Data Protection Policy
The General Data Protection Regulation (GDPR) regulates the processing of data relating to individuals. This includes the obtaining, holding, using or disclosing of such data and covers computerised records as well as manual filing systems and card indexes.
Southport Business Improvement District shall hold the minimum personal data necessary to enable it to perform its functions. All such data is confidential and needs to be treated with care in order to comply with the law.
We recognise that the lawful and correct treatment of personal data is very important to successful operations and to maintaining customers’ and employees’ confidence in ourselves.
Any personal data which we collect, record or use in any way whether it is held on paper, on computer or other media shall have appropriate safeguards applied to it to ensure that we comply with the GDPR.
This policy will cover the rules and also the implementation of best practice around data acquisition, usage, storage and protection.
2 Data Protection Principles
The Company is fully committed to adhering to the Principles of Data Protection, as set out in the GDPR.
In summary, the Principles state that personal data shall
- Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
- Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
- Be obtained for legitimate interests which cover the following:
a. Voter contact details to communicate during a formal BID ballot. To which the contact details will be accessible for any ballot.
b. Levy payer contact details to allow Southport BID to communicate effectively.
c. Information gathered via our online e-mail sign up to communicate any services and projects delivered by BID.
- Be adequate, relevant and not excessive for that purpose.
- Be accurate and kept up to date annually.
- Not be kept for longer than is necessary for that purpose.
- Be processed in accordance with the data subject’s rights
- Be kept safe from unauthorised access, accidental loss or destruction
- Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data
To comply with the law, information shall be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
3 Compliance and accountability
It is the responsibility of Southport BID to:
- Assess the understanding of the obligations of the BID under the GDPR
- Identify and monitor problem areas and risks and recommend solutions
- Promote clear and effective procedures and offer guidance to staff on Data Protection issues
- Review business changes and determine whether registration under the GDPR is required
4 Data Acquisition
Any staff members purchasing, renting or otherwise acquiring data are responsible for the following:
- Suppliers must verify that any purchased or rented data has been acquired in a compliant manner.
- Any data acquired for marketing purposes (email lists, phone numbers, addresses etc) must be acquired through legal methods or from reputable suppliers. Individuals must have opted to receive marketing messages.
- If the supplier cannot or will not supply an adequate Proof of Provenance, we cannot use their services.
- If possible, data should be acquired from the source rather than a supplier further down the chain.
Any data which is acquired – either by the Company from or a third-party supplier – which individuals have not explicitly opted into cannot be used and could potentially put the Company at risk of sanctions from the ICO.
5 Data Classification
Staff members who regularly deal with personal data and store and transfer it are responsible for assessing the importance and sensitivity of the data and classifying it accordingly. This ensures that any recipients are aware of the precautions that they need to take when they are handling it.
- Low: A dataset that does not contain any information which is directly personally-identifiable. It has either been completely anonymised or pseudonymised, or does not contain any personal information such as contact details, email addresses, addresses etc or any vital client information. An example would be a self-generated testing dataset used to create an analytical model, as this is something that is worthless to anyone outside the organisation. That said, care should still be taken around its storage, use and transference.
- High: Any dataset which contains confidential information, either personal data such as email lists, CRM outputs, address targets and so on, or information which is vital to a client, such as transaction details. If you are unsure of the classification, err on the side of caution and assume it should be classified as High. This data should be stored for no longer than is needed, should be password protected and encrypted and would ideally only be transferred by secure means.
If you are unsure of the classification a piece of data should receive, discuss it with your manager who will be able to point you in the right direction.
6 Data Transference
- When transferring sensitive data between yourself and other individuals, either within the BID or externally to clients, members, partners and/or stakeholders you must ensure the following:
- The recipient is authorised to receive this data. You must not share confidential information with unauthorised persons either deliberately or through negligence. Doing so may lead to disciplinary action being taken or even a criminal prosecution.
- All reasonable steps to ensure a safe transfer have been taken.
- Data should not, unless absolutely required, be transferred outside the European Union. If it must be, sign off from a Company director must be obtained.
- If you must transfer the information via email, the following steps should be taken:
- If possible, depersonalise the information. This obviously will not be possible with some pieces of data, but if it can be depersonalised, do so before transfer.
- The file(s) must be encrypted and protected with a strong password.
- The email should be deleted from the inbox/ sent items folder and the deleted items folder as soon as the dataset has been exported.
- The sender must log the date, time, recipient, format, method of transfer and classification of the data in the internal BID business contacts database.
7 Data Storage
It is the employee’s responsibility to ensure that all received and otherwise acquired data is stored correctly. The company will provide regular backups and archiving facilities for electronic data and lockable cabinets for hard copies. All machines and backup devices shall be encrypted and protected with strong passwords.
- Employees shall ensure that any personal information which they have access to is:
- Stored in the secure cud based environment and only stored on their local machines for the duration they require to work on it (if appropriate).
- Protected with a strong password and encrypted.
- Removed from their local machine and any memory sticks, cloud storage platforms or other non-secure or Company-controlled areas as soon as it is no longer required.
- Removed from their secure data environment as soon as it is no longer required. This will require the performance of regular checks on their storage environment.
- All hard copies such as personnel information and financial statements must be kept in a locked cabinet or drawer and put away when not in use. Relevant members of the Operations Team and Senior Management shall be the only people with access to this.
- Any breach of this Data Protection Policy whether deliberate or through negligence may lead to disciplinary action being taken or even a criminal prosecution.
8 Breach Procedure
In the event of a breach (an incident where data is lost, either through the loss or theft of the laptop/ memory stick/ hard drive it is stored on, a breach in the security of the platform it is stored in, or the hard copies being lost or stolen), employees must inform the Data Protection Officer (DPO) immediately. Your DPO will then escalate this to the appropriate team members including Board of Directors.
The nominated team members will then assess the severity of the breach and work to ascertain the correct response.
In all instances, if clients have had their customer data compromised, either through actions or a breach on the employee’s part or on the part of a third party, clients shall be alerted to the fact by a BID Director as soon as possible. This should take the form of a telephone call, but if this is not possible, an email. Follow-up calls with the individuals responsible for data storage and security may be arranged.
If it is found that the breach has occurred through negligence (loss of device/ documentation with data stored on it, poor password practices, storing data in a way which contravenes the Data Protection Policy), disciplinary or criminal action may be taken. If a complaint is raised against BID due to breach of procedure this will be dealt in accordance with the company’s complaints procedure and staff handbook.
9 Personnel records
One of the rules under Data Protection gives you the right to see certain information held about you, that includes your personnel file. BID will respond within 2 working days.
Under the GDPR there could be some very rare situations where we would not disclose information in your file. For example if there is a document that also contains personal information about someone else.
Under the GDPR you have a right to request for your data to be removed from our database, with the exception of data we require for legal, statistical compliant and legitimate purposes i.e Head Office Voter Contact.
10 Keeping your information up to date
Please help us to keep your information up to date and let us know if there are any changes such as:
- your address
• your name
• your home telephone number
• removal from our records
Please send all changes to firstname.lastname@example.org