St Austell BID ensures that it is compliant with all Data Protection Legislation, including the Data Protection Act 1998 and the EU General Data Protection Regulation (GDPR), due for enforcement with effect from 25th May 2018. St Austell BID acknowledges that although GDPR is EU Legislation, it is already on the UK statute books, and will therefore continue to apply to the UK after the UK leaves the EU (Brexit).
St Austell BID collects, processes, stores and shares information in accordance with this legislation. More information can be found in our Data Protection Policy and Privacy Notice.
The GDPR states that organisations shouldn’t process or retain extraneous personal data. That means data should be collected for a specific purpose, used only for that purpose and retained for only as long as it meets that purpose. St Austell BID complies with this.
Step 1 : Awareness
Everyone in the organisation needs to understand what GDPR is and what impact it will have on them.
The organisation has formal GDPR policies and statements in place, and understands the impact this legislation has.
The BID Manager ensures that they are kept regularly informed of any updates to GDPR and of any changes to the data the organisation holds. Within the organisation, the BID Manager, Annette Miller, has responsibility for GDPR.
If in the future the organisation expands, the organisation will ensure that decision makers and key people in the organisation demonstrate support for Data Protection legislation and promote a positive culture of data protection compliance across the organisation.
Step 2 : Information You Hold
The organisation needs to identify all the different data and data types held in the organisation.
St Austell BID collects different types of client data.
The organisation regularly maps the data it collects, and documents any Personal, Sensitive and Financial Data held; when and where the data comes from; the legal basis for processing it; when it is updated; how long it is retained for and on what basis; where it is stored and processed; and who it is disclosed to and why.
The organisation has carried out extensive Data Mapping and regularly updates this to identify :
- Why data is collected and processed by the organisation.
- Whose Personal Data is processed by the organisation.
- When and where Personal data is processed by the organisation.
The organisation has identified the following types of data in the organisation :
- Personal Data is data which can be used to identify you, and includes name, date of birth, address, telephone number(s), email address etc. St Austell BID collects Personal Data relating to staff (the BID Manager), Levy Payers, the Board of Directors, Suppliers, Loyalty Card applicants, town residents, shoppers and interested parties.
- Financial Data is data that includes things like the amount of the BID levy for local businesses, rateable value of business premises, bank details for supplier payments and information relating to the member of staff (BID Manager).
- Sensitive Data is information related to any of the following : racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
St Austell BID processes this type of data in different ways, for example :
For St Austell town centre safety and security purposes the St Austell BID Manager receives regular Criminal Behaviour Orders from Devon & Cornwall Police (Helen Toms), which are circulated to town centre security staff. However, the nature of this data means that it is already in the public domain.
The BID Manager also retains copies of meeting minutes from ASB Meetings and from the bi-annual Safer Cornwall summit. However, the nature of this data means that it is already in the public domain. In addition, the minutes contain no personal data.
The BID Manager also receives Daily Occurrence logs from town centre security staff, but these contain no personal data. In addition, hand written Security Reports are received from town centre security staff twice weekly, which the BID Manager scans and emails to CI Devon and Cornwall Police, 101 and the Crime Department of Cornwall Council. The BID Manager does not compile this data but simply distributes it as required to these parties.
We collect this data in a variety of ways.
St Austell BID has carried out extensive data mapping which identifies the ways in which the different types of data are collected.
Interested parties are also able to contact the organisation via an online form on the BID website www.staustellbid.co.uk which asks for their first and last name and email address.
The telephone number field is optional.
Step 3 : Communicating Privacy Information
The organisation needs to ensure its privacy notices are GDPR compliant, and also ensure that it tells people how the organisation uses their data. St Austell BID communicates privacy information to :
- Visitors to our website and other social media including Facebook, Twitter and Instagram;
- People who use our services.
Step 4 : Individual Rights
The organisation must ensure procedures are in place so that individuals can exercise their rights.
St Austell BID is aware of the following rights for individuals :
- The Right to be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Data Portability
- The Right to Object
- The Right not to be subject to automated decision-making including profiling.
St Austell BID regularly reviews, and where necessary, updates our privacy information, and brings any new uses of an individual’s personal data to their attention before we start the processing.
St Austell BID has a separate policy document outlining our procedures for dealing with Individual Rights.
Step 5 : Subject Access Requests
The organisation must have a GDPR compliant procedure for providing people with copies of their data.
St Austell BID tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information about them by making a ‘subject access request’ under the Data Protection Act 1998 and, with effect from 25th May 2018, under the GDPR.
We issue the following notice to clients :
If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
To make a request to St Austell BID for any personal information we may hold, you can make the request in writing (post or email) or verbally. Please address written requests to Annette Miller (BID Manager), at the following address :
St Austell BID, BID Office, Burton House, Trinity Street, St Austell, Cornwall, PL25 5LS.
However, if you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting St Austell BID.
We will respond to your request within 1 month, and we do not usually charge you for processing this request.
Step 6 : Lawful Basis for Processing Personal Data
The organisation must identify the lawful basis for processing personal data for everything the organisation does.
The organisation has identified the lawful bases for processing data and documented these.
St Austell BID has the following lawful bases for processing Personal Data:
- In order to fulfil our contractual obligations towards the BID Manager.
- In order to fulfil our legal obligations and comply with BID Regulations.
- In order to assist with Crime Prevention in the town centre.
- Legitimate interests in the provision of services.
- Consent, again in order to provide services, for example responding to queries and providing the town Loyalty Card to applicants.
In these cases the processing is necessary, as the organisation could not reasonably fulfil its various obligations without processing this personal data.
Step 7 : Consent
The organisation must review how consent from people is sought, recorded and managed.
St Austell BID has identified that Consent is the lawful basis for processing data when individuals submit their data via the online contact form on the St Austell BID website, and also when applying for the St Austell town Loyalty Card, again via the organisation’s website.
Other lawful bases are detailed in Step 6 of this document.
Clients are able to access both the GDPR and Privacy Policies on the St Austell BID website.
They are also asked to acknowledge the following :
- That they give their consent to be contacted via Email for marketing purposes as required (via the online Loyalty Card application).
- Clients also have the right to withdraw this consent at any time.
Any request to withdraw consent must be put in writing to St Austell BID, Burton House, Trinity Street, St Austell PL25 5LS.
Alternatively, individuals can email the organisation.
This procedure is clearly documented in the organisation’s Individual Rights Policy document.
Step 8 : Children
The organisation must identify any instances where consent is obtained directly from children.
St Austell BID does not currently obtain consent directly from children.
However, St Austell BID recognises that if any information relating to children is processed, that children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.
Step 9 : Data Breaches
The organisation must have a GDPR compliant procedure for detecting, reporting and investigating personal data breaches.
St Austell BID recognises that the GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority, within 72 hours of becoming aware of the breach, where feasible.
For example :
The theft of the levy payers database, the data from which may be used to commit identity fraud, would need to be notified, given the impact this is likely to have on those individuals, who could suffer financial loss or other consequences.
When notifying the ICO, St Austell BID will give :
- a description of the nature of the personal data breach including, where possible:
- the categories and approximate number of individuals concerned; and
- the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if the organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we are also aware that those individuals affected must be informed without undue delay.
When notifying the individuals affected, St Austell BID will give :
- a description, in clear and plain language, of the nature of the personal data breach;
- the name and contact details of a member of staff from whom more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
St Austell BID ensures that there are effective processes in place to identify, investigate, assess, report, manage and resolve any personal data breaches. We have a specific Data Breach Template in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals. Responsibility for dealing with data breaches lies with the BID Manager, Annette Miller.
In accordance with GDPR legislation, we also keep a record of any personal data breaches, regardless of whether we are required to notify.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.
Personal Data Breaches can include :
- Access by an unauthorised third party.
- Deliberate or accidental action (or inaction) by a controller or processor.
- Sending personal data to an incorrect recipient.
- Computing devices containing personal data being lost or stolen.
- Alteration of personal data without permission, and
- Loss of availability of Personal Data.
Step 10 : Data Protection by Design and Data Protection Impact Assessments (DPIAs)
The organisation must ensure that Data Protection is built into all systems, projects and procedures.
St Austell BID has a comprehensive DPIA Policy and Assessment procedure, details of which are contained in our DPIA Policy and Assessment documents.
Step 11 : Data Protection Officers, Data Controllers and Data Processors
The organisation must identify who the Data Controller(s) and Data Processor(s) are in the organisation, and appoint a Data Protection officer if required.
The organisation must also register with the ICO if required.
The organisation has clearly identified and documented both Data Controller(s) and Data Processor(s) within the organisation.
A Data Controller is someone who is responsible for data and who must make sure that data is processed according to the law. For example, they are responsible for making sure that information held about someone is accurate and that it is kept secure.
The BID Manager, Annette Miller, acts as both Data Controller and Data Processor, and is responsible for data when it is used to provide a service to clients or a third party.
Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
St Austell BID does not engage in any of the above activities and therefore, does not need to appoint a Data Protection Officer.
The organisation is not required by law to register with the Information Commissioner’s Office (ICO).
This is because St Austell BID is a not-for-profit organisation and is therefore exempt.
Step 12 : International
The organisation needs to identify the lead Data Protection Regulatory Authority and document this.
St Austell BID has its office in the UK. The ICO is therefore St Austell BID’s regulatory authority.
The organisation is not registered with the Information Commissioner’s Office (ICO) as St Austell BID is not required by law to do so.
St Austell BID does not operate in more than one EU Member State and does not engage in cross border processing.