This GDPR Policy outlines our commitment to ensuring the protection of personal data in compliance with the General Data Protection Regulation (GDPR). This policy sets out the procedures for handling data breaches, providing GDPR training to staff and volunteers, designating a Data Protection Lead/Officer, and managing subject access requests.
Data Breach Procedure
In the event of a data breach, we will follow the following procedure to minimize the impact and respond appropriately:
- Identification and Reporting: Any employee, volunteer, or contractor who suspects or becomes aware of a potential data breach must immediately report it to the Data Protection Lead/Officer.
- Assessment: The Data Protection Lead/Officer will assess the breach to determine its severity, potential risks, and affected individuals.
- Containment and Recovery: We will take immediate steps to contain the breach, prevent further unauthorized access, and restore the integrity of the affected data.
- Notification: If the breach is likely to result in a risk to the rights and freedoms of individuals, we will report the breach to the relevant supervisory authority within 72 hours of becoming aware of it. If the breach is likely to result in high risk to individuals’ rights and freedoms, we will also communicate directly with affected individuals.
- Documentation: We will document all aspects of the breach, including the nature of the breach, its effects, actions taken to address it, and any follow-up measures.
GDPR Training
We are committed to ensuring that all staff and volunteers are aware of their responsibilities under GDPR and understand how to handle personal data appropriately. Our GDPR training program includes:
- Induction Training: All new staff and volunteers will receive basic GDPR awareness training during their induction.
- Regular Updates: Regular training sessions will be conducted to keep staff and volunteers informed about any changes in GDPR regulations and best practices for data protection.
- Records: We will maintain records of training sessions attended by each staff member and volunteer.
Data Protection Lead/Officer
We have designated a Data Protection Lead/Officer who is responsible for overseeing data protection activities, ensuring compliance with GDPR, and acting as the point of contact for data protection matters.
- Roles and Responsibilities: The Data Protection Lead/Officer is responsible for monitoring compliance, providing guidance, and collaborating with relevant departments to implement data protection measures.
- Contact Information: Contact details for the Data Protection Lead/Officer are available for all staff, volunteers, and data subjects for any queries or concerns related to data protection.
The Data Protection Lead/Officer is:
Michael Hancock, Director
Subject Access Requests Procedure
Individuals have the right to request access to their personal data that we process. The procedure for handling subject access requests (SARs) is as follows:
- Submission: Individuals can submit SARs in writing, either by email or physical mail, to the Data Protection Lead/Officer.
- Verification: We will verify the identity of the requester before disclosing any personal data, to protect the requester’s rights and privacy.
- Response Time: We will respond to SARs within one month from the date of receipt. This period may be extended by two months if the request is complex or numerous. We will inform the requester of any such extension within one month of receiving the request.
- Fees: We will not charge a fee for responding to a SAR unless the request is manifestly unfounded or excessive.
- Communication: We will provide the requested information in a clear and understandable format, including details about the data being processed, its sources, and any recipients.
Review and Updates
This GDPR Policy will be reviewed periodically to ensure its effectiveness and compliance with any changes in regulations or our data processing activities. Any updates will be communicated to staff, volunteers, and relevant stakeholders.