Data Management and Protection Policy

Introduction

Youth Business International (YBI) needs to gather and use certain information about individuals. This can include clients, contacts, employees and other people the organisation has a relationship with or may need to contact.

This policy describes how this personal data must be collected, handled and stored to meet the organisation’s data protection standards and to comply with the law.

This data management and protection policy ensures YBI:

• complies with data protection law and follows good practice
• protects the rights of clients, staff and partners
• is transparent about how it stores and processes individuals’ data
• protects itself from the risks of a data breach

Data protection law

The UK General Data Protection Regulation (GDPR) applies in the UK. It outlines that personal data must be:

• Processed lawfully, fairly and in a transparent manner in relation to individuals.
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes.
• Adequate, relevant and limited to what’s necessary in relation to the purposes for which they’re processed.
• Accurate and, where necessary, kept up to date.
• Protected – every reasonable step must be taken to ensure that personal data that’s inaccurate, having regard to the purposes for which they’re processed, is erased or rectified without delay.
• Kept in a form that permits identification of data subjects for no longer than is necessary, and for the purposes for which the personal data is processed (personal).
• Stored for longer periods. For example, the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This will also be subject to implementation of the appropriate technical and organisational measures required by UK GDPR in order to safeguard the rights and freedoms of individuals.
• Processed in a manner that ensures appropriate security of personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
• Managed by a controller responsible for, and be able to demonstrate, compliance with the principles.

Policy Notice

Youth Business International will:

• Comply with both the law and good practice;
• Respect individuals’ rights;
• Be open and honest with individuals whose data is held; and
• Provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently.

Youth Business International is the Data Controller and all processing of personal data will be undertaken in accordance with data protection principles. Youth Business International recognises that its first priority is to avoid causing harm to individuals. Information about individuals will be processed securely and not disclosed to any person unlawfully or unnecessarily.

For processes involving personal data, the responsible staff lead will complete a Data Management Form. This form will be authorised by the Data Protection Officer to confirm it meets the required data protection criteria:

• The information collected will be specific to the purposes required and these purposes will be explained to the individual concerned;
• Data collected will be accurate and maintained for the duration of its use;
• Personal data will be retained only for the duration necessary
• Data processed will meet the individual’s rights:
• Right of access to a copy of the information comprised in their personal data;
• Right to object to processing that is likely to cause or is causing damage or distress;
• Right to prevent processing for direct marketing;
• Right to have inaccurate personal data rectified, blocked, erased or destroyed;
• Right to claim compensation for damages caused by a breach of the regulations.

For the avoidance of any doubt, YBI makes no automated decisions in any regard.

YBI aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. Individuals may exercise their right to a copy of the information held concerning them. See ‘Subject access requests’ below.

Definitions

Personal Data is any information, whether in manual or electronic form, that identifies an individual from that information alone or in combination with other information that is likely to be held by YBI.

The principle categories of individuals which YBI processes the personal data of include:

• Employees – current and past
• Employees of YBI Network members
• Volunteers & Interns
• Job applicants
• Donors
• Suppliers
• Beneficiaries

Processing means the use made of personal data including:

• Obtaining and retrieving;
• Holding and storing;
• Making available within or outside the organisation; and
• Printing, sorting, matching, comparing, and destroying.

People and responsibilities

Everyone at YBI contributes to compliance with UK GDPR. Key decision-makers must understand the requirements and accountability of the organisation to prioritise and support the implementation of compliance. This includes but is not limited to:

• Keeping senior management and the board updated about data protection issues, risks and responsibilities.
• Documenting, maintaining and developing the organisation’s data protection policy and related procedures, in line with agreed schedule.
• Embedding ongoing privacy measures into policies and day-to-day activities throughout the organisation. The policies themselves will stand as proof of compliance.
• Sharing the policy across the organisation, and arranging training and advice for staff.
• Dealing with subject access requests, deletion requests and queries from clients, stakeholders and data subjects about data protection related matters.
• Checking and approving contracts or agreements with third parties that may handle the organisation’s sensitive data.
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
• Performing regular checks and scans to ensure security hardware and software are functioning properly.
• Evaluating any third party services the company is considering using to store or process data, to ensure their compliance with obligations under the regulations.
• Developing privacy notices to reflect a lawful basis for fair processing, ensuring that intended uses are clearly articulated. This will also ensure that data subjects understand how they can give or withdraw consent, or exercise their rights in relation to the company’s use of their data.
• Ensuring that audience development, marketing, fundraising and all other initiatives involving processing personal information and/or contacting individuals abide by the UK GDPR

The Data Protection Officer (DPO), the person responsible for fulfilling the tasks of the DPO in respect to YBI is Nick Lewis, Director of Finance and Operations.

Staff training and acceptance of responsibilities

All staff who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data, relevant to the execution of their responsibilities. All staff will be expected to adhere to all these policies and procedures.

Youth Business International will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.

Scope

This policy applies to:

• All data collected through the YBI website.
• All employees, contractors, and third-party service providers involved in processing personal data for YBI.

Data We Collect

YBI may collect the following categories of personal data:

• Personal Identifiable Information (PII): Name, email address, phone number, organization details, and other data submitted through forms.
• Technical Data: IP addresses, browser types, operating systems, and usage statistics (via cookies and analytics tools).
• Communication Data: Records of interactions with our support team or subscriptions to newsletters.

Legal Basis for Processing

YBI processes personal data based on one or more of the following lawful grounds:

• Consent: When users voluntarily provide data (e.g., newsletter sign-ups).
• Contractual necessity: When processing is required to fulfil a user’s request (e.g., event registration).
• Legitimate interests: For purposes such as improving user experience and website security.
• Legal compliance: When processing is necessary to meet legal obligations.

How We Use Personal Data

YBI uses personal data for:

• Providing requested services or information.
• Sending newsletters and updates (with consent).
• Improving website performance through analytics.
• Ensuring website security and fraud prevention.

Data Sharing and Transfers

YBI does not sell personal data to third parties. Data may be shared with:

• Service providers assisting in service delivery, website operations or marketing.
• Partners involved in campaigns or events (with explicit consent).
• Authorities to comply with legal obligations.

If data is transferred outside the European Economic Area (EEA), YBI ensures adequate safeguards are in place, such as standard contractual clauses.

Data Retention and Storage

• Youth Business International has a single database, protected by password, holding basic information about a limited number of data subjects.
• Youth Business International will regularly review its procedures for ensuring that its records are adequate and limited to only that which YBI needs to carry out the tasks required:
• The database system is reviewed to facilitate the entry of accurate data;
• Data on any individual is held in as few places as necessary, and all staff, volunteers and interns will be discouraged from establishing unnecessary additional data sets;
• Effective procedures are in place so that all relevant systems are updated when YBI is informed of any individual changes;
• Staff, volunteers and interns who keep more detailed information about individuals are given additional guidance on accuracy in record keeping;
• Data is corrected if shown to be inaccurate.
• Youth Business International stores archived paper records of donors and volunteers securely in the office only for the durations that these are needed.

Consent

YBI collects written consent for any data collected for contractual purposes, such as when we register a new YBI Network member or when employing a member of staff.

The YBI website includes a cookie banner where users can decide the level of consent they give for data collection when using the website.

YBI collects written consent to send email campaigns to its members. It occasionally sends emails related to other activities such as events and services based on the legitimate interests of the participating attendees.

Consideration will be made of the lawful basis for personal data to be processed, e.g. whether YBI has a legitimate interest and does not require consent to be granted for it to process personal data or whether consent is deemed appropriate. The decision of the lawful basis being applied and the rationale for that decision shall be recorded in the Data Management Form.

Information about donors will only be made public with their consent. This includes photographs.

Consent will be freely given and explicit, although the form of consent may vary according to the situation, e.g. verbal consent may be accepted for personal data use where written consent is impractical or otherwise inappropriate. Regardless of the form, consent will be recorded with sufficient detail to reasonably corroborate its validity, e.g. time and date of consent, and any further details as necessary.

Youth Business International acknowledges that, once given, consent can be withdrawn, see ‘Subject Access Requests’ for guidance on YBI’s approach. YBI is committed to fulfilling its obligations for the removal of personal information following withdrawal.

Security measures

This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.

Only staff who need access to personal data will be given this privilege. Access to information on the main database is controlled by a password and only those needing access are given the password.

Staff are trained in the secure handling of data, with particular attention given to personal data and sensitive personal data. Any recorded personal data will be:

• Kept in locked cabinets;
• Protected by the use of passwords if kept on computer;
• Destroyed confidentially when it is no longer needed.

Staff, volunteers and interns will use appropriate care to ensure personal data is not shared in insecure ways, e.g. via email or in file-sharing repositories without password protection and that personal data is only shared in this way when necessary.

Staff, volunteers and interns will be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.

Data Breaches

It is the responsibility of the staff member handling personal data to ensure this is done with the greatest care and adherence to this policy. Where a breach occurs or is suspected, the staff member discovering it should inform the Data Protection Office immediately.

The Data Protection Officer is responsible for ensuring the correct procedures are followed in order to understand, mitigate or minimise the harm of a data breach and to inform the relevant authorities.

Subject access requests

All individuals who are the subject of data held by Youth Business International are entitled to:

• ask what information the company holds about them and why
• ask how to gain access to it
• be informed how to keep it up to date
• be informed how the company is meeting its data protection obligations

Subject Access Requests can be made to YBI’s Data Protection Officer at [email protected].

When requesting personal information from YBI, the following information should be included:

• Full name
• Address
• Contact details, e.g. email address, telephone number
• Any information which may help to identify or distinguish the Subject (individual whose personal data is being requested) from others;
• Such as details of the specific information you require (e.g. personnel file) and any relevant dates

Upon receipt of the required information to help YBI identify all personal data held, YBI commits to responding within 1 month (our legal obligation). We do endeavour to respond to queries as soon as is practicable.

Whilst the most efficient way to make a Subject Access Request is to contact YBI at [email protected], all requests that YBI can corroborate as genuine are valid. This includes but is not limited to postal, email, telephone and social media requests. Verbal requests are also valid if this is the most appropriate means of communication with us.

If YBI does not receive all the information required for the identification of personal data we shall revert for this.

YBI takes the use and security of personal data seriously and will meet all reasonable requests for information. If YBI considers the request to be unreasonable, impractical or is otherwise unable to meet the request, we will revert providing our reasons with the expectation of being able to meet the Subject Access Rights without disproportionate effort in terms of:

• The cost of providing the information;
• The length of time it will take;
• How difficult it will be;
• The effect on the subject of not having the information in permanent form.

YBI is committed to providing access to your personal data in the most suitable form. Please make clear in your Subject Access Request if you require the information in a specific format (e.g. Braille, large print, email or audio format) in order for YBI to meet our obligations in this regard and under the Equality Act

Data Subject Rights

Users have the following rights under GDPR:

• Access: Request a copy of personal data held by YBI.
• Rectification: Correct inaccurate or incomplete data.
• Erasure: Request deletion of personal data (subject to legal exceptions).
• Restriction: Limit processing of personal data.
• Objection: Opt-out of direct marketing or processing based on legitimate interests.
• Data portability: Receive data in a structured, machine-readable format.

Exercising the Right to Be Forgotten

In certain circumstances, subjects have the right to be deleted from the YBI database. To request deletion of your data, contact us at [Insert Contact Email] with details of your request. YBI will evaluate the request and respond within one month, as mandated by GDPR. Exceptions may apply if:

• The data is required for legal obligations.
• The data is needed for the establishment, exercise, or defense of legal claims.
• Restriction: Limit processing of personal data.
• Objection: Opt-out of direct marketing or processing based on legitimate interests.
• Data Portability: Receive data in a structured, machine-readable format.

To exercise any of these rights, contact us at [email protected].

Complaints procedure

Any issues regarding Subject Access Rights request should be made via email to [email protected]or in the most appropriate manner according to the circumstances of the subject.

If we are unable to satisfactorily resolve the issue complaints should be directed to the Information Commissioner’s Office (ICO).

Privacy notices

YBI aims to ensure that individuals are aware that their data is being processed, and that they understand:

• who is processing their data
• what data is involved
• the purpose for processing that data
• the outcomes of data processing
• how to exercise their rights

For more information, please see our Privacy Policy.

Policy review

The policy will be reviewed at the first quarterly governance and risk meeting of the year by the chief executive and approved by the board of trustees. It will also be reviewed in response to changes in relevant legislation, contractual arrangements, good practice or in response to an identified failing in its effectiveness.