Bless It Forward Ministries

General Data Protection Regulations Policy

On the 25th May 2018 the General Data Protection Regulation will come into effect and become law which will impact all businesses, and as a small independent business/ministry I must be complaint with all new legislation that comes into force and I must meet the new requirements. It is a European law and includes the UK; this will remain in place even once we leave the EU.

The GDPR has been brought in to reflect more modern times including the electronic process we use to collect and store data. It is also to give individuals greater control over their own personal data.

However, it is not just for those who use modern technology, the law affects any business which uses a highly structured filing system –in short any business who needs to process and store away personal data as part of their responsibilities. Personal data includes any data which can identify a person including but not limited to; names, addresses, invoices, date of birth and email addresses.

GDPR uses two terms, the controller and the processor. The controller determines the purpose and the means of personal data. The processor processes data on behalf of the controller. As a small business I will always be one or both of these.

The GDPR Principles are as follows:

1 Processed lawfully, fairly, and in a transparent manner.

2 Collected for specified, explicit, and legitimate purposes.

3 Adequate, relevant and is limited to what is necessary.

4 Accurate and where necessary kept up to date.

5 Retained only for as long as necessary.

6 Processed in an appropriate manner to maintain security.

Lawfulness of Processing Data

1 Consent of the data subject

2 Processing is necessary for the performance of a contract with the data subject.

3 Processing is necessary for the compliance with a legal obligation.

4 Processing is necessary to protect the vital interests of the data subject.

5 Processing is necessary in the public interest or the controller has official authority.

6 Processing is necessary for the purposes and legitimate interests pursued by the controller or a third party.

Consent

All consent to collect or store data must be freely given.

It should be unambiguous.

Consent can be withdrawn at any time.

Consent must now be freely given so pre ticked boxes will no longer be used; in short 5 people must now be able to opt in rather than opt out.

As a small business I am already bound by the regulations set by the Information Commissioner’s Office (ICO) and pay our yearly fee to ensure all our data is protected by the laws of the country.

Retention Periods

The retention periods can differ based on the type of data processed, I will be required to retain personal data no longer than is necessary for the purpose it is obtained it for. Ensuring personal data is disposed of when no longer needed to reduce the risk that it will become inaccurate, out of date or irrelevant.

- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

- Review the length of time I keep personal data;

- Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it.

- Securely delete information that is no longer needed for this purpose or these purposes; and update, archive or securely delete information if it goes out of date.

Data Breaches

I will be obligated to notify the ICO of a data breach within 72 hours of becoming aware of the breach. We understand the huge fines in place for failing to follow correct procedures for a breach in data.

Please see separate Privacy Notice for more information

Emma Vickers

Bless It Forward Ministires