Data Protection Policy

1. Purpose

1.1 Purpose

The purpose of the Data Protection Policy is to set out what the Bank needs to do as a minimum to comply with data protection legislation.

Personal data is defined as “Information identifying a Data Subject or information relating to a Data Subject that BBB can identify (directly or indirectly) from that data alone or in combination with other identifiers BBB possess or can reasonably access. Personal Data includes Special Categories of Personal Data and Pseudonymised Personal Data, but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour”.

This Policy forms part of the Risk Management Framework and should be read in conjunction with the associated standards and procedures that set out what is expected of colleagues when handling personal data. The full list of definitions used in this Policy is available at Section 7.

The applicable laws include the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

In addition to meeting its legal obligations, the BBB, as an Arm’s Length Body (ALB), is required to meet the Government Functional Standards where applicable. Obligations arising from Government Functional Standard GFS005 (Digital, Data and Technology) and GFS007 (Security) are set out in this policy and its associated standards.

1.3 Alignment to Risk Appetite

This Policy sits under the Level One Risk category, Operational and Resilience Risk.

It aligns to the Level Two Risk Category, Information Management, which is defined as ‘The risk of failing to treat information as a strategic asset, appropriately manage and maintain the organisation’s information across its lifecycle to support its necessary use, resilience, integrity and availability.’

BBB’s Risk Appetite Data Management is Medium.

The correct handling of personal data is vital to achieving BBB’s strategic objectives while complying with its legal and regulatory obligations.

2. Scope

This Policy applies to all BBB entities, operations and subsidiaries, and Colleagues. It also applies in part to third parties that are contracted to process personal data for or on our behalf, in particular where the third party is a data processor, or we have instructed a third party to carry out direct marketing on our behalf.

It does not form part of any employees’ contract of employment, and we may amend it at any time.

This Policy applies to all BBB Personal Data we process regardless of where the data is stored, its age, format, or whether it relates to past or present employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject.

3. Requirements

3.1 Data Protection Principles

The data protection principles are key to data protection law and determine that Personal Data shall be:

  1. Processed fairly, transparently and lawfully
  2. Processed only for specified and not incompatible purposes
  3. Adequate, relevant and necessary for the purpose
  4. Accurate and, where necessary, kept up-to-date
  5. Not kept longer than necessary for the purpose
  6. Kept secure by technical/organisational means

The seventh principle requires that the Controller (BBB) be responsible for, and be able to demonstrate compliance with, the above principles.

3.2 Accountability

To comply with the data protection principles, we:

  1. Register the British Business Bank plc as a Data Controller (and any other of its entities that act as a Data Controller) with the Information Commissioner’s Office for inclusion on the Register of fee payers (registration No. ZA084015)
  2. Appoint a Data Protection Officer and register their name, contact details and address with the Information Commissioner’s Office
  3. Maintain a Record of Processing Activities to identify the business activities that process Personal Data as required by law (GDPR Article 30) and know what lawful basis applies to the data processing.
  4. Minimise the Personal Data we collect and challenge ourselves at the beginning of and during our business activities to ensure the Personal Data attributes are relevant, necessary and appropriate.
  5. Ensure the Personal Data we process is managed, so that it is accurate, meaningful and complete. 
  6. Adopt privacy by design principles to avoid or remove excessive Personal Data from our processing using, where possible, aggregated, anonymised, or pseudonymised data or in the case of testing and training, fictitious data.
  7. Provide Data Subjects with a privacy statement or privacy notice when we collect their Personal Data to make clear what Personal Data we need and why, together with all the information required by law. Where a short privacy statement is used, it must include a reference to the relevant privacy notice and how it can be accessed. Privacy notices and statements must be reviewed at least once a year to ensure they are accurate and up to date.
  8. Tell Data Subjects if we process Personal Data about them that we have obtained from a third party, and do so within one month of receiving the information, unless one of the following exceptions applies: the Data Subjects already know, it would be a disproportionate effort, or disclosure is restricted by another law or regulation.
  9. Evidence the consent decisions from Data Subjects for the processing of their Personal Data to confirm what the Data Subjects consented to and when, that it was a real choice, easy to understand, freely given and an affirmative action (not vague, packaged, conditional, or an opt out). Consent can be withdrawn at any time and such decisions must be recorded. 
  10. Maintain a suppression list of the names and contact details of any Data Subjects or business that has confirmed they do not wish to receive any direct marketing or any other communications about our market research, consultation or events. Such requests must be actioned promptly and in effect within one month.
  11. Action requests from Data Subjects (or their representatives) exercising their data protection rights to:

    • withdraw their consent;
    • access the Personal Data we hold about them;
    • be informed as to why we hold their Personal Data and what we do with it;
    • have their Personal Data corrected, erased, restricted, transferred to another controller; or
    • ask for a manual review of an automated decision that has a significant effect on them.

    Such requests must be actioned promptly and completed within one month.

  12. Complete a Data Protection Impact Assessment Screening Questionnaire as part of all business change, scheduled projects or business activities that involve new or significant changes to the way Personal Data is intended to be processed.
  13. Complete Data Privacy Impact Assessments for processing that has been identified as having high inherent risks to the privacy rights and freedoms of individuals to ensure the risks can be managed to an acceptable level or a decision made as to the appropriateness of the proposed processing. 
  14. Share Personal Data where it is lawful and appropriate to do so. We aim to adhere to the Information Commissioner’s recommendations and ensure all regular sharing with third parties is covered under a written agreement or contract and keep a record of all ad hoc sharing so we know what personal data has been shared, when, why and with whom. If you receive a request to share or disclose Personal Data, please forward the request to the Data Protection Office at [email protected], so it can be logged, tracked and advice given before the sharing takes place.
  15. Register the restricted transfers of Personal Data to third countries and carry out the appropriate data transfer risk assessments. Restricted transfers apply to the transfer of personal data to countries that do not have a data protection adequacy agreement with the UK, and also include situations where a third party can access BBB data from countries that do not have a UK adequacy agreement.
  16. Ensure contracts with third party suppliers and delivery partners are compliant with data protection and security requirements with appropriate due diligence, data processing clauses and agreements, risk assessments and audits to protect the Personal Data throughout the contract period and make appropriate provisions for the return, retention or disposal at the end of the contract. 
  17. Ensure appropriate organisational and technical measures are in place, within the Bank and its third party contractors and delivery partners, to protect the Bank from Personal Data breaches that may result in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, and help ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services as well as the ability to restore Personal Data in a timely manner. 
  18. Retain Personal Data for only as long as we need to and delete or destroy Personal Data in a timely and secure manner in line with the Bank’s Record Retention Schedule and / or the Record of Processing Activities.
  19. Mandate that all Employees (and authorised users) complete the Bank’s data protection and information security training within one month of their start date and again as part of the annual training programme. The training content will be reviewed every year and updated accordingly.
  20. Report personal data breaches via the Bank’s Incident Portal to help determine if the Data Protection Officer must notify the Information Commissioner within the statutory timescale of 72 hours and / or the affected data subjects. 
  21. Manage complaints about the handling of Personal Data in line with the Bank’s Complaints Handling procedure.

3.3 Record keeping

Data protection accountability relies on good record keeping, so that the Bank can evidence or reflect on its actions and decisions and demonstrate compliance with the law.

4. Roles and Responsibilities 

4.1 All Colleagues

Data Protection is everyone’s responsibility. All colleagues are required to adhere to this policy to help comply with data protection law and to enable the Bank to meet its data protection obligations. 

4.2 Data Owners 

The Data Owner role is defined in the Data Management Policy. For the purpose of this Policy, Data Owners are responsible for the Personal Data within their respective business areas and for ensuring its integrity, confidentiality, availability and overall protection.

4.3 Data Stewards 

The Data Steward role is defined in the Data Management Policy. Data Stewards act on behalf of the Data Owners and, for the purpose of this Policy, take an active role in protecting Personal Data by contributing to the creation and maintenance of key records such as the Records of Processing Activity, Data Protection Impact Assessments, Data Sharing Agreements and Privacy Notices.

4.4 Risk Champions 

Risk Champions review the Business Area risks via the Risk Control Self-Assessment (RCSA) process to help identify and manage information risks, including data protection risks, to an acceptable level on behalf of the Data Owner. 

4.5 Board Risk Committee (BRC)

The BRC is the approval body for this Policy and is responsible for its review and approval on a bi-annual basis or whenever major changes are submitted.

4.6 Executive Committee

The BRC has delegated responsibility to the Executive Committee to provide management oversight regarding the implementation of this Policy and to recommend necessary changes.

4.7 Chief Operating Officer 

The Chief Operating Officer is the Policy owner and custodian for the development and endorsement of this Policy.

4.8 Data Protection Officer (DPO)

The Bank is required to appoint a DPO to help the Bank fulfil its data protection obligations by: 

  • Informing and advising on our data protection obligations
  • Monitoring our compliance with data protection laws
  • Raising awareness and providing data protection training
  • Advising on Data Protection Impact Assessments (DPIA)
  • Liaising with the Information Commissioner’s Office in relation to customer complaints 
  • Reporting any breaches of data protection law and regulations to the ICO
  • Ensuring data protection risks are managed appropriately.

The DPO is not liable for the Bank’s compliance with its data protection obligations; the Bank remains accountable for complying with data protection obligations regardless of whether the DPO is an employee or a contracted third party. 

The DPO is supported by a Data Protection Office which includes support from BBB colleagues as appropriate.

5. Non-Compliance

This Policy sets out what we expect from you to ensure BBB complies with applicable laws and regulations.

The Bank’s failure to comply with data protection law, either deliberately or accidentally, can have significant consequences for the data subjects whose data has been processed and for the organisations that processed the Personal Data. Data subjects have the right to receive compensation (GDPR Article 82), and the UK’s Supervisory Authority (the Information Commissioner’s Office) has enforcement powers that include issuing monetary fines of up to £17.5 million or 4% of an organisation’s annual turnover (GDPR Article 83) for infringements of certain provisions in the law; see Appendix A for details.

Compliance is mandatory and any breach may lead to disciplinary action, which could result in dismissal, and in some cases, individuals can be prosecuted, see Appendix B.

Operational Control and the Data Protection Officer will monitor compliance with this policy. 

6. Aligned Standards and Procedures

Personal Data is processed in a large number of business activities and therefore features in the majority of business processes, policies, standards and procedures. The list below covers the main documents that will help colleagues comply with this Policy:

  • Data Protection Impact Assessments Standard
  • Data Protection Rights Standard
  • Personal Data Sharing Standard
  • Direct Marketing and PECR Standard (TBC)
  • Data Management Policy (and accompanying standards) 
  • Supplier Management Policy, Procurement and Contracting Standards 
  • Records Management Policy (and accompanying Standard) 
  • Records Retention Schedule 
  • Risk Incident Review Reporting Procedure 
  • Disclosing Personal Data to Third Parties Procedure 
  • Information Classification and Handling Standard 
  • Pseudonymisation and Anonymisation Standard 
  • Information Security Policy 
  • IT Acceptable Use Policy

7. Policy Controls 

The Policy controls are visible here: Data Protection Policy Controls - Power BI

8. Definition of Terms

Anonymisation

The process of removing personal identifiers, both direct and indirect, that may lead to an individual being identified.

Automated Decision Making (ADM)

A decision based solely on Automated Processing (including profiling) which produces legal effects or significantly affects an individual. The GDPR prohibits Automated Decision-Making (unless certain conditions are met), but not Automated Processing.

Consent

Agreement, which must be freely given, specific, informed and an unambiguous indication of the Data Subject’s wishes, by which they, by a statement or by a clear positive action, signify agreement to the Processing of Personal Data relating to them.

Controller

The person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR. BBB are the Controller of all Personal Data relating to BBB Colleagues and Personal Data used in BBB business for BBB’s own commercial purposes.

Criminal Offence Data

Defined in Article 10 of the GDPR and section 11(2) of the DPA 2018 as personal data relating to criminal convictions and offences, including personal data relating to criminal allegations and proceedings. Collectively referred to as criminal offence data.

Data Availability

Means that authorised users can access the Personal Data when they need it for authorised purposes.

Data Confidentiality

Means that only people who have a need to know and are authorised to use the Personal Data can access it.

Data Integrity

Means that Personal Data is accurate and suitable for the purpose for which it is processed.

Data Privacy Impact Assessment (DPIA)

Tools and assessments used to identify and reduce risks of a data processing activity. DPIA can be carried out as part of Privacy by Design and should be conducted for all major system or business change programs involving the Processing of Personal Data.

Data Protection Act 2018 (DPA)

The UK has implemented the DPA to give effect to and supplement the General Data Protection Regulation.

Data Subject

A living identified or identifiable individual about whom BBB holds Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

General Data Protection Regulation (GDPR)

GDPR ((EU) 2016/679). Personal Data is subject to the legal safeguards specified in the GDPR, see also UK GDPR.

Joint Controller

Multiple persons or organisations that jointly determine when, why and how to process Personal Data. They are responsible for establishing practices and policies in line with the GDPR. BBB are the Controller of all Personal Data relating to BBB Colleagues and Personal Data used in BBB business for BBB’s own commercial purposes. A joint controller relationship may occur when personal data is used by another party; for example, SUL Finance Partners are a joint data controller with BBB.

Overseas Processing and Adequacy Agreements

The Information Commissioner has deemed it safe to process personal data in the following countries: EU Member States: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.

EEA states: Iceland, Norway and Liechtenstein.

Adequacy arrangements: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. Please note this list may change, so for the most up to date list see the ICO website at International data transfers | ICO.

Personal Data Breach

Any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that we or BBB third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

Privacy by Design

Implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.

Privacy Notices (also referred to as Fair Processing Notices)

Separate notices setting out information that may be provided to Data Subjects when the BBB collects information about them. These notices may take the form of general privacy statements applicable to a specific group of individuals (for example, employee privacy notices or the website privacy policy) or they may be stand-alone, one-time privacy statements covering Processing related to a specific purpose.

Processing or Process

Any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.

Processor

A processor is an entity or individual that processes personal data in accordance with a data controller’s written instructions.

Pseudonymisation or Pseudonymised

Replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms, so that the person to whom the data relates cannot be identified without the use of additional information, which must be kept separately and securely.

Records of Processing Activity (ROPA)

This document details all activities where BBB processes personal data. This includes where the personal data comes from, the lawful basis for processing, who this data is shared with and where it is stored.

Special Category Personal Data (SC-PD)

Defined in Article 9(1) of the GDPR and section 35(8) of the DPA 2018 as information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.

UK GDPR

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 retain the EU GDPR after the Brexit transition and create the UK GDPR, which sits alongside an amended version of the Data Protection Act 2018. The key principles, rights and obligations remain the same, but there are implications for the rules on transfers of personal data between the UK and the EEA.

9. Further Information 

For further information about data protection, see Data Protection Office (british-business-bank.co.uk). 

If you have any data protection queries or concerns you can contact Operational Control at [email protected]

10. Version control

11. Appendix A: Administrative Fines and Penalties

The GDPR provides for fines on organisations for non-compliance at the lower and higher thresholds listed below. The Data Protection Act 2018 mirrors these thresholds, and the UK Regulator, the Information Commissioner’s Office, can impose the relevant fines for non-compliance in relation to the handling of personal data in the UK.

Lower Administrative Fine = a fine of up to £8.7 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

Higher Administrative Fine = a fine of up to £17.5 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

GDPR Article No. | Article Title | Administrative fine
5 | Principles relating to personal data processing | Higher
6 | Lawful Basis for Processing | Higher
7 | Conditions for consent | Higher
9 | Processing of special categories of personal data | Higher
12 | Transparency and communication in relation to data subject rights | Higher
13 | Providing information to data subjects when data is first collected | Higher
14 | Providing information to data subjects when data is collected via third parties | Higher
15 | Right of access by the data subject | Higher
16 | Right to rectification | Higher
17 | Right to erasure (“right to be forgotten”) | Higher
18 | Right to restriction of processing | Higher
19 | Communicate rectification, erasure or restriction requirements to third party recipients | Higher
20 | Right to data portability | Higher
21 | Right to object | Higher
22 | Automated individual decision-making, including profiling | Higher
11 | Processing not requiring identification | Lower
25 | Data protection by design and by default | Lower
26 | Joint controllers | Lower
28 | Processor | Lower
29 | Processing under the authority of the controller or processor | Lower
30 | Records of processing activities | Lower
31 | Cooperation with the supervisory authority | Lower
32 | Security of processing | Lower
33 | Notification of a personal data breach to the supervisory authority | Lower
34 | Communication of a personal data breach to the data subject | Lower
35 | Data protection impact assessment | Lower
36 | Prior consultation | Lower
37 | Designation of the data protection officer | Lower
38 | Position of the data protection officer | Lower
39 | Tasks of the data protection officer | Lower

DPA 2018 Section No. | Section Title | Penalty
155 | Non-compliance with the Information Commissioner’s notices | Higher
158 | Non-compliance with the Information Commissioner’s fees | Maximum of £4,350
170 | Unlawful obtaining of personal data (e.g. without Controller consent) | Possible prosecution
171 | Knowingly or recklessly re-identifying de-identified personal data | Possible prosecution
173 | Alteration, etc. of personal data to prevent disclosure to a data subject | Possible prosecution

12. Appendix B: Appropriate Policy Document for processing special category and criminal offence data

Introduction

The Data Protection Act 2018 (DPA 2018) outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing special category (SC) and criminal offence (CO) data under certain specified conditions.

If we rely on the substantial public interest condition in Article 9(2)(g) of the General Data Protection Regulation (GDPR) to process special category or criminal offence data, we also need to meet one of the 23 substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018, many of which require an APD. 

The APD is intended to complement the Record of Processing Activity (GDPR Inventory) and to:

  1. describe what special category or criminal offence data is processed
  2. confirm what Schedule 1 conditions are used
  3. explain the procedures that are in place to comply with the data protection principles
  4. confirm what retention and erasure policies are in place

Description of the special category data and criminal offence data processed

The Bank processes Personal Data about businesses and companies, which includes sole traders, representatives and associates and directors, as well as Personal Data about our past, present and prospective delivery partners, suppliers, contractors, interns, employees and non-executive directors, complainants and requesters (for information).  

The Personal Data processed depends on the business activity and our relationship with the data subject, but may include name, address, contact details, bank accounts, payment details, background checks, criminal offence data, racial and ethnicity data, sexual orientation, religious and philosophical beliefs, and health data.

Data Protection Act 2018 Schedule 1 condition for processing

The table below shows the Schedule 1 conditions that BBB rely on that require an Appropriate Policy Document to process special category data and criminal offence data: 

DPA 2018 Schedule 1 | Description of condition | Data likely to be processed | Processing Activities
1. Employment, social security and social protection | Processing necessary in connection with the laws of employment, social security and social protection. | Racial or ethnic origin; religious or philosophical beliefs; health; sexual orientation | Assess eligibility for services or benefits; assess employee health and wellbeing; equalities and equal opportunities
6. Statutory and government purposes | Processing necessary for the exercise of a function conferred on a person by enactment or rule of law or the exercise of a function of the Crown, a Minister or a government department. | Health | Report and investigate accidents and incidents at the workplace
7. Administration of justice and parliamentary purposes | Processing necessary for the administration of justice. | Racial or ethnic origin; religious or philosophical beliefs; health; sexual orientation; criminal offence | Prepare or conduct legal defence or proceedings
8. Equality of opportunity or treatment | Processing necessary for identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people, with a view to enabling equality to be promoted or maintained at a group, not individual, level. | Racial or ethnic origin; religious or philosophical beliefs; health; sexual orientation | Comply with the Equality Act 2010 through customer or employee surveys, consultations, etc.
10. Preventing or detecting unlawful acts | Processing necessary to prevent or detect an unlawful act or unlawful failure to act. | Criminal offence | Investigate allegations or suspicions of misconduct; conduct Know Your Customer due diligence; conduct background verification on customers (e.g. Start Up Loan applications); investigate allegations or suspicions under the Bribery Act 2006, Fraud Act 2010 or Money Laundering Regulations
14. Preventing fraud | Processing carried out to protect public money and prevent and detect fraud. | Criminal offence | Investigate allegations or suspicions under the Bribery Act 2006, Fraud Act 2010 or Money Laundering Regulations
15. Suspicion of terrorist financing or money laundering | Processing necessary for certain disclosures made under the Terrorism Act 2000 and Proceeds of Crime Act 2002. | Criminal offence | Disclosing information in relation to money laundering and terrorist financing

Procedures for ensuring compliance with the principles

The Data Protection Policy sets out our approach to handling Personal Data, which also applies to our processing of special category data and criminal offence data, and how we intend to comply with the data protection principles of accountability, lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (security). 

Retention and erasure policies 

The Records Retention Policy and accompanying Record Retention Schedule set out our approach to the retention and disposal of Personal Data, which also covers special category data and criminal offence data.