Introduction

Ilford BID needs to gather and process certain personal information about individuals for certain legitimate business purposes. These can include BID levy payers. Ilford BID will seek to have a point of contact for each business that pays a BID levy in order to keep the business informed on the projects and services BID funds are used for. If you are an Ilford BID levy paying business, please ensure we have your correct company contact details. To update us, you can email DPO@ilfordbid.com. We will also hold data on suppliers, business contacts, and other people the organisation has a relationship with or may need to contact. We may share your details securely with our partners who have to comply with the current Data Protection Act.

Consumer - An Ilford town centre visitor who has opted in to receive inilford communications.

We may contact consumers to inform them of Ilford town centre events, promotions and offers that may be of interest. If you wish us to delete your contact details in compliance with GDPR/current Data Protection Act, please email us at DPO@ilfordbid.com.

This policy describes how this personal data is collected, handled and stored to meet the company’s data protection standards and to comply with the law. 

2018 General Data Protection Regulations (GDPR)

The General Data Protection Regulations (GDPR) came into effect in May 2018, and replaced the Data Protection Act 1998, bringing with them a wider scope of protections for individuals, and greater accountability for the data controller and processor. These regulations describe how organisations, including Ilford BID, must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials. 

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. 

The Regulations are underpinned by six important principles. These say that personal data must be: 


  1. Processed lawfully, fairly and in a transparent manner in relation to individuals; 
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; 
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; 
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; 
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; 
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. 

 

 

Data Control, Processing and Retention

Please see table showing how we process data and how long it is retained.

The Rights of the Individual 

There are a number of enhanced rights for individuals under the scope of the GDPR. 

  1. The right to be informed.
  2. The right of access.
  3. The right to rectification.
  4. The right to erasure.
  5. The right to restrict processing.
  6. The right to data portability.
  7. The right to object.
  8. Rights in relation to automated decision making and profiling.

 

To ensure that we are as transparent as possible, the ICO Register holds an entry about what data we hold and process. The information is available publicly on the Data Protection Register.

 

Complaints or Corrections 

In the first instance, please address any complaint or correction to DPO@ilfordbid.com. This will be dealt with, with the aim of resolving the complaint in a satisfactory and timely manner.

Right of Access 

You have a right to access the personal information we hold about you. To do this, please contact DPO@ilfordbid.com

We aim to respond to any requests in writing within one month. However, if your request is particularly complex, we may take a further two months to process it; in that case we will contact you to explain this within one month.

Within the scope of the GDPR, we always aim to provide this information free of charge. However, in line with the regulations, we reserve the right to charge a reasonable fee for any manifestly unfounded, excessive or repeated requests; or where multiple copies of the response are required.  This fee will be aligned to the actual cost of providing the information. 

Under certain exceptional circumstances, we may refuse your request for information.  This would generally be because we cannot legally disclose it.  If we do this, we will explain why we have taken this action, and provide you with an escalation point within the relevant supervisory authority. 

Right of Erasure 

You have the right to request that we erase any personal data held about you, subject to you providing a valid reason for this request within the scope of the GDPR.  The business will not ordinarily refuse such a request, unless it would render the business liable for a breach of its legal obligations. 

If you wish to make a representation under the Right of Erasure, please write to DPO@ilfordbid.com stating what data you wish to have erased, and the reason for the request. The business will respond in writing within one month stating the action taken. 

Right to Restrict Processing 

You have the right to restrict the processing of your personal data.  This means that Ilford BID can retain enough data to meet its legal obligations, but may not further process the data. 

If you wish to make a representation under the right to restrict processing, please write to DPO@ilfordbid.com stating what data you wish to restrict from processing.  The business will respond in writing within one month stating the action taken. 

 

  

Data Transference/Sharing

We work with several external organisations in order to efficiently deliver business communications. These audited partners are listed below.

Central Management Solutions (CMS) www.centralmanagementsolutions.co.uk

Jacob Bailey Ltd www.jacobbailey.com

Mailchimp www.mailchimp.com

When we transfer sensitive data between us and other individuals, either within the Company or externally to clients or partners, we will ensure the following:

  • The recipient is authorised to receive this data. We will not share confidential information with unauthorised persons either deliberately or through negligence. Doing so may lead to disciplinary action being taken or even a criminal prosecution.
  • All reasonable steps to ensure a safe transfer have been taken. If possible, use SFTP. Sending data by email should be avoided where possible.
  • Data should not, unless absolutely required, be transferred outside the European Union. If it must be, sign off from a Company director must be obtained.

If we must transfer the information via email, the following steps should be taken:

  • If possible, depersonalise the information. This obviously will not be possible with some pieces of data, but if it can be depersonalised we will.
  • The file(s) must be encrypted and protected with a strong password.
  • The password must be sent separately from the email, either by telephone or instant messaging platform.
  • The email should be deleted from the inbox/sent items folder and the deleted items folder as soon as the dataset has been exported.
  • The sender must log the date, time, recipient, filename, format, method of transfer and classification of the data in the transference log. They should also enable a read-receipt. See example below.

 

Recipients within the Company should also log the date, time, sender, filename and type of the data in the transference log. Senders should ask recipients outside of the Company to acknowledge receipt of the data and then log the time that receipt was acknowledged.

 

All data transfers should feature accompanying documentation, allowing the recipient to see the size of the dataset they are receiving, the file layouts and the number of volumes. This should also be requested from senders outside the Company. This allows us to ensure that recipients know what they are receiving and can appropriately prepare to work with the files that we are sending. It also makes ensuring that the correct file has been sent a much quicker process.

 

 Upon receipt of data, check it against the sender’s documentation as soon as possible to ensure that the correct files have been sent.

 

Data Storage

The company will provide a secure storage environment with regular backups and archiving facilities for electronic data and lockable cabinets for hard copies. All machines and backup devices shall be encrypted and protected with strong passwords.

Staff shall ensure that any personal information which they have access to is:

  • Stored in the secure environment and only stored on their local machines for the duration they require to work on it (if appropriate).
  • Protected with a strong password and encrypted.
  • Removed from their local machine and any memory sticks, cloud storage platforms or other non-secure or Company-controlled areas as soon as it is no longer required.
  • Removed from their secure data environment as soon as it is no longer required. This will require the performance of regular checks on their storage environment.

 All hard copies such as personnel information and financial statements must be kept in a locked cabinet or drawer and put away when not in use. Relevant members of the Operations Team and Senior Management shall be the only people with access to this.

Any breach of this Data Protection Policy whether deliberate or through negligence may lead to disciplinary action being taken or even a criminal prosecution.


LEGITIMATE INTEREST STATEMENT

Type of Data Subjects processed

Ilford BID needs to gather and process certain personal information about individuals for certain legitimate business purposes. These can include BID levy payers; Ilford BID will seek to have a point of contact for each business that pays a BID levy in order to keep the business informed on the projects and services BID funds are used for. If you are an Ilford BID levy paying business. Every effort will be made to ensure our data is up to date. Ilford BID Street Ambassadors will visit businesses and update business contacts daily. Information obtained is logged securely via a password-protected smartphone. We will also hold data on suppliers, business contacts, and other people the organisation has a relationship with or may need to contact. We may share your details securely with our marketing agency, which complies with GDPR.

We may contact consumers to inform them of Ilford town centre events, promotions and offers that may be of interest.

Purpose of processing personal data of levy payers

Ilford BID Businesses have the right to be informed as to how BID funds are spent. We believe we have a legal duty to keep businesses informed and up to date on Ilford BID activities.

  • newsletter
  • phone calls
  • emails 
  • face-to-face visits

Types of processing

For the above purpose, the Scheme undertakes the following types of processing of personal data of Offenders:

  • Data collection; as defined in the Privacy Notice
  • Data storage; as defined in the Privacy Notice
  • Data retention; as defined in the Privacy Notice
  • Data sharing; as defined in the Privacy Notice
  • Data deletion; as defined in the Privacy Notice
  • Data analysis; of de-personalised data for historical comparisons etc.

 

Categories and types of Personal Data processed

  • Name of store/office manager or another appropriate point of contact; the purpose of this processing is to enable Ilford BID to communicate BID updates and keep BID levy paying businesses informed on the projects and services being delivered. Where appropriate, the BID will try to encourage businesses to get involved in events and BID initiatives.
  • Manager postal and email addresses, telephone number(s) and other contact details; the purpose of this processing is to enable Ilford BID to communicate with managers from time to time, for example to send email E-shot updates.
  • Information and evidence about business visits/engagement the BID has had with a business; the purpose of this processing is to enable the BID to show it has had adequate engagement with businesses. KPIs may be set by BID management and the Directors around this.
  • No sensitive or ‘special category’ personal data (ethnicity, sexuality, religious beliefs etc) is processed by the Ilford BID.

Necessity and proportionality of processing BID point of contact personal data

It is necessary for the BID to process appropriate personal data of business managers whose businesses contribute to Ilford BID, as defined in the BID's Privacy Notice, wholly or partly by automated means because:

  • Processing managers' personal data in any other way, for example in paper-form only, presents unacceptable risks in terms of data integrity, security and confidentiality;
  • Strict systematic adherence to the BID's data retention policy requires processing in this way.

It is proportionate for the purposes of the Ilford BID to process manager/point of contact personal data as defined in the BID's Privacy Notice because:

  • It keeps the business informed on the projects and services BID funds are used for. If you are an Ilford BID levy paying business you pay a levy towards these services.
  • We believe we have a legal duty to keep businesses informed on Ilford BID ballots/renewals activities and meetings.
  • The BID's data retention policy as defined in the BID's Privacy Notice observes its obligation to process personal data only for as long as is justified by the purpose for which the processing was originally undertaken.

 

Contact Details

Email: DPO@ilfordbid.com

Post: Ilford BID, Room 503 Olympic House, 28-42 Clements Rd, Ilford, Essex IG1

 

Data Transference Log

Example

Date/Time | File name | Format | Method of transfer | Classification of data | Recipient | Read Receipt enabled

Data Control, Processing and Retention (BID Levy Payers)

What information is shared: Point of contact for business, typically the manager's name, business address and email.

Who is it shared with: Ilford BID may share this with relevant third parties such as appointed marketing partners so that BID newsletters/BID emails may be distributed in order that contributors of the BID levy are up to date and kept informed.

What data processing consent clause applies: 6(1)(f) Necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

How long do we keep the data: For the length of the BID term. BIDs have a maximum length of 5 years in the UK. Ilford BID staff continuously ensure point of contact details are up to date.