The General Data Protection Regulation (GDPR) regulates the processing of data relating to individuals. This includes the obtaining, holding, using or disclosing of digital data records.
Southend BID shall hold the minimum personal data necessary to enable it to perform its functions. All such data is confidential and treated with care in order to comply with the law. We recognise that the lawful and correct treatment of personal data is very important to maintaining user confidence. Any data which we collect, record or use in any way, whether it is held on paper, on computer or on other media, shall be handled fairly, stored safely, safeguarded and not disclosed to others unlawfully, in order to comply with the GDPR.
This policy will cover the rules around data acquisition, usage, storage and protection.
1.2 Data Protection Principles
Southend BID will adhere to the Principles of Data Protection, as set out in the GDPR.
In summary, the data shall be:
• Obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
• Obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
• Obtained for legitimate interests which cover the following: Company contact details (local manager, head office contact and any other contact relevant) to communicate during the BID term, personal/company contact details of Advisory Group, Board (and any other relevant group of people or businesses relevant to the work of the BID), Data collection for Annual Survey, Mid Term Review.
• Adequate, relevant and not excessive for that purpose.
• Accurate and kept up to date annually.
• Not be kept for longer than is necessary for that purpose.
• Processed in accordance with the data subject’s rights.
• Kept safe from unauthorised access, accidental loss or destruction.
• Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
Compliance and accountability
It is the responsibility of Southend BID to:
• Assess the understanding of obligations under the GDPR
• Identify and monitor problem areas and risks and recommend solutions
• Promote clear and effective procedures and offer guidance to staff on Data Protection issues
• Review business changes and determine whether registration under the GDPR is required
Any staff members acquiring data are responsible for the following:
Vetting – ensure compliance
Any data acquired for marketing purposes (email lists, phone numbers, addresses etc.) must be acquired through legal methods or from reputable suppliers. Individuals must have opted in to receive marketing messages.
Any purchased or rented data must be checked to ensure that no individual on the list has opted out.
Before data is purchased or rented, Proof of Provenance must be acquired. This document clearly states the data’s origin and how it has been used, moved and/or altered.
If the supplier cannot or will not supply an adequate Proof of Provenance, its services CANNOT be used.
Data will, more often than not, be acquired from the source rather than from a supplier. This means the information is less likely to be corrupted, out of date or exposed.
However, using a supplier does not excuse Southend BID from complaints or protect it from penalties. Suppliers MUST be International Organization for Standardization (ISO) or Direct Marketing Association (DMA) certified.
Any data which is acquired – either by the Company or a third-party supplier – which individuals have not explicitly opted into cannot be used, and could potentially put Southend BID at risk of sanctions from the ICO.
Staff members who regularly deal with personal data and store and transfer it are responsible for assessing the importance and sensitivity of the data and classifying it accordingly. This ensures that any recipients are aware of the precautions that they need to take when they are handling it.
Low: Not directly personally identifiable, anonymous, pseudonymised, non-personal (contact details) or vital information. Care in its storage, use and transfer remains paramount.
High: Confidential, personal, CRM outputs, address targets, transaction details. Must be stored only for the appropriate amount of time, password protected, encrypted and securely transferred.
When transferring sensitive data within Southend BID, ensure that:
• The recipient is authorised to receive this data. You must not share confidential information with unauthorised persons either deliberately or through negligence. Doing so may lead to disciplinary action being taken.
• All reasonable steps to ensure a safe transfer have been taken.
• Data should not, unless absolutely required, be transferred outside the European Union. If it must be, sign off from a Company director must be obtained.
• If you must transfer the information via email, the following steps should be taken:
Depersonalise the information, if possible.
The file(s) must be encrypted and protected with a strong password.
Password must be sent separately.
The email should be deleted from the inbox/sent items folder and the deleted items folder as soon as the dataset has been exported.
The sender must log the date, time, recipient, format, method of transfer and classification of the data in the internal Southend BID log, which is kept centrally.
It is the employee’s responsibility to ensure that all data is stored correctly. Southend BID will provide secure storage for data - archiving for electronic data and lockable cabinets for hard copies. All devices shall be encrypted and protected with strong passwords.
Employees shall ensure that any personal information which they have access to is:
Stored securely, and held locally only for the required and appropriate time
Encrypted and protected with a strong password
Removed from any device, cloud storage platforms or company-controlled areas
Removed from secure data – regular checks must take place
All hard copies (e.g. personnel information and financial statements) must be kept in secure storage and put away when not in use. Only management and the marketing team are to have access to these.
Any breach of this may lead to disciplinary action.
In the event of a breach (loss, theft of the data itself or storage device or security breach), employees must inform management immediately to then inform Directors. The nominated members will assess the severity in order to respond correctly.
In all instances, if Southend BID users have had their customer data compromised, whether by an employee or a third party, they shall be informed by management immediately, by telephone if possible and otherwise by email.
If it is found that the breach has occurred through negligence, disciplinary action may be taken.
One of the rules under Data Protection gives individuals the right to see certain information held about them; any fee will be at Southend BID's discretion. There could be some very rare situations where we would not disclose information, for example if a document also contains personal information about another individual.
Keeping your information up to date
Please help us to keep your information up to date and let us know if there are any changes such as:
• your address
• your name
• your home telephone number
• next of kin, or who to notify in the event of an accident or emergency, and their contact details and
• anything (medical or otherwise) we need to know in an emergency
Please send these changes to hello@SouthendBID.com.
Viewing your personnel record
Personal and salary records are confidential and access is restricted. Under the GDPR and employment law, Southend BID is entitled to access certain records. Any request to view personal records should be made to the Manager or the Director.
A minimum of 10 working days’ notice is required for a request to view these details. Files will be made available as soon as possible after the notice period and in any event within 21 days; they can only be viewed within the Southend BID Office and must not be taken from this address.
Information that may NOT be viewed by employees
Employees may not view confidential employment references or personal data processed for the purposes of management forecasting and planning.
In addition, any data contained within personnel files that includes personal information on a third party who can be identified from that information may not be viewed.
The only exceptions to this rule are:
• If the third party has consented to the disclosure of the information to the person making the request (this must be done in writing and logged)
• If the information is in a health record and the third party is a health professional who has compiled or contributed to that health record; and
• If it is reasonable in all the circumstances to comply with the request without the consent of the third party.
Staff files are maintained by the Company’s human resources team.
Personal data will be used in connection with any aspect of the individual’s employment and for no other purpose. It will be a disciplinary offence to disclose personal data to a third party without prior authorisation.
Date: 27th January 2021