policy

Data Protection

Giving Back Generation (“GBG,” “we,” “our,” or “us”) is committed to protecting the privacy, dignity, and personal data of everyone involved in our work, including donors, volunteers, staff, beneficiaries, partners, and website users.

1. Introduction

Giving Back Generation (“GBG,” “we,” “our,” or “us”) is committed to protecting the privacy, dignity, and personal data of everyone involved in our work, including donors, volunteers, staff, beneficiaries, partners, and website users. As a charity, we ensure full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection legislation.
This policy sets out how GBG collects, uses, stores, and protects personal data, and explains the responsibilities of those handling personal data on behalf of the charity.

2. Objectives of the Policy

This policy aims to:

  • Ensure that all personal data is processed lawfully, fairly, and transparently.
  • Protect the rights, freedoms, and privacy of individuals whose data we collect, use, or store.
  • Safeguard the reputation and operations of GBG from risks associated with data breaches, misuse, or non-compliance.
  • Support GBG’s safeguarding duties and obligations as set out by the Charity Commission.

3. Scope of the Policy

This policy applies to:

  • All personal data, in both digital and physical formats, collected, stored, or processed by GBG.
  • All Trustees, employees, volunteers, contractors, and partners who access or process personal data on behalf of GBG.
  • All GBG activities, including fundraising, volunteering, programme delivery, partnership work, and website management.

4. Principles of Data Protection

GBG upholds the following UK GDPR data protection principles:

  • Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes, and not processed in a manner incompatible with those purposes.
  • Data Minimisation: Only data necessary for intended purposes is collected and processed.
  • Accuracy: Personal data is accurate and kept up to date. Inaccurate data will be corrected or erased without delay.
  • Storage Limitation: Data is not kept longer than necessary for its intended purpose.
  • Integrity and Confidentiality: Personal data is processed securely, using appropriate technical and organisational measures to protect against unauthorised access, loss, destruction, or damage.
  • Accountability: GBG can demonstrate compliance with all data protection principles.

5. Types of Data Collected

GBG may collect, process, and store the following categories of data:

  • Donors: Name, contact details, donation history, Gift Aid status, communication preferences.
  • Volunteers and Staff: Name, contact details, application details, references, training records, background checks (including DBS checks where relevant), safeguarding disclosures.
  • Beneficiaries: Information necessary to assess eligibility and deliver support or programme participation (e.g., contact details, needs, support provided, safeguarding information as required).
  • Website Users: IP addresses, cookies, analytics data, and other usage information for the purposes of improving website experience and security.
  • Partners, Sponsors, and Suppliers: Contact and contract details as required for project delivery and compliance.

6. Data Subject Rights

Under UK GDPR, all individuals whose personal data is held by GBG have the following rights:

  • Right to Access: Request a copy of their personal data held by GBG.
  • Right to Rectification: Request corrections to inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of personal data where it is no longer required or where consent is withdrawn (subject to legal and safeguarding requirements).
  • Right to Restrict Processing: Request limitation of the use of their data under certain circumstances.
  • Right to Data Portability: Request their data in a machine-readable format for transfer to another organisation.
  • Right to Object: Object to processing of their personal data for particular purposes, including direct marketing.
  • Right not to be subject to automated decision-making (GBG does not use personal data for automated decision-making or profiling).

Requests to exercise these rights can be submitted to contact@givingbackgeneration.org.uk.
GBG will respond within one month of receiving a valid request.

7. Data Security Measures

GBG implements a range of technical and organisational measures to safeguard personal data, including:

  • Encryption of sensitive data during transmission and storage.
  • Secure storage of digital data on password-protected and access-controlled systems.
  • Locked storage of paper records and safe disposal of obsolete documents.
  • Regular staff and volunteer training on data protection, confidentiality, and cyber security.
  • Limiting access to personal data to only those who require it for their roles.
  • Regular review and audit of our data protection and information security practices.

8. Data Breaches

In the event of a data breach or suspected breach:

  • GBG will immediately assess the scope, nature, and impact of the breach.
  • The Data Protection Officer (or responsible person) will take appropriate steps to contain and mitigate the breach.
  • Affected individuals will be notified promptly if their rights or freedoms are at significant risk.
  • GBG will report the breach to the Information Commissioner’s Office (ICO) within 72 hours, where required by law.
  • All breaches and near-misses will be recorded, reviewed, and used to strengthen GBG’s data protection processes.

9. Third-Party Data Sharing

GBG will only share personal data with third parties:

  • When required by law or regulation (e.g., HMRC, Charity Commission, Fundraising Regulator, law enforcement).
  • When it is necessary for delivering our charitable purposes (e.g., with service providers or trusted partners), and always subject to written data processing agreements and due diligence.
  • With the explicit and informed consent of the data subject, except in safeguarding emergencies where data may be shared to protect vital interests or prevent harm.
  • We do not sell personal data or share data with any organisation for commercial purposes.

10. Data Retention Policy

GBG retains personal data only as long as necessary for its purposes, or as required by law, funding agreements, or regulatory bodies.

  • Donor records: Retained for at least six years for financial and Gift Aid reporting.
  • Volunteer and staff records: Retained for the duration of involvement plus up to six years after departure (or longer if required for safeguarding or legal purposes).
  • Beneficiary records: Retained for the duration of the programme and as required by funders, regulations, or safeguarding best practice.
  • Safeguarding records: Retained in accordance with current safeguarding guidance, often for an extended period to protect vulnerable persons.
  • All data is securely destroyed when no longer required.

11. Monitoring, Training, and Compliance

  • GBG regularly reviews and updates its data protection policies, procedures, and risk assessments to ensure ongoing compliance.
  • All staff, trustees, and volunteers receive data protection training at induction and periodic refresher sessions.
  • Any suspected non-compliance, risk, or incident must be reported immediately to the Data Protection Officer or designated responsible person at contact@givingbackgeneration.org.uk.
  • GBG will cooperate fully with regulatory bodies and investigations as required.

12. Data Protection Officer / Contact Information

For questions, concerns, or to exercise your data protection rights, please contact:

Giving Back Generation Limited
Data Protection Officer (DPO)
662 High Road, N12 0NL, London, United Kingdom
contact@givingbackgeneration.org.uk

13. Policy Review and Updates

This Data Protection Policy will be reviewed at least annually, or more frequently as required by changes in law, regulation, or operational needs. Any updates will be communicated to all staff, volunteers, and published on our website.

By adhering to this Data Protection Policy, GBG demonstrates its commitment to upholding the highest standards of privacy and data security for all individuals and stakeholders.