Data Protection Policy – The Association of Independent Festivals ltd (AIF).
This is the statement of general policy arrangements for AIF. The organisation is committed to ensuring that all personal information in its possession is processed fairly and lawfully with all due regard to current data protection legislation in force in the United Kingdom. The organisation recognises that it is a Data Controller as defined in legislation and takes the responsibilities of this role seriously.
Data Protection Officer
Having reviewed the nature and scope of the information held by the organisation, the board of directors have decided not to designate a Data Protection Officer in accordance with Article 37 of the EU General Data Protection Regulation (EU2016/679). Overall responsibility for data protection rests with the CEO and board of directors.
Roles and Responsibilities
Everyone in the organisation is responsible for ensuring that their own work practices are compliant with the relevant policies and procedures regarding data protection and for promptly reporting any potential breaches of data protection to the incident response team. Failure to do so may result in disciplinary action as well as personal liability.
The members of the incident response team are: Paul Reed. 24-hour contact details can be found in the incident reporting procedure.
The following table sets out the key responsibilities under this policy and the people responsible for each.
|Overall responsibility for data protection||CEO: Paul Reed. Directors: A full current list can be found at www.aiforg.com||CEO and Board of Directors|
|Day-to-day responsibility for ensuring policy is put into practice||Paul Reed||CEO|
|Responsible for the physical security of locations and devices containing personal information||Paul Reed||CEO|
|Responsible for the cyber security of computer systems containing personal information||Paul Reed||CEO|
|Maintaining a register of personal information processed by the organisation||Paul Reed||CEO|
|Ensuring that any information processing is in accordance with the legal basis and the data protection principles||Paul Reed||CEO|
|Ensuring that appropriate impact assessments are carried out and the results of those assessments are put into practice
|Ensuring that appropriate policies and procedures are in place and that staff are given training and guidance in order to be competent in doing their work||Paul Reed||CEO|
|Ensuring that data subjects are informed about processing through privacy notices and other means||Paul Reed||CEO|
|Ensuring that contracts include data protection clauses where relevant||Paul Reed||CEO|
|Ensuring that any personal information exported to a non-EU country is subject to appropriate legal safeguards||Paul Reed||CEO|
|Ensuring that data subject requests are dealt with appropriately and in a timely manner||Paul Reed||CEO|
|Ensuring that data breach incidents are dealt with appropriately and in a timely manner||Paul Reed||CEO|
|Ensuring that business continuity arrangements protect the confidentiality, integrity and availability of personal information even during a crisis.||Paul Reed||CEO|
Sign-off and Review
This policy was agreed by the board of directors on 24.08.18 and will be reviewed at least
Signed by: Paul Reed
If your information changes, or you have any comments, queries and requests relating to our use of your information please contact us at firstname.lastname@example.org.