with health and safety requirements.Records of attendance.We have a legal obligation to provide you and other attendees of your organisation with a safe environment.

6. How Long Will You Keep My Personal Data?

The ISF will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected.

  • Personal data will be retained for a maximum period of 3 years with Salesforce from the last date of communication

7. Who Are Our Data Processors?

For the purposes described above, the organisations we work with who are acting as our data processors are:

  • Salesforce
  • WordPress
  • Campaign Monitor
  • SurveyGizmo

8. How Can I Access My Personal Data?

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 9. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within 30 days. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

9. How Do I Contact You?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:

Email address:

10. Changes to this Privacy Notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

Any changes will be made available on