
Data Protection (GDPR) Policy and Procedure

Introduction

ROLDA UK is committed to protecting the privacy and security of personal data. This policy outlines how we collect, handle, store, and protect personal information to comply with the GDPR and the UK Data Protection Act 2018.

Purpose

The purpose of this policy is to:

  • Ensure compliance with GDPR and other data protection regulations.
  • Outline the procedures for collecting, storing, and processing personal data.
  • Protect the rights and privacy of individuals associated with ROLDA UK, including donors, staff, volunteers, and supporters.

Scope

This policy applies to:

  • All staff, volunteers, contractors, and partners working with or on behalf of ROLDA UK.
  • All personal data collected, stored, or processed by ROLDA UK in any form (digital or paper-based).

Definitions

  • Personal Data: Any information relating to an identifiable person who can be directly or indirectly identified from the data (e.g., names, addresses, email addresses, and IP addresses).
  • Data Subject: An individual whose personal data is processed.
  • Data Controller: ROLDA UK, responsible for deciding how and why personal data is processed.
  • Data Processor: Any third party that processes data on behalf of ROLDA UK.
  • Processing: Any operation performed on personal data (e.g., collection, storage, modification, or deletion).

Data Protection Principles

ROLDA UK is committed to processing personal data in accordance with the following principles:

  • Lawfulness, Fairness, and Transparency: Personal data must be processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Data must be collected for specific, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
  • Data Minimisation: Only the data necessary for the stated purposes should be collected and processed.
  • Accuracy: Data must be accurate and kept up to date where necessary.
  • Storage Limitation: Personal data must not be kept for longer than is necessary.
  • Integrity and Confidentiality: Data must be processed in a manner that ensures security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
  • Accountability: ROLDA UK must be able to demonstrate compliance with these principles.

Lawful Basis for Processing Personal Data

ROLDA UK will only process personal data if at least one of the following lawful bases applies:

  • Consent: The data subject has given explicit consent for processing their personal data for specific purposes.
  • Contractual Necessity: Processing is necessary for the performance of a contract.
  • Legal Obligation: Processing is necessary to comply with legal obligations.
  • Legitimate Interests: Processing is necessary for the purposes of legitimate interests pursued by ROLDA UK, except where such interests are overridden by the interests or rights of the data subject.

Rights of Data Subjects

Data subjects have the following rights regarding their personal data:

  • Right to be Informed: To know how their data is being collected, used, and shared.
  • Right of Access: To request access to their personal data.
  • Right to Rectification: To request correction of inaccurate or incomplete data.
  • Right to Erasure (“Right to be Forgotten”): To request deletion of their data, under certain conditions.
  • Right to Restrict Processing: To restrict the processing of their data under specific circumstances.
  • Right to Data Portability: To receive their data in a structured, commonly used format.
  • Right to Object: To object to their data being processed for specific purposes (e.g., direct marketing).
  • Rights Related to Automated Decision-Making: To object to decisions made solely by automated means.

Data Collection, Storage, and Processing

  • Data Collection: ROLDA UK will collect personal data only for specified purposes. All data collected must be relevant and not excessive in relation to the purposes for which it is collected.
  • Data Storage: Personal data will be stored securely using appropriate physical, technical, and organisational measures. Digital data must be encrypted, password-protected, and stored on secure cloud platforms. Paper records (if applicable) must be stored in locked filing cabinets.
  • Data Processing: Data must be processed in a manner that ensures security. Processing activities must be documented, and all data handlers must be trained in data protection best practices.
  • Data Sharing: Personal data will only be shared with third parties if a data-sharing agreement is in place or if consent has been obtained from the data subject. All data processors must adhere to ROLDA UK’s data protection standards.

Data Breach Management

In the event of a data breach, ROLDA UK will:

  • Contain the Breach: Identify and isolate the source of the breach immediately.
  • Assess the Impact: Determine the severity of the breach and identify affected data subjects.
  • Notify the ICO: If the breach is likely to result in a risk to individuals’ rights and freedoms, the Information Commissioner’s Office (ICO) must be notified within 72 hours.
  • Notify Affected Individuals: If there is a high risk to individuals, ROLDA UK will inform the affected data subjects without undue delay.
  • Document the Breach: Record the details of the breach, actions taken, and outcomes for accountability purposes.

Data Protection Impact Assessments (DPIA)

ROLDA UK will conduct DPIAs for any new project or process that may involve a high risk to the privacy of individuals. The DPIA will:

  • Describe the nature, scope, context, and purposes of processing.
  • Assess the necessity and proportionality of processing.
  • Identify and evaluate risks to data subjects.
  • Specify measures to mitigate identified risks.

Responsibilities

Data Protection Officer (DPO): [Assign a DPO if required, or outline who in the organisation handles data protection]. The DPO is responsible for overseeing compliance with this policy and ensuring that ROLDA UK meets its obligations under data protection law.

All Staff & Volunteers: All individuals handling personal data must adhere to this policy and undergo regular data protection training.

Training and Awareness

ROLDA UK will provide regular training to all staff and volunteers on data protection principles and best practices. Training will be reviewed and updated annually or as necessary.

Policy Review

This policy will be reviewed annually or in response to any significant changes in data protection law or organisational processes.

Contact Information

For any questions regarding this policy or to exercise data protection rights, please contact:
Data Protection Officer (DPO): Dana Costin
Email: rolda@rolda.org

Address: 16 Feroviarilor Street, Bl.C2, ap.18, 800563 Galati, Romania