Data Protection Policy
Data protection responsibility and accountability
The Board will be responsible for ongoing GDPR compliance. It will ensure that we have the necessary policies in place and that they are regularly reviewed and appropriately implemented. One Director will be nominated to review GDPR compliance on a semi-annual basis and report compliance/issues to the Board at 2 Directors' meetings a year.
Any day-to-day public queries about GDPR would be received initially by the Operations Manager role (using the Bridge email address as a contact point).
Data protection awareness training
Bridge volunteers will be briefed on the GDPR requirements as part of their induction, using a briefing sheet to be circulated to all volunteers. Our existing volunteers will be briefed (so that all volunteers working at The Bridge know about the obligations of The Bridge under the new law and understand the rights the public have). Volunteers will be asked to confirm their understanding of GDPR requirements when signing the volunteer agreement.
Data security systems
We will process personal data in a manner that ensures appropriate security.
To do this we will decide what level of security is right for our organisation, assess the risks to the personal data we hold, and choose security measures that are appropriate to our needs.
We will keep our IT systems safe and secure and ensure we provide adequate time and resources and (potentially) seek specialist expertise.
Information risks and mitigation
The Bridge is responsible for managing information risks. When information risks are identified, we will put action plans in place to mitigate such risks.
Data Protection Impact Assessment
The Bridge has undertaken a Data Protection Impact Assessment.
ICO registration
http://ico.org.uk/for:organisations/
Our organisation is currently registered with the Information Commissioner's Office.
Reference no: ZA420424
Breach notification
We understand we have a duty to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected, and we will notify the ICO of a breach within 72 hours.
In all cases we will maintain records of personal data breaches, whether or not they are notifiable to the ICO.
Information we hold
We have conducted an information audit to map how data flows through our organisation.
Data quality
We will regularly review the information we process or store to identify when we need to take action to e.g. correct inaccurate records and when data can be disposed of.
Lawful basis for processing personal data
We keep personal data on the following bases:
Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
Contract: the processing is necessary for contracts we hold with individuals.
Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
Sensitive data
We currently only keep sensitive data on our volunteer forms for health and safety purposes.
Consent
We do this by:
Keeping our consent requests prominent and separate from our other terms and conditions.
Seeking a positive opt-in such as unticked opt-in boxes or similar active opt-in methods.
Avoiding making consent a precondition of service.
Being specific and granular: allowing individuals to consent separately to different purposes and types of processing whenever appropriate.
Naming our business and any specific third-party organisations who rely on this consent.
Keeping records of what an individual has consented to, what we told them, and when and how they consented.
Telling individuals they can withdraw consent at any time and how to do this.
We continue to review consent as part of our ongoing relationship with individuals to ensure we meet GDPR’s standards.
Individuals’ rights
We are aware that individuals have a right to be informed that we are collecting their data, why we are processing it and who we are sharing it with. To make sure individuals know this we will publish privacy information on our website.
The information will be:
concise, transparent, intelligible and easily accessible
written in clear and plain language
free of charge
Right of access
We acknowledge the right of individuals to have access to their data and will provide a copy of the information we hold about them, free of charge, within one calendar month of receiving their request (except in exceptional circumstances, i.e. where a request is manifestly unfounded or excessive, in which case we may charge an admin fee).
Right to rectification
We will respond to a request for information to be rectified within one month of receipt (this may be extended to two months in exceptional circumstances, in which case we will contact the person making the request). We will verify the identity of the person making the request, using “reasonable means”.
Right to erasure including retention
We recognise the right individuals have to be forgotten and will respond to requests for the erasure of personal data within one month of receipt (this may be extended by up to two months in exceptional circumstances, in which case we will contact the person making the request).
We will verify the identity of the person making the request, using “reasonable means”.
On occasions we may refuse to comply with a request for erasure if we are processing the data for the following reasons:
to exercise the right of freedom of expression and information
to comply with a legal obligation
to perform a public interest task or exercise official authority
Right to restrict processing
We recognise individuals have the right to block or restrict the processing of their personal data and will respond to requests to restrict the processing of their personal data within one month of receipt. Whilst investigating a request for restriction we will only store the personal data, but not further process it.
We will retain just enough information about the individual to ensure that the restriction is respected in the future.
We will consider restricting the processing of personal data if:
An individual contests the accuracy of the personal data (we will restrict the processing of the data until we have verified the accuracy of the personal data).
An individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override those of the individual.
Processing is unlawful and the individual opposes erasure and requests restriction instead.
We no longer need the personal data, but the individual requires the data to be retained to allow them to establish, exercise or defend a legal claim (we will review procedures to ensure we are able to determine if we need to restrict the processing of personal data).
We will inform individuals when we decide to lift a restriction on processing.
Right to data portability
We recognise the right individuals have to data portability. We will enable individuals to obtain and reuse their personal data for their own purposes across different services, and will respond to requests for personal data free of charge within one month of receipt.
The right to data portability only applies:
To personal data an individual has provided to us as a controller;
Where the processing is based on the individual’s consent or for the performance of a contract; and
Where the processing is carried out by automated means.
Individuals can make a request verbally or in writing.
We will verify the identity of the person making the request, using “reasonable means”.
Right to data portability (structure)
We will provide the personal data in a structured, commonly used and machine-readable format. Examples of appropriate formats we will use include CSV (Excel).
If the individual requests it, we may transmit the data directly to another business where this is technically feasible.
Right to object
We recognise the right of individuals to object to having their data collected/retained in certain circumstances and will respond to requests made verbally or in writing within one month of receipt. (Our email newsletter gives recipients the option to unsubscribe.)
We will verify the identity of the person making the request, using “reasonable means”.
Right to object (direct marketing)
We will stop processing data for any direct marketing as soon as we receive an objection.
Right to object (lawful and legitimate interest)
In exceptional circumstances we may refuse the right to object where we have a lawful and legitimate interest for retaining data; in such circumstances we will demonstrate compelling legitimate grounds for processing, which override the interests, rights and freedoms of the individual; or where we are processing for the establishment, exercise or defence of legal claims.
Rights related to automated decision making including profiling
We recognise the right of individuals not to be subjected to a decision when it is based solely on automated processing, including profiling, and where it produces a legal effect or similarly significant effect on the individual. We will respond to requests for cessation of this form of profiling made verbally or in writing within one month of receipt.
We will seek consent for profiling where it is in the interests of the individual or for legitimate purposes of contacting; and where automated profiling is used, we will enable individuals to:
Obtain human intervention;
Express their point of view; and
Obtain an explanation of the decision and challenge it.
We will take particular caution if we make automated decisions about children.
Reviewed: June 2025