Data Protection Policy
Last updated: May 2026
This Data Protection Policy sets out the principles and responsibilities that govern how EP Media LTD, trading as EP+ EntrepreneurPlus ("EP+"), collects, handles, and protects personal data.
This policy applies to all staff, contractors, contributors, and third parties working with EP+ who handle personal data in connection with our operations.
1. Our Commitment
EP+ is committed to processing personal data lawfully, fairly, and transparently in accordance with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018 (DPA 2018)
- The Data (Use and Access) Act 2025 (DUAA)
- The Privacy and Electronic Communications Regulations 2003 (PECR)
We treat data protection as an organisational responsibility, not a compliance checkbox.
2. Data Protection Principles
All personal data processed by EP+ must comply with the following principles under Article 5 of the UK GDPR:
- Lawfulness, fairness, and transparency — data is processed on a valid lawful basis and individuals are informed
- Purpose limitation — data is collected for specified, explicit, and legitimate purposes only
- Data minimisation — only the data necessary for the stated purpose is collected
- Accuracy — data is kept accurate and up to date
- Storage limitation — data is not kept longer than necessary
- Integrity and confidentiality — data is protected against unauthorised access, loss, or destruction
- Accountability — EP+ is responsible for demonstrating compliance with these principles
3. Roles and Responsibilities
Data Controller: EP Media LTD is the data controller for all personal data processed in connection with entrepreneurplus.co.uk and its associated services.
Editorial team: Responsible for ensuring that personal data used in editorial research and interviews is handled in accordance with this policy and the journalistic exemption where applicable.
All staff and contributors: Responsible for following this policy, completing any required data protection training, and reporting any suspected data breaches immediately.
4. Lawful Basis for Processing
Before collecting or processing personal data, EP+ must identify and document the appropriate lawful basis. The lawful bases available under Article 6 of the UK GDPR are:
- Consent — used for newsletter subscriptions and marketing
- Contractual necessity — used for directory listings and paid services
- Legal obligation — used where required by law
- Legitimate interests — used for analytics, fraud prevention, and internal operations, subject to a Legitimate Interests Assessment (LIA) where required
- Recognised legitimate interest — available under DUAA 2025 for specified pre-approved purposes including fraud prevention
5. Special Category Data
EP+ does not routinely process special category data (including health data, ethnic origin, political opinions, religious beliefs, or biometric data). Where such data is processed incidentally — for example, in the course of a founder interview — it will be handled under the journalistic exemption or with explicit consent.
6. Data Retention
Personal data must not be retained beyond the periods set out in our Privacy Policy. When retention periods expire, data must be securely deleted or anonymised. Our retention schedule is reviewed annually.
7. Data Security
EP+ implements the following technical and organisational measures to protect personal data:
- HTTPS encryption across the entire website
- Access controls — personal data is accessible only to authorised personnel
- Password policies and two-factor authentication on all systems
- Regular review of third-party processor security standards
- Secure deletion of data at end of retention period
8. Data Breaches
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
All suspected breaches must be reported to [email protected] immediately, and no later than 24 hours after discovery.
EP+ will:
- Investigate all reported breaches promptly
- Notify the ICO within 72 hours where the breach is likely to result in risk to individuals' rights and freedoms
- Notify affected individuals without undue delay where the breach is likely to result in high risk
- Document all breaches in our breach register regardless of whether notification is required
9. Third-Party Processors
EP+ uses third-party service providers who process personal data on our behalf. All such processors are subject to:
- A written data processing agreement
- Adequate security standards
- Restrictions on sub-processing
- Obligations to assist with data subject rights and breach notifications
A full list of our current processors is maintained internally and reviewed annually.
10. International Transfers
Where personal data is transferred outside the UK, EP+ will ensure that appropriate safeguards are in place, including ICO-approved Standard Contractual Clauses or adequacy decisions.
11. Data Subject Rights
EP+ is committed to facilitating the exercise of data subject rights as set out in our Privacy Policy. All requests must be acknowledged within one calendar month. Requests should be directed to [email protected].
From 19 June 2026, individuals also have the right to lodge complaints directly with EP+. We will acknowledge complaints within 30 days.
12. Journalistic Processing
As a digital media publication, EP+ relies on the journalistic exemption under Part 5, Schedule 2 of the Data Protection Act 2018 when processing personal data for editorial and journalistic purposes. This exemption allows EP+ to:
- Research and publish information about public figures and companies in the public interest
- Retain information relevant to ongoing editorial investigations
- Decline certain data subject requests where compliance would seriously impair publication
The journalistic exemption applies only to processing carried out with a view to publication and where EP+ reasonably believes publication is in the public interest. It is not a blanket exemption from all data protection obligations.
13. Policy Review
This policy is reviewed annually or whenever significant changes occur in applicable data protection law. The most recent review date is shown at the top of this document.
14. Contact
For any data protection enquiries:
EP Media LTD — Data Controller
Email: [email protected]
Website: entrepreneurplus.co.uk