About Manor Royal BID
The Manor Royal BID Company (MRBD Limited) is a limited company incorporated in England and Wales with the company number 8542859, having a registered office at Richard Place Dobson Services Ltd, 1-7 Station Road, Crawley, West Sussex, RH10 1HT.
The Manor Royal BID Company ("Manor Royal BID" / "The BID" / "Us" / "We" / "Our") is the BID body for the purposes of the BID Statutory Provisions as per Part 4 of the Local Government Act 2003 and the Business Improvement Districts (England) Regulations 2004.
MRBD is legally and operationally responsible to the businesses in the Manor Royal BID area for all BID activities. The BID Board represents the views of the businesses that have voted for it and acts on their behalf.
About this policy
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. It contains explicit provisions that require us to maintain internal records of our processing activities. To ensure compliance with the GDPR provisions this policy sets out, among other things, how and what data we collect, the reasons for collecting that data, how it is shared and the process of retention applied to that data.
This statement is intended to demonstrate how the Manor Royal BID processes personal data in line with the GDPR and in line with Article 30 which states that organisations will "...maintain a record of processing activities under its responsibility."
Manor Royal BID employees, contractors and other third party data processors with whom we work are expected to be familiar with this policy and its accompanying documents, statements, policies and procedures.
How individuals can contact the Manor Royal BID
Individuals whose personal data we collect can contact us in the following ways:
By post (or in person): Unit 38 Basepoint Business Centre, Metcalf Way, Manor Royal Business District, Crawley, West Sussex, RH11 7XX
By telephone: 01293 813 866
By email (and website): firstname.lastname@example.org (www.manorroyal.org)
The data controller for the BID
The Executive Director acts as the Data Controller for the Manor Royal BID and can be contacted in those ways set out above.
How this policy has been prepared
In preparing this statement we have been mindful of Article 5 of the GDPR requiring that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
The reason we collect personal data
We collect personal data to enable the efficient management of the BID and to ensure that businesses and staff based in the defined BID area who may benefit from or be affected by the work of the BID are informed and aware of its activities.
We also collect data to ensure that communications relating to the rights of levy paying businesses are protected, this includes making every effort to ensure the correct person receives the ballot papers, annual BID levy leaflets and information relating to levy bills, Annual Reports, invitations to Annual General Meetings and BID delivered events etc.
Lawful basis for processing personal data in relation to the Manor Royal BID.
The lawful bases for processing are set out in Article 6 of the GDPR, which states that at least one of these must apply whenever personal data is processed:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone's life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
In carrying out its obligations to deliver the Manor Royal BID Business Plan approved by the BID Ballot in accordance with the BID Regulations, we will have regard to what information is "necessary" in carrying out our obligations in an open and transparent way, allowing challenge where appropriate.
In doing so we will only process and use data in a way that is targeted and proportionate for achieving our purpose of delivering the Business Plan in a way that can be seen to be open and transparent.
Defining legitimate interests
The Manor Royal BID does not and will not proactively or otherwise seek to obtain data other than that which relates to a Manor Royal business or a representative of that business and only as it is relevant to the work of the BID.
When collecting personal data in respect of identifying voters to participate in a BID Ballot, it is judged that this satisfies the legal obligation requirement as the BID Regulations require us to consult with levy payers and their voters on matters relating to the BID Ballot and the BID Proposals, where failure to do so might leave the BID open to criticisms of malpractice.
Beyond the BID Ballot, we consider that the lawful basis of legitimate interest is satisfied to justify the processing of personal data as it relates to levy payers, voters and representatives of businesses based in the defined Manor Royal BID area so that they are aware of how their BID Levy contribution is being invested to deliver the Business Plan for which they voted. This includes the distribution of the BID Levy Leaflet with the annual BID Levy bill, which is a requirement of the BID Regulations, and further relates to the official documents and communications of the BID, including but not limited to the Manor Royal News magazine and Monthly eBulletin.
Should the Manor Royal BID not provide levy payers, voters and representatives of businesses based in the defined Manor Royal BID area with this information throughout the defined BID Term it could be argued that it is not operating in an open and transparent way that is consistent with the spirit of collaboration in which the Manor Royal BID has been established.
It is further considered that there would be an expectation of those individuals in the Manor Royal BID area that once the Manor Royal BID has been mandated via the BID Ballot that the Manor Royal BID conveys in a clear, timely and open fashion the work of the BID being undertaken on their behalf so that they might benefit, challenge or otherwise be aware of that work as it affects them, their business, staff and colleagues.
Notwithstanding the above, we seek consent from contacts we may make in the course of delivering the Manor Royal BID Business Plan in order that we can fulfil our intention to deliver on our obligations in an open and transparent way.
We do not otherwise collect or process personal data relating to the general public or other individuals except where their consent has been obtained, or where there is a contractual relationship in place i.e. with one of our partners or contractors or where an individual has positively elected to receive content from us by subscribing to our mailing lists e.g. to receive our monthly ebulletin (delivered via Mailchimp with a user sign up / opt-in form).
None of the above over-rides the right for any individual within the Manor Royal BID area to request their personal data to be rectified or erased.
The purpose of the Manor Royal BID is clearly defined by its Business Plan which itself conforms to the BID Regulations. Its purpose therefore is specific and unlikely to change. This applies equally to those projects delivered by the BID that are also linked to our central purpose.
However, should that purpose change or any of our projects not conform to our core purpose as described, we will assess whether the lawful bases for processing personal data have changed and how that affects the individuals whose data we process, and either erase their data, obtain new consents or inform those individuals affected of the new basis for processing their data, giving them the right for their personal data to be rectified or erased as they decide.
What personal data we collect
- Name, business name, job title, place of employment, postal and email addresses and telephone number.
- No sensitive or 'special category' personal data (ethnicity, sexuality, religious beliefs etc) is processed.
The personal data we collect is regarded as "low risk" inasmuch as it usually only relates to the function an individual performs connected with a business in the Manor Royal BID area, unless that individual is a partner to the BID (in which case there is some form of contractual relationship in place) or an individual has chosen to opt-in to BID communications.
In the unlikely event that the personal data held by us is compromised, either by loss or a data breach, the harm or upset caused to that individual is likely to be minimal. Regardless, every care and attention is taken to ensure personal data is protected and only used for its intended purpose as described in this document.
How we store personal data
Personal data is stored in the following ways:
- Secure CRM System: This is the primary way in which we store data. It is a secure, password protected system that can only be accessed by a limited number of individuals who are employed by the BID to carry out the business of the BID.
- Paper records: Some limited personal data is kept in paper files. These are usually records of attendance at events, responses to surveys or copies of emails and correspondence relevant to undertaking the work of the BID e.g. in the form of feedback on events or issues affecting the BID area. These records are stored in lockable cupboards.
- Other electronic records: Similar to paper records. Some limited personal data is kept securely in a password protected cloud-based back office system accessible by a limited number of individuals employed by the BID. These are usually records of attendance at events, responses to surveys or copies of emails and correspondence relevant to undertaking the work of the BID e.g. in the form of feedback on events or issues affecting the BID area.
In all cases access to these records, however stored, is secure (either by IT controls, password controlled access or in lockable cupboards) and limited to a small number of individuals who are employed by the BID to carry out the business of the BID.
How long we keep personal data for
We will retain personal data only for as long as an individual remains an employee of a company based in the defined BID area unless they specifically request that their data be erased. Should we discover that an individual is no longer an employee of a business based in the BID area we will, as soon as is practical, erase personal data we hold on them. If a business moves out of the BID area their data and any data relating to persons employed by that company will also be erased.
The exception to the above is where data relating to their attendance at a BID event or meeting (e.g. an AGM) or formal responses to the BID as part of a survey or representations made to the BID by that person on behalf of the company is kept for historical, statistical or technical reasons relating to the work of the BID.
Personal data relating to persons that are not an employee of a business in the BID area who have proactively consented to provide their data to the BID e.g. via the opt-in process to receive the eBulletin will be stored solely for that person until they elect to have their data erased or at which time it becomes obvious beyond doubt to the BID that this correspondence is no longer appropriate i.e. if emails are consistently rejected for any reason.
Individuals can obtain a copy of all their personal data held by the BID by contacting the Data Controller. Individuals have the right to request for personal data pertaining to them or the business they represent to be corrected or erased at any time, subject to other provisions in this policy. The data controller will inform the individual making the request of those actions taken and the process for making a complaint should that individual not be satisfied with those actions taken.
How we collect data and keep our records up to date (process for amending and erasing personal data)
We make every effort to ensure our records are up to date in the following ways:
- We obtain records from the Local Billing Authority (Crawley Borough Council) to verify and review business data at least annually as part of the billing cycle.
- We obtain data from individuals via online forms (e.g. opt-in forms, event registration forms, online enquiry forms, surveys and questionnaires) or via direct correspondence by email or telephone.
- As far as possible we will undertake visual checks of properties to identify changes in business occupation.
- We monitor our correspondence with businesses and individuals representing those businesses, whether by post or electronically – and identify where changes may be required e.g. as a result of returned mail, feedback or persistently rejected emails.
- We encourage businesses moving into or out of the area to liaise with us to keep us informed of changes and to let us know when that happens.
- We may also become aware of changes in business occupation or changes in individual contacts within the business by word of mouth.
- From time to time individuals may contact us to inform us of changes to their personal data
Where we become aware of changes in business or personal circumstances impacting on the accuracy of our records we will look to verify the accuracy of the data we hold and take prompt steps to either amend or erase data we hold that is no longer relevant to the operation of the BID. These actions are taken as soon as is practicable and will involve a review of the data we hold wherever and however it is stored.
We will erase personal data in a way that prevents its future use, unless otherwise required for historical, statistical or technical reasons. This will include the destruction of paper records, including business cards, so that personal data is not usable.
How to withdraw consent
Any individual has the right to withdraw their consent. Individuals can do this by contacting the BID Office in any way they choose requesting that we either delete their data, cease to use their data for specific or all purposes or both. In almost all cases we will act on this request as soon as practicable. On those rare occasions where this is not possible, e.g. because of a contractual reason or other legitimate legal basis, the individual will be informed of what action has been taken and how to raise a complaint.
An individual's right to request details of the personal data we hold
An individual has the right to request details of information we hold on them. Having first established the legitimate grounds for the request, i.e. that the person making the request is the person whose personal data we hold or someone rightfully acting on their behalf, we will respond to that request in not more than one month from the date of the request being received. If for whatever reason we cannot comply within this timeframe we will contact the individual, or the party acting on their behalf, to explain why this has not been possible and to provide details of when we will comply, having first sought advice from the Information Commissioner's Office.
Who we share personal data with (Data processors, contractors and third party use)
From time to time the BID contracts with third parties to deliver specific services to businesses and individuals within the defined BID area. This could be in the form of discrete services, projects or initiatives (time-bound or on-going), delivering BID events or the undertaking of BID related communications activities. When this occurs those third parties are subject to the same requirements for processing personal data as set out in this document and only for the express purpose of carrying out the agreed function or service on behalf of the BID.
When contracting with a third party the following terms will apply and be agreed with the BID:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the obligations and rights of the controller.
When contracting with a third party the BID will further stipulate that:
- the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
- the processor must ensure that people processing the data are subject to a duty of confidence;
- the processor must take appropriate measures to ensure the security of processing;
- the processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
- the processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- the processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- the processor must delete or return all personal data to the controller as requested at the end of the contract; and
- the processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
We will not otherwise share personal data with a third party without express consent having first been sought and given.
Developing new systems – privacy by design approach
Should the BID develop new systems or processes we will adopt a privacy by design approach and carry out a Data Protection Impact Assessment (DPIA) as part of this.
We will use the template provided by the Information Commissioner's Office when designing new systems to carry out a DPIA, which is reproduced as Attachment A.
Data security and breaches
Personal data will be processed in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
All electronically stored data will be held in a secure, password protected system, whatever device is used to access it, and access will be strictly limited and controlled. Personal data stored by other means e.g. in paper form will be kept in lockable cupboards in a secure office.
In the event of any breach or suspected loss of personal data the data controller should be informed immediately and the individual or individuals whose personal data is at risk will be contacted and informed of those actions being taken. The data controller will also inform the Information Commissioner's Office as required not later than 72 hours after becoming aware of the breach.
When reporting a breach we will provide a description of the nature of the personal data breach including, where possible:
- the categories and approximate number of individuals concerned;
- the categories and approximate number of personal data records concerned;
- the name and contact details of the data controller;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
We will document all breaches, even if they don't all need to be reported.
Periodic checks will be carried out to ensure our security procedures and systems are up to date and that business continuity measures are in place e.g. through data stored on a remote secure server allowing for data recovery.
Making a complaint
Should an individual have grounds for complaint and it is not resolved to their satisfaction by first contacting the BID Office, they should contact the Information Commissioner at https://ico.org.uk/concerns/handling/
Keeping this policy under review
We will keep this policy under review on a regular basis, at least annually or sooner if required e.g. when designing a new system or process or contracting with a new third party or partner.