We Need Music CIC
GDPR Data Protection Policy

Last updated: 15th October 2025
Next update due: 15th October 2026

1. Introduction

We Need Music CIC is committed to protecting the privacy and security of personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains how we collect, use, store, and protect personal data, and sets out the rights of individuals whose data we process. It applies to all staff, directors, volunteers, freelancers, and anyone acting on behalf of We Need Music CIC.

2. Purpose of this Policy

The purpose of this policy is to ensure that We Need Music CIC:

● Handles all personal data responsibly, lawfully, and transparently
● Protects the rights of individuals whose data we hold
● Demonstrates accountability and compliance with data protection legislation
● Ensures that all team members understand their responsibilities in relation to data protection.

3. Scope

This policy applies to:

● All personal data processed by We Need Music CIC, whether in digital or paper form.
● All staff, directors, volunteers, freelancers, and anyone acting on behalf of We Need Music CIC
● Third parties or partners who process data on our behalf.

Where We Need Music CIC acts as a data processor or joint controller with a partner or funder, clear data-sharing agreements will define responsibilities in line with GDPR requirements.

4. Key Definitions

Personal Data: Any information that can identify a living individual, such as names, contact details, or other identifiers.

Sensitive Data (Special Category Data): Personal data that is particularly sensitive, including information about race, ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health, or sexual orientation.

Processing: Any action performed on personal data, such as collection, storage, use, or deletion.

Data Subject: The individual whose personal data is being processed.

Controller: The organisation that determines the purpose and means of processing personal data.

5. Data Protection Principles

We are committed to adhering to the following principles under GDPR:

● Lawfulness, fairness, and transparency: We will process personal data lawfully, fairly, and in a transparent manner.
● Purpose limitation: Personal data will only be collected for specified, legitimate purposes and not further processed in ways incompatible with those purposes.
● Data minimisation: We will ensure that the personal data we collect is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
● Accuracy: We will take reasonable steps to ensure that personal data is accurate and kept up to date.
● Storage limitation: Personal data will not be kept in a form that allows identification of data subjects for longer than is necessary for the purposes for which the data is processed.
● Integrity and confidentiality: We will process personal data in a manner that ensures its security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
● Accountability: We will be accountable for our data processing activities and ensure compliance with this policy.

6. Legal Bases for Processing Personal Data

We rely on one or more lawful bases under Article 6 of the UK GDPR, depending on the context:

| Purpose | Lawful Basis | Example |
|---|---|---|
| Delivering services and programmes | Legitimate interests / Contract | Registering participants for workshops |
| Managing staff and volunteers | Contract / Legal obligation | Payroll and HR records |
| Collecting monitoring data for funders | Legitimate interests / Consent | Equal opportunities reporting |
| Processing donations and payments | Consent / Legal obligation | Gift Aid claims |
| Marketing and communications | Consent / Legitimate interests | Newsletters and updates |
| Health and safety, safeguarding, and incident management | Legal obligation / Vital interests | Reporting safeguarding concerns |

7. Processing of Special Category Data

Where we collect or process Special Category Data (e.g., health or equality data), we rely on Article 9(2)(a) (explicit consent) or Article 9(2)(b) (employment and social protection law obligations). We ensure additional safeguards such as restricted access, encryption, and secure deletion.

8. How We Collect Personal Data

We collect personal data in a variety of ways, including:

● When individuals sign up for our services or events,
● Through forms submitted on paper or online (e.g., contact forms, registration forms, surveys),
● From communication with individuals (e.g., via email, phone, or social media),
● Through our employees, contractors, and volunteers as part of their work with the organisation.
● From funders or partners where lawful data sharing is agreed.

9. Data Retention

We only retain data for as long as necessary for its intended purpose. After that, it is securely deleted or anonymised.

| Data Type | Typical Retention Period | Disposal Method |
|---|---|---|
| Staff and volunteer records: Employment history, applications, job titles, contracts, health information which may impact their role | 6 years after leaving | Secure deletion / shredding |
| Participant and project data: Name, address, email, phone number. Age, gender, date of birth. Data related to attendance. | 3 years after last contact | Anonymisation or deletion |
| Financial records: Payment details, billing information, invoices, payments, book-keeping and accounts | 7 years | Secure digital deletion and shredding of paper records |
| Safeguarding Data: Incident reports, documentation of procedure followed. | 10 years (or as legally required). Child protection records should be kept until the child reaches the age of 25. | Secure storage, then deletion or shredding of paper records |
| Marketing Data: Email marketing, WhatsApp groups | Until consent withdrawn or not engaged with our communication in over 2 years. | Immediate removal |
| Sensitive data: As required by our project funders, for example, barriers to participation e.g. asylum status, health conditions, employment status | 10 years from when collected | Collected anonymously |

9. How We Use Personal Data

We use personal data for the following purposes:

● To deliver services and programs effectively,
● To manage communications with employees, volunteers, and service users,
● To process payments, donations, or invoices (where applicable),
● To comply with legal or regulatory requirements,
● To monitor and improve the quality of our services and programs,
● To keep individuals informed about our work, events, and initiatives.

10. Data Security and Confidentiality

We take data security seriously and have implemented appropriate technical and organisational measures to ensure the protection of personal data. These measures include:

● Encryption and password protection of digital data,
● Secure storage and disposal of paper-based records,
● Access controls to restrict data to authorised personnel only,
● Regular security audits and reviews of data protection practices.
● Use of GDPR-compliant third-party services.

11. Sharing of Personal Data

We will not share personal data with third parties, except in the following circumstances:

● Where we are required by law to disclose data (e.g., to regulatory authorities or law enforcement),
● When we have explicit consent from the data subject,
● With trusted third-party service providers who process data on our behalf (e.g., for payment processing or cloud storage). In such cases, we ensure that these third parties comply with GDPR requirements and adequate safeguards (such as International Data Transfer Agreements) are in place.

12. Rights of Data Subjects

Under the GDPR, data subjects have the following rights regarding their personal data:

● Right to Access: You have the right to request access to the personal data we hold about you.
● Right to Rectification: You have the right to request correction of any inaccurate or incomplete data we hold.
● Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data under certain conditions.
● Right to Restriction of Processing: You have the right to request the restriction of processing of your personal data under certain circumstances.
● Right to Data Portability: You have the right to receive your personal data in a structured, commonly used format and transmit it to another controller.
● Right to Object: You have the right to object to the processing of your personal data in certain situations, such as direct marketing.
● Right to Withdraw Consent: If we are processing data based on your consent, you have the right to withdraw that consent at any time.

Requests can be made in writing or by email. We respond within one month. If you are unhappy with our response, you have the right to complain to the Information Commissioner’s Office (ICO): www.ico.org.uk

13. Data Breaches

All staff and volunteers must immediately report any actual or suspected data breach to the Data Protection Lead. We will:

● Log all breaches in our internal register.
● Notify the Information Commissioner’s Office (ICO) within 72 hours, where required,
● Notify affected individuals without undue delay, where appropriate.

14. Training and Awareness

We will provide training for all staff members and contractors on data protection principles and their responsibilities under GDPR where relevant. We aim to foster a culture of data protection awareness across the organisation.

All staff, volunteers, and contractors receive data protection training:

● On induction.
● When roles or responsibilities change.

Training completion is recorded for compliance purposes.

15. Accountability and Governance

We maintain documentation of our processing activities in accordance with Article 30 of the UK GDPR. The Board of Directors oversees data protection compliance and ensures that appropriate policies, reviews, and resources are in place.

16. Changes to This Policy

This policy will be reviewed annually, or sooner if there are significant legal or organisational changes, to ensure compliance with data protection laws and best practices. Any changes will be communicated to employees and stakeholders.

17. Contact Information

For any questions, concerns or to exercise your legal rights regarding this policy or data protection practices, please contact:

Data Protection Lead: Laura Forster
Phone: 07349904889
Address: 13 Hyde Road, Paignton, Devon, United Kingdom, TQ4 5BW
Email: info@weneedmusic.org


PanKind and Lullabubbas are projects and trading names of We Need Music CIC

All content ©2025 We Need Music CIC.
