Data Protection Policy
The Institution of Lighting Professionals takes its responsibilities regarding the General Data Protection Regulations very seriously. This document sets out ILP policy and the framework through which the Institution will manage the processing of data in a compliant manner.
Core principles
The ILP will ensure that
- Their actions are lawful, fair and transparent
- Their actions are expected by the data subject
- They store only enough data to do the task required
- The data they hold is accurate
- They only keep data for as long as necessary
- They keep data securely
- They can demonstrate compliance with GDPR
Data subjects have the right to
- Know what’s going to be done with ILP data
- Receive a copy of their data upon request
- Have incorrect data corrected promptly
- Have data erased where there is no reason to keep it
- Restrict processing
- Data portability
- Object to data being processed
- Not be subject to automated processing
The ILP will honour these rights, at no charge, within one month of any written request.
As a data controller, the ILP will
- Be accountable and demonstrate compliance
- Adopt privacy by design
- Take care when using third-party processors
- Keep records of processing
- Treat security seriously
- Tell the regulator if there is a breach, within 72 hours
- Tell data subjects about high-risk breaches
- Carry out privacy impact risk assessments
Security
The ILP will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes
- Encryption of data where appropriate.
- Consideration of the ongoing confidentiality, integrity, availability and resilience of the systems we use.
- Testing our procedures on an ongoing basis.
Legal basis for processing personal data
- Consent (for example, for marketing and fundraising activities)
- Performance of a contract (for example, issuing AGM notices and membership benefits such as the Lighting Journal)
- Compliance with a legal obligation (for example, for VAT accounts)
- To protect the vital interests of a data subject
- Necessary for the performance of a task carried out in the public interest
- Legitimate interests
The ILP will determine their legal basis for processing personal data for each activity and document this.
Consent
Consent will be gained by asking for an unambiguous affirmative action for a specific and explicit activity. For example, opting in to the ILP e-newsletter.
- The ILP will explain this transparently at the point of data collection, separately from other terms and conditions.
- The ILP will explain how to withdraw consent.
- The ILP will keep a record of this process.
- Consent will be maintained and refreshed every three years.
Data Protection staff
An ILP member of staff will
- Inform and advise the organisation, train staff and volunteers
- Conduct internal audits
- Monitor compliance with GDPR
- Be the first point of contact for the ICO and data subjects
The ILP will not
- Data blend or profile
- Pass details of event attendees to exhibitors and sponsors without consent
- Capture any data relating to anyone below 18 years old
- Hold special category data unless this relates to staff or governance issues.