Internal Data Protection Policy (GDPR)
Last Updated: February 27, 2026
For: Staff, Volunteers, and Directors of What We Think CIC
While the Privacy Policy (provided previously) is an external document for your customers and website visitors, this Data Protection Policy is an internal document. It sets out the rules and standards that everyone working for What We Think CIC must follow to ensure we comply with the UK GDPR and the Data Protection Act 2018.
1. Purpose and Scope
What We Think CIC is a data controller under the UK GDPR. This policy applies to all personal data we process, regardless of where it is held (e.g., on computers, in cloud services, in email, or in paper files).
This policy applies to all staff, volunteers, contractors, and directors (“Users”) of What We Think CIC.
2. The 7 Data Protection Principles
In accordance with the UK GDPR, we are committed to the following principles. All data must be:
- Lawful, Fair, and Transparent: We must have a valid lawful basis (see Section 4) before we process data, and we must be open with individuals about how we use it.
- Purpose Limitation: We only collect data for specific, explicit purposes (e.g., delivering well-being sessions) and do not use it for anything else.
- Data Minimisation: We only collect the data that is strictly necessary.
- Accuracy: We must ensure data is accurate and kept up to date. Inaccurate data must be corrected or deleted.
- Storage Limitation: We will not keep data for longer than necessary.
- Integrity and Confidentiality (Security): We must ensure appropriate security to prevent loss, destruction, or unauthorised access.
- Accountability: We are responsible for demonstrating compliance with these principles.
3. Special Category Data (Health & Well-being)
As our business involves physical well-being activities, we process “Special Category Data” (health information). This data requires higher levels of protection.
- Rule: We must not process health data unless we have obtained Explicit Consent from the individual. Explicit consent is the condition we rely on under Article 9 of the UK GDPR, and it must be freely given, specific, and informed; the individual must be told that they can withdraw it at any time, and withdrawal must be as easy as giving consent.
- Action: Ensure all intake forms for physical activities have a clear “I consent” tick box specifically for health information. The box must be unticked by default (a pre-ticked box or a consent bundled into general terms is not valid consent), and we must keep a record of what the individual consented to, when, and the wording they saw.
- Security: Health data (paper or digital) must be restricted. Only staff who need to know a participant’s medical condition to ensure safety should have access.
4. Lawful Basis for Processing
We must identify a lawful basis before processing any personal data. Our primary bases are:
- Contract: Necessary to deliver the service the user signed up for.
- Legal Obligation: Necessary to comply with a legal duty placed on us (e.g., keeping records required by employment or tax law).
- Legitimate Interests: Necessary for our business interests, provided those interests are not overridden by the individual’s rights and freedoms. The Data Protection Lead must record the balancing test (a legitimate interests assessment) before this basis is relied on.
- Consent: Required for direct marketing and, as the Article 9 condition, for processing health data. Consent must be a clear, affirmative action, recorded, and easy to withdraw; we do not send marketing to anyone who has not opted in or who has opted out.
5. Individual Rights
Individuals have the following rights, which we must facilitate:
- Right to be informed: via our Privacy Policy.
- Right of access: They can ask to see the data we hold on them (Subject Access Request).
- Right to rectification: Correcting wrong data.
- Right to erasure: (The “Right to be Forgotten”).
- Right to restrict processing.
- Right to data portability.
- Right to object.
Procedure for Subject Access Requests (SARs): Anyone can ask to see their data, verbally or in writing, and the request does not have to mention the law or use the words “subject access request”. We must respond free of charge within one month of receiving the request (the Data Protection Lead may extend this by up to two further months only if the request is complex, and must tell the individual within the first month). Before any data is released, the Data Protection Lead must confirm the requester’s identity so that we do not disclose personal data, especially health data, to the wrong person. All SARs must be immediately forwarded to the Data Protection Lead (see Section 8); the one-month clock starts when we receive the request, not when it is forwarded.
6. Data Security & Storage
- Paper Records: Must be kept in a locked filing cabinet/drawer. Never leave files containing personal data on desks overnight.
- Digital Records: Must be held only in work accounts and systems, never in personal email or personal cloud storage. Accounts must be protected by a password and, wherever the service offers it, multi-factor authentication. Laptops and phones used for work must have full-disk encryption switched on (e.g., BitLocker on Windows, FileVault on macOS, or the built-in encryption on modern iOS and Android devices) so that a lost or stolen device does not expose the data on it.
- Passwords: Use a strong, unique password for every account, do not reuse personal passwords for work accounts, do not share passwords, and use a password manager rather than writing them down.
- Clear Desk Policy: Secure all sensitive information when away from your workstation.
7. Data Breaches
A personal data breach is a security incident that affects the confidentiality, integrity, or availability of personal data (e.g., sending an email or letter to the wrong person, losing a laptop, phone, or paper file, or a hacking or phishing incident). If you suspect a breach:
- Report it to the Data Protection Lead immediately, even if you are not sure it is a breach or think it is minor. Do not wait to gather more information first.
- Preserve the evidence: do not delete the email, wipe the device, or change anything until the Data Protection Lead has told you what to do.
- The Data Protection Lead must report a breach that is likely to result in a risk to individuals to the Information Commissioner’s Office (ICO) within 72 hours of our becoming aware of it. Where the breach is likely to result in a high risk to individuals (for example, exposure of health data), the individuals affected must also be told without undue delay.
- Every breach, including those that are not reported to the ICO, must be recorded in our breach log with what happened, its effects, and what we did about it.
- Do not attempt to investigate it yourself without authorisation.
8. Key Responsibilities
The Data Protection Lead is: David Lampkin.
- Responsible for updating this policy and the Privacy Policy.
- Handling Subject Access Requests.
- Reporting breaches to the ICO.
- Ensuring staff/volunteers are trained on GDPR.
9. ICO Registration
As a CIC processing personal data, including health data, we are required to pay the data protection fee to the Information Commissioner’s Office (ICO).
- Our ICO Registration Number: [“Pending Registration”]
10. Training and Review
All staff and volunteers will receive a copy of this policy. It will be reviewed annually to ensure it remains up to date with the law and our internal processes.