GDPR Compliance
How The British Fire Consortium meets its obligations under the UK General Data Protection Regulation.
Effective date: 1 January 2025
1. Our Commitment
The British Fire Consortium ("BFC") is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take the privacy and security of personal data seriously and have implemented appropriate measures to ensure that all data is processed lawfully, fairly, and transparently.
The UK GDPR applies to the processing of personal data of individuals in the United Kingdom. It sets out principles for data processing, rights for data subjects, and obligations for organisations that handle personal data.
2. Data Protection Principles
In accordance with Article 5 of the UK GDPR, we adhere to the following data protection principles when processing personal data:
- Lawfulness, fairness, and transparency: data is processed lawfully, fairly, and in a transparent manner
- Purpose limitation: data is collected for specified, explicit, and legitimate purposes and is not processed in a manner incompatible with those purposes
- Data minimisation: data collected is adequate, relevant, and limited to what is necessary
- Accuracy: data is accurate and, where necessary, kept up to date
- Storage limitation: data is kept in a form that permits identification of data subjects for no longer than necessary
- Integrity and confidentiality: data is processed in a manner that ensures appropriate security
- Accountability: we are responsible for, and able to demonstrate compliance with, these principles
3. Lawful Basis for Processing
We only process personal data where we have a lawful basis to do so under Article 6 of the UK GDPR. The table below sets out the lawful bases we rely on for our core processing activities:
| Processing Activity | Lawful Basis |
|---|---|
| Managing membership applications and renewals | Performance of a contract |
| Processing training bookings and certifications | Performance of a contract |
| Sending essential membership communications | Legitimate interests |
| Sending marketing and promotional emails | Consent |
| Processing payments | Performance of a contract |
| Displaying member logos on our website | Legitimate interests / Consent |
| Responding to enquiries and providing support | Legitimate interests |
| Maintaining financial records | Legal obligation |
| Website analytics and cookies | Consent |
4. Your Rights Under UK GDPR
The UK GDPR provides data subjects with a number of rights. As a data subject, you have the right to:
- Be informed (Articles 13 & 14) — understand how your data is collected and used
- Access (Article 15) — obtain a copy of the personal data we hold about you
- Rectification (Article 16) — have inaccurate personal data corrected
- Erasure (Article 17) — request deletion of your data in certain circumstances (the "right to be forgotten")
- Restrict processing (Article 18) — request that we limit how we process your data
- Data portability (Article 20) — receive your data in a portable, machine-readable format
- Object (Article 21) — object to processing based on legitimate interests or direct marketing
- Not be subject to automated decision-making (Article 22) — we do not carry out automated decision-making or profiling
We aim to respond to all rights requests within one calendar month, as required by the UK GDPR. In certain circumstances, we may extend this period by a further two months where requests are complex or numerous.
5. Data Protection Impact Assessments
Where processing activities are likely to result in a high risk to the rights and freedoms of individuals, we carry out Data Protection Impact Assessments (DPIAs) in accordance with Article 35 of the UK GDPR. This helps us to identify and mitigate potential privacy risks before they arise.
6. Data Breach Procedures
In the event of a personal data breach, we will:
- Assess the severity and scope of the breach
- Notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms, as required under Article 33
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required under Article 34
- Document the breach and the steps taken to address it
7. International Transfers
We do not routinely transfer personal data outside the United Kingdom. In the unlikely event that an international transfer is required, we will ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, such as Standard Contractual Clauses (SCCs) or an adequacy decision.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our standard retention periods are:
- Membership records: duration of membership plus 6 years
- Training and certification records: retained in accordance with accrediting body requirements
- Financial records: 6 years (in line with HMRC requirements)
- Enquiry correspondence: 2 years from the date of last contact
- Marketing consent records: retained until consent is withdrawn
9. Technical & Organisational Measures
In accordance with Article 32 of the UK GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These include:
- Secure hosting and encrypted data transmission (SSL/TLS)
- Access controls and role-based permissions
- Regular review of security practices
- Staff and volunteer awareness of data protection responsibilities
- Secure disposal of personal data when no longer required
10. Contact & Complaints
If you wish to exercise any of your rights, have questions about our GDPR compliance, or wish to make a complaint, please contact us:
Email: info@britishfireconsortium.com
Address: The British Fire Consortium, United Kingdom
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113