Privacy Policy

Who are we?

The Chartered Institute of Internal Auditors (IIA) is part of a global network of institutes affiliated to IIA Global. When you join the IIA you automatically become a member of IIA Global.

The Registered address is

13 Abbeville Mews
88 Clapham Park Road

Telephone: 020 7498 0101

The IIA takes the privacy of its members, customers, employees, suppliers, subcontractors and other contacts extremely seriously and is committed to protecting your personal information and complying with all current Data Protection legislation.

The details in this Privacy Notice are generalised to show the overall context in which the IIA collects and uses your information. The IIA will provide you with a more specific explanation of these options via an Information Notice at the time you supply your information.

How do we collect information from you?

We use any personal information that you provide to us online or via:

  • membership Application forms
  • telephone conversations
  • email
  • letter
  • any other type of Correspondence.

Membership applications are only accepted from you as an individual regardless of who is paying. The Institute will always act as the data controller for all membership related data collection and processing.

If your details have been given to us by a third party, such as a centralised event booking provider, the IIA acts as the data processor and will use your information only for the purposes instructed by the provider.

What type of information is collected from you?

When you participate in or sign up to any of the IIA’s services such as events, training, membership or online newsletters, we will collect and store personal information about you. We will also collect information about you if you supply the Institute with goods and services.

This information can consist of, but is not limited to, information such as your name, email address, postal address, telephone or mobile number and date of birth, depending on how you are engaging with us. By submitting your details, you enable us to provide you with the products or services that you have selected, and agreed we will provide.

How is your information used?

We will use your personal information for a number of processing purposes including:

  • providing you with the information you have asked for about our products, services and activities and ensuring any requests or enquiries you may have made from us are dealt with in a manner that is sufficient for both you and the Institute
  • we may need to contact you for reasons related to the service or activity you have signed up to, for example, changing the details about a course you have booked. We call this “Service Administration”
  • we may need to contact you about an application that you have made or a service that you supply
  • processing your employment application and, where applicable, a history of your employment once appointed.

If you are joining the IIA, we will share your name, membership number and email address data with our Global Body which is based in the United States of America. The only reason for this is to make sure you can access the content of our Global Website by means of a password issued by us.

What is the Lawful Basis for the IIA to process your Personal Data?

There are potentially a number of different ways in which we will process your information, and there may be a different legal basis for processing in each situation. A simplified view of the lawful basis for processing your information is shown in the table below:

Personal Data Collected

Department within IIA

Lawful Basis

Personal information relating to Membership Details and some payment information/history



Employee information relating to employment with the IIA


Legitimate Interest

Special types of information such as medical history






Provision with IIA Global


Legitimate Interest

Where Consent is the Lawful Basis, there will always be facilities for you to change your mind at any time.

How long will the IIA keep your Personal Data?

We only keep the information we hold for as long as is necessary to support the reasons you gave it to us, such as Membership. We also keep information for the appropriate periods where there are required or recommended legal or business reasons.

Who has access to your information?

Your information is provided to Global IIA.

We do not sell or rent your information to other organisations.

We may pass your information to third party service providers. This is only done when stated and for the purposes of completing tasks and providing goods and services to you on our behalf.

When we do this, we disclose only the personal information that is necessary to deliver the service and we have an agreement in place that requires them to keep your information safe and secure and not to use it for any other purpose.

We will not release your information to other organisations unless in exceptional cases when we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime. In all other instances, we would only share your information with another party if you have given your explicit permission to do so.

Third-Party Providers

We make certain personal information available to third parties who provide services to us. We do so on a 'need to know basis' and in accordance with applicable data privacy law. The external suppliers we use and the purposes for which we use them are:

AL Mailing

Mailing of Audit & Risk magazine, other bulk mailings such as membership renewals

Blackeye Design Ltd

Printing of annual dinner and conference programmes


Printing and despatch of study materials ordered from us

Something Big

Telephone and email marketing and member renewals follow up

IIA Global

Generation of password access to the global website


Updating on progress of apprenticeships your employer has purchased from them

Holmes Corporation

To permit you access to online study materials

Sundry workshop and event venues as notified to you when you book

To permit secure/authorised access to the event you have booked

The IIA will require all Third-Party Data Processors with whom we share data to sign a Data Sharing Agreement which will ensure that they comply with our Data Protection Policies.

Social Media Platforms

If you engage with the IIA on any of our social media channels you should know that we do not collect your personal information from these origins. It remains within the platform that we are using and so you should familiarise yourself with their privacy notices and policies. Facebook, Twitter and LinkedIn.

The IIA may use information you provide to share updates, news and events, in the form of customised online advertising. If you send us a direct message, your information still remains within the platform unless we ask you to provide us with your contact details to continue the conversation offline or privately, and you consent to do that.


Many websites use 'cookies' which are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. 

We use some unobtrusive cookies to store information on your computer. We also use some non-essential cookies to (anonymously) track visitors and help to enhance user experience of the Website. These all expire when the browsing session ends.

The IIA website occasionally contains hyperlinks to websites owned and operated by third parties. These third party websites have their own privacy policies, and are also likely to use cookies, and we therefore urge you to review them. We do not accept any responsibility or liability for the privacy practices of such third party websites and your use of such websites is at your own risk.

For more information on cookies, see our cookie policy here.

Your Individual (Data Subject) Rights

You have a choice about whether or not you wish to receive marketing information from us. If you give permission to receive communications about the work of the IIA and our products, services and events, you can select your choices when we collect your information.

We will not contact you for marketing purposes by post, email, or text message unless you have given your explicit permission.

  • you have the right to ask for information you believe to be wrong to be corrected
  • you have the right to object to processing, or to ask for processing to be restricted at any time
  • you have the right to ask for a copy of the personal information that the IIA holds about you. We will always endeavour to meet the 1 month deadline shown in the Regulations
  • you have the right to ask for your complete record with us to be deleted
  • you have the right to be provided with some of your information so that it can be ported to a similar service provider and reused.

If you wish to do any of these please contact our Data Protection Officer, Amanda Winham, in the first instance by emailing her at, or by writing to her at:

Chartered IIA Data Protection Officer
Chartered Institute of Internal Auditors
Wimbledon Business Centre
The Old Town Hall
4 Queen’s Road

Security precautions to protect against loss, misuse or alteration of your information

When you give us personal information, we take the necessary steps to ensure that it’s treated securely. The IIA’s website is built in HTTPS. The principal motivation for HTTPS is authentication of the website and protection of the privacy and integrity of the information exchanged while in transit. So you can be assured that any personal information that requires extra security (such as credit or debit card details) is encrypted and protected using industry standard security measures, including the Secure Socket Layer (SSL) protocol.

While we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, via email for example, and you do so at your own risk.

Once we receive your information, we make all reasonable efforts to ensure its security on our systems.

Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Processing Card Payments

Where you use your credit or debit card to purchase from us, we will ensure that this is carried out securely. We do not store your card details for use in future transactions.

Links to other Organisations’ Websites

Our website may contain links to other websites run by other organisations. This privacy notice applies only to our website, so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

In addition, if you linked to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party site and recommend that you check the policy of that third-party site.

Questions and complaints

Any questions regarding this Privacy Notice and our data protection practices should be sent by email to the Data Protection Officer, Amanda Winham, at or telephone +44 (0)20 7498 0101.

If you have a complaint about our privacy practices and the way we have collected, used, retained or disposed of your information please contact or telephone +44 (0)20 7498 0101.

Alternatively, you can contact the Information Commissioner’s Office to make a complaint or report a concern by calling their helpline on 0303 123 1113 (in the UK), or contacting them at

Information Commissioner's Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113

Alternatively, you can contact the equivalent national privacy authority in your country, if outside the UK.

Privacy Notice Review

We review this notice annually or as and when changes in legislation or internal procedures require it. This notice is reviewed by the Data Protection Officer.

Page last updated: March 2019