1. Introduction
The Impact Trust (“the Trust”), a charity registered in England and Wales (Registration
Number 1167011), is committed to protecting the privacy and security of personal data. This
policy outlines how the Trust collects, uses, stores, and protects personal data, ensuring
compliance with the UK General Data Protection Regulation (GDPR), the Data Protection
Act 2018, and other relevant legislation.
2. Scope
This policy applies to:
- All trustees, staff (including temporary and contract staff), volunteers, and representatives of the Trust.
- All personal data processed by the Trust, regardless of format (electronic, paper, or otherwise).
- All activities involving the collection, use, storage, sharing, or disposal of personal data.
3. Data Protection Principles
The Trust will ensure that personal data is:
- Processed lawfully, fairly, and transparently.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accurate and kept up to date; inaccurate data will be rectified or erased without delay.
- Kept no longer than necessary for the purposes for which it is processed.
- Processed securely, protecting against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organizational measures.
4. Lawful Basis for Processing
The Trust will only process personal data where there is a lawful basis, including:
- Consent from the data subject.
- Performance of a contract.
- Compliance with a legal obligation.
- Protection of vital interests.
- Legitimate interests pursued by the Trust or a third party, except where overridden by the interests or fundamental rights of the data subject.
Where consent is required, it will be sought in a clear, accessible way, and individuals will be
informed of their right to withdraw consent at any time.
5. Categories of Personal Data
Personal data processed by the Trust may include:
- Names, addresses, emails, telephone numbers.
- Financial information (for donations or payments).
- Photographs, images, or video footage.
- Special categories of data (e.g., health information, racial or ethnic origin) only where necessary and with appropriate safeguards.
6. Purposes of Data Processing
The Trust collects and processes personal data for purposes including:
- Administration of charitable activities and events.
- Communication with supporters, beneficiaries, and stakeholders.
- Fundraising and processing donations.
- Compliance with legal and regulatory obligations.
- Recruitment and management of staff and volunteers.
7. Data Sharing
Personal data may be shared with:
- Service providers and contractors acting on behalf of the Trust.
- Regulatory authorities or law enforcement, where required by law.
- Partner organizations, only with appropriate agreements and safeguards.
Where data is shared regularly, a data sharing agreement will be in place. Data subjects will
be informed of any sharing in the Trust’s Privacy Notice.
8. Data Security
The Trust will:
- Restrict access to personal data to those who need it.
- Use secure systems and procedures for storing and handling data.
- Provide training to staff and volunteers on data protection.
- Regularly review and update security measures.
9. Data Retention
The Trust will retain personal data only as long as necessary for the purposes for which it
was collected, in line with its Records Retention Schedule. Data will be securely deleted or
destroyed when no longer required.
10. Individual Rights
Data subjects have rights under the GDPR, including:
- Right to be informed about data collection and use.
- Right of access to their personal data.
- Right to rectification of inaccurate data.
- Right to erasure (“right to be forgotten”) in certain circumstances.
- Right to restrict processing.
- Right to data portability.
- Right to object to processing.
- Rights in relation to automated decision making and profiling.
Requests to exercise these rights can be made to the Trust’s Data Protection Lead.
11. Data Breaches
Any suspected data breach must be reported immediately to the Data Protection Lead. The
Trust will investigate all breaches and notify the Information Commissioner’s Office (ICO)
and affected individuals where required.
12. Data Protection by Design
The Trust will integrate data protection into all processing activities and projects, including
conducting Data Protection Impact Assessments (DPIAs) where processing is likely to result
in high risk to individuals’ rights and freedoms.
13. Training and Awareness
All staff, trustees, and volunteers will receive regular training appropriate to their roles to
ensure understanding of their data protection responsibilities.
14. Monitoring and Review
The Trust will regularly audit compliance with this policy and review it annually or in
response to legislative changes or identified weaknesses.
15. Contact
For any queries or to exercise your rights under this policy, please contact info@impacttrust.org.