Research and analysis

Research on mapping the AI and software cyber security services market: privacy notice

Published 20 November 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/research-on-mapping-the-ai-and-software-cyber-security-services-market/research-on-mapping-the-ai-and-software-cyber-security-services-market-privacy-notice

This notice sets out how we will process your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).  

The Department for Science, Innovation and Technology (DSIT) is responsible for conducting the mapping of the AI and software cyber security services market which is a telephone and online-based study of UK businesses. DSIT has commissioned a third party, Pye Tait Consulting, to conduct this research on its behalf. DSIT is the Data Controller for this research, and Pye Tait Consulting is acting as a Data Processor for DSIT.

1. Your data 

We will process the following personal data:  

  • name, job title, and contact details (including email address and phone number) of those participating in the research. 

We may include details about the types of roles held by research participants in the final published report, but we will not list job titles.

2. Purpose 

The purpose(s) for which we are processing your personal data is:  

  • to enable Pye Tait Consulting to undertake the research on behalf of DSIT and to recontact research participants if necessary to clarify or validate elements of survey responses, and
  • to allow DSIT to recontact research participants to notify the recipient of the publication of related new policy.

The legal basis for processing your personal data under Article 6 of the UK GDPR is:  

1(e)Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller – Pye Tait Consulting may wish to recontact research participants to clarify or validate elements of survey responses.  

DSIT may also rely on your consent to contact you in relation to future research, where you have indicated you are happy to be contacted. Where consent is provided by participants, contact details will be shared with DSIT for the purpose of recontact about the research and to notify the recipient of the publication of related new policy. This will include your records of consent. Where we do so, our lawful basis is:  

1(a)Consent: You consent to the processing of your personal data for one or more specific purposes. Should you change your mind, you can withdraw consent at any time by contacting aicybersecurity@dsit.gov.uk.

4. Recipients 

Your personal data will be shared by us with Pye Tait Consulting staff working on this project. Where consent is provided by participants, contact details will be shared with DSIT for the purpose of recontact about the research and to notify the recipient of the publication of related new policy.  

When summarising findings in the publishable report at the end of the project, we may refer to the types of roles held by interviewees, but we will not list details about any individuals’ job titles. 

As part of our IT infrastructure, your personal data will be stored in the UK on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems

5. Retention  

Your personal data will be kept by Pye Tait Consulting for the duration of the project, which is expected to be five months, to March 2026. All personal data will be deleted by Pye Tait Consulting upon completion of the project. Where consent is given, DSIT will keep your personal data for one year to communicate relevant policy notifications, to March 2027. 

6. International transfers

Your personal data will only be processed in the UK. 

7. Your rights 

You have the right to:

  • request information about how your personal data are processed, and to request a copy of that personal data.  
  • request that any inaccuracies in your personal data are rectified without delay.  
  • request that any incomplete personal data are completed, including by means of a supplementary statement.  
  • the right to request that your personal data are erased if there is no longer a justification for them to be processed.  
  • the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.  
  • the right to object to the processing of your personal data where it is processed for direct marketing purposes.  
  • the right to withdraw consent to the processing of your personal data at any time. 
  • the right to object to the processing of your personal data. 

To exercise your rights please contact the Data Protection Officer using the contact details below.

8. Contact details 

The data controller for your personal data is the Department for Science. Innovation and Technology (DSIT). You can contact the DSIT Data Protection Officer at:  

DSIT Data Protection Officer
Department for Science, Innovation and Technology
22-26 Whitehall
London
SW1A 2EG 

Email: dataprotection@dsit.gov.uk.

If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.  

9. Complaints 

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. The Information Commissioner can be contacted at:  

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113 

https://ico.org.uk/make-a-complaint/

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.  

10. Updates to this notice 

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change. 

If these changes affect how your personal data is processed, we will take reasonable steps to let you know. 

Last updated: 14 November 2025

Back to top