
SPUD DATA PROTECTION & PRIVACY POLICY


(Version approved: September 2025)

1. Introduction & Scope

SPUD is committed to full compliance with the UK GDPR and the Data Protection Act 2018, and to best practice in data protection, even though as a Charitable Incorporated Organisation (CIO) it is exempt from ICO registration. This policy applies to all employees, trustees, volunteers, contractors, and third parties processing personal data on SPUD’s behalf.

2. Policy Statement

This policy applies to the processing of personal data in manual and electronic records kept by SPUD. SPUD is committed to ensuring that personal data, including special categories of personal data and criminal offence data (where appropriate), is processed in line with GDPR and domestic laws, and that all its employees conduct themselves in line with this and other related policies. Where third parties process data on behalf of SPUD, the organisation will ensure that the third party takes the measures needed to maintain SPUD’s commitment to protecting data. In line with current data protection legislation, SPUD understands that it is accountable for the processing, management and regulation, and storage and retention of all personal data held in manual records and on computers.

All personal data obtained and held by SPUD will:

  • be processed fairly, lawfully and in a transparent manner

  • be collected for specific, explicit, and legitimate purposes

  • be adequate, relevant and limited to what is necessary for the purposes of processing

  • be kept accurate and up to date. Every reasonable effort will be made to ensure that inaccurate data is rectified or erased without delay

  • not be kept for longer than is necessary for its given purpose

  • be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures

  • comply with the relevant data protection procedures for international transfers of personal data.

In addition, personal data will be processed in recognition of an individual’s data protection rights, as follows:

  • the right to be informed

  • the right of access

  • the right for any inaccuracies to be corrected (rectification)

  • the right to have information deleted (erasure)

  • the right to restrict the processing of the data

  • the right to portability

  • the right to object to the inclusion of any information

  • the right to regulate any automated decision-making and profiling of personal data.

3. Data Controller & Responsibilities

SPUD is the data controller for all personal data collected via:

  • Website (cookies, forms, analytics).

  • Service delivery (e.g., beneficiary records, volunteer details).

  • Partnerships (e.g., subcontractors, funders).

Designated Roles:

4. Data Collected & Lawful Bases

Category               Examples                              Lawful Basis
Service Users          Names, contact details, case notes    Contract, Legitimate Interest
Volunteers/employees   DBS checks, payroll data              Legal Obligation, Contract
Website Visitors       Cookie data, IP addresses             Consent (non-essential cookies)
Sensitive Data         Health, ethnicity (if collected)      Explicit Consent or Safeguarding

Safeguarding Note:
Special category data (e.g., mental health records) requires additional protections and is only processed where strictly necessary (e.g., safeguarding referrals).

5. Data Use & Sharing

Permitted Uses:

  • Service delivery and impact reporting.

  • Legal compliance (e.g., HMRC, safeguarding authorities).

  • Marketing: Only with prior opt-in consent (easy opt-out required).

Third-Party Processors:

  • Contracts must include GDPR-compliant clauses (e.g., data minimization, encryption).

  • Regular security audits of cloud providers (e.g., Microsoft 365, Google Workspace).

6. Security Measures

  • Encryption: All portable devices (USB sticks, laptops) and sensitive emails.

  • Access Controls: Role-based permissions; 2FA for systems holding personal data.

Breach Response:

  1. Contain: Isolate affected systems.

  2. Assess: Risk to individuals (72-hour ICO reporting if high risk).

  3. Notify: ICO and affected parties where required.

  4. Review: Update policies to prevent recurrence.

7. Individual Rights

Users may request:

  • Access (Subject Access Requests – responded to within 30 days).

  • Rectification of inaccurate data.

  • Erasure (where no legal basis for retention).

  • Data Portability (for automated processing).

Request Process: Email [DPO Email] with proof of identity.

8. Training & Compliance

  • Annual GDPR training for all employees/volunteers.

  • Privacy by Design: Mandatory for new projects/services.

  • DPIA (Data Protection Impact Assessment): Required for high-risk processing (e.g., biometric data).

9. Policy Review

Next Review: (Every 3 years or after legal changes).
