Data Protection Policy

BLACK GIRL STREAMS C.I.C.

Last Updated: December 2024

1. Introduction

1.1 Purpose of Data Protection Legislation

Data protection laws exist to safeguard individuals' rights to privacy, autonomy, and freedom. With rapid developments in digital technologies and increased risks such as cyber-attacks, there is a growing need to ensure that personal information is collected, used, shared, and stored responsibly. These concerns underpin the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

1.2 Rights and Freedoms of Individuals

These laws aim to protect the rights and freedoms of living individuals and ensure that their personal data is not processed without their awareness. Wherever possible, processing should occur with their explicit consent and in a transparent manner.

2. Definitions Used by the Organisation

(Drawn from UK GDPR)

2.1 Material Scope (Article 2)

The UK GDPR applies to:

  • Personal data processed wholly or partly by automated means (such as digital systems), and
  • Non-automated personal data that forms part of a structured filing system (such as paper files organised by identifiable criteria).

Pseudonymised data is included within scope, while truly anonymised data is not.

2.2 Personal Data

Any information relating to an identified or identifiable living person ("data subject"), such as names, identification numbers, online identifiers, or information relating to physical, social, or cultural identity.

2.3 Special Category Data

Includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data used for identification, health information, and data concerning sex life or sexual orientation.

2.4 Data Controller

A natural or legal person that determines the purposes and means of processing personal data. The controller is responsible for ensuring compliance with UK GDPR.

2.5 Data Processor

An entity that processes personal data on behalf of the controller, following the controller's instructions.

2.6 Data Subject

Any living individual whose personal data is processed by an organisation.

2.7 Processing

Any operation carried out on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, sharing, restriction, deletion, or destruction.

2.8 Personal Data Breach

A security incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. Controllers must report certain breaches to the supervisory authority and, when necessary, to the affected individuals.

2.9 Data Subject Consent

A freely given, specific, informed, and unambiguous indication of a data subject's wishes, demonstrated through a clear affirmative action.

2.10 Child

Under the UK GDPR, a child is anyone under 16. Parental or guardianship consent must be obtained before processing their personal data, and reasonable steps must be taken to verify that consent.

2.11 Third Party

Any person or organisation other than the data subject, controller, processor, and persons authorised by the controller or processor to process personal data.

2.12 Filing System

Any structured set of personal data accessible according to specific criteria.

3. Policy Statement

3.1 Commitment to Compliance

The Board and management of BLACK GIRL STREAMS C.I.C., located at 124 City Road, London, EC1V 2NX, are committed to complying with UK GDPR and related UK legislation, and to upholding the rights of all individuals whose data we collect or process.

3.2 Linked Policies and Procedures

Compliance is supported by this policy, alongside related policies such as IT Acceptable Use, Social Media, Privacy Notices, and other relevant procedures.

3.3 Scope of Processing Activities

These obligations apply to all personal data processed by BLACK GIRL STREAMS C.I.C., including data relating to clients, customers, employees, volunteers, partners, suppliers, and any personal data obtained from any other source.

3.4 Responsibility for Register of Processing

The UK GDPR Lead (JOB TITLE) is responsible for annually reviewing the organisation's processing activities and updating the Record of Processing Activities accordingly.

3.5 Staff Responsibilities

All staff must familiarise themselves with this policy and follow its requirements. Failure to do so may place both the organisation and individuals at risk and may lead to action under the organisation's disciplinary procedures.

3.6 Third Parties

Partners and third parties who may access personal data must comply with this policy and must sign a confidentiality agreement with obligations no less stringent than those applied within BLACK GIRL STREAMS C.I.C.

4. Responsibilities and Roles

4.1 BLACK GIRL STREAMS C.I.C. as Controller and Processor

We may act as both a data controller and a data processor depending on the nature of the activity.

4.2 Management Responsibilities

Senior leadership and managers must promote strong information governance and ensure compliance within their areas of responsibility.

4.3 Role of the UK GDPR Lead

The UK GDPR Lead is part of senior management and is accountable for ensuring the organisation meets legal requirements and can evidence compliance. They oversee procedures such as Subject Access Requests and act as a point of guidance for staff.

4.4 Staff Responsibilities

All staff handling personal data must comply with data protection legislation. Staff must ensure that personal information they provide to BLACK GIRL STREAMS C.I.C. is accurate and current.

5. Data Protection Principles

5.1 Principle 1: Lawfulness, Fairness, and Transparency

Processing must be lawful, fair, and transparent. The organisation's Privacy Notice sets out how these requirements are met.

5.2 Principle 2: Purpose Limitation

Personal data must only be collected for specified, explicit, and legitimate purposes, and must not be processed for purposes incompatible with those original intentions.

5.3 Principle 3: Data Minimisation

Data collected must be adequate, relevant, and limited to what is necessary.

  • The UK GDPR Lead ensures that excess data is not collected.
  • All data collection forms must contain a fair processing statement.
  • Data collection procedures will be reviewed annually.

5.4 Principle 4: Accuracy

Personal data must be accurate and kept current.

  • Data subjects must ensure that information they supply is correct.
  • The UK GDPR Lead ensures procedures exist to maintain accuracy.
  • Retention dates will be reviewed annually, and outdated data securely destroyed.

5.5 Principle 5: Storage Limitation

Data must not be kept longer than necessary.

  • Once retention periods expire, data is destroyed in line with the Retention of Records Procedure.
  • Data held beyond processing needs must be anonymised or encrypted.

5.6 Principle 6: Integrity and Confidentiality

Data must be processed securely.

  • A risk assessment will be undertaken to determine appropriate safeguards.
  • Security measures must consider potential harm to individuals and reputational risks to the organisation.

5.7 Accountability Principle

BLACK GIRL STREAMS C.I.C. must be able to demonstrate compliance through policies, governance measures, training, and technical controls.

6. Data Subjects' Rights

6.1 Rights Overview

Data subjects have rights including:

  • Access
  • Objection
  • Restriction
  • Erasure
  • Data portability
  • Compensation for harm
  • Complaint to the ICO
  • Right to prevent direct marketing
  • Rights related to automated decision-making

6.2 Exercising Rights

Requests must follow the Subject Access Request Procedure.

Data subjects may raise concerns through the organisation's complaints process, and the Privacy Notice outlines how individuals may contact us.

7. Consent

7.1 Meaning of Consent

Consent must be freely given, specific, informed, unambiguous, and demonstrated through a clear affirmative action. It may be withdrawn at any time.

7.2 Conditions for Valid Consent

Consent obtained under pressure or through misleading information is invalid. The organisation must retain evidence of consent.

7.3 Sensitive (Special Category) Data

Explicit written consent is required unless another lawful basis applies.

7.4 Consent for Children

For any online services provided to children under 16, parental or guardian consent is required.

8. Security of Data

8.1 Staff Responsibilities

All staff must ensure that personal data held by BLACK GIRL STREAMS C.I.C. is kept secure and not disclosed without authorisation and a confidentiality agreement.

8.2 Storage Requirements

Personal data must be kept:

  • In locked rooms or cabinets
  • In password-protected systems
  • On encrypted removable media

8.3 Manual Records

Paper records must not be left unattended and must not be removed from premises without authorisation.

8.4 Disposal

Data must be destroyed according to the Retention of Records Procedure. This includes shredding paper records and destroying hard drives.

8.5 Off-Site Processing

Authorisation is required for off-site processing because of the increased risk it carries.

9. Training

9.1 Training Commitments

The Board and UK GDPR Lead will ensure staff receive training on data protection and its relevance to their roles.

9.2 Security Training

Staff will receive training on information security and breach reporting relevant to their responsibilities.

10. Disclosure of Data

10.1 Restrictions on Disclosure

Personal data must not be disclosed to unauthorised individuals, including family members, friends, or external organisations, unless proper authorisation and documentation are provided.

10.2 Authorisation

All disclosures must be approved by the UK GDPR Lead.

11. Retention and Disposal of Data

11.1 Retention Periods

Data must only be kept for as long as necessary for the purpose collected, unless used for archiving, research, or statistical purposes with safeguards in place.

11.2 Retention Schedules

Retention rules are defined in the Retention of Records Procedure, including justification, record type, and disposal method.

11.3 Timely Destruction

Data must be destroyed within 90 days of its retention period ending.

12. International Data Transfers

12.1 Restrictions

BLACK GIRL STREAMS C.I.C. does not transfer data outside the EEA unless appropriate safeguards are established.

12.2 Adequacy and Safeguards

Transfers require adequacy decisions or the use of IDTAs, SCC Addenda, or BCRs, together with completion of a Transfer Risk Assessment.

12.3 Exceptions

In the absence of safeguards, transfers may occur only under specific conditions such as explicit consent, contract necessity, public interest, legal claims, or vital interests.

13. Information Asset Register / Data Inventory

13.1 Purpose

We maintain a data inventory and data flow map to identify risks and opportunities.

13.2 Contents

The data inventory identifies:

  • Business processes
  • Data sources
  • Categories of personal data
  • Processing activities
  • Recipients
  • Retention rules
  • Transfers
  • Key systems and repositories