GDPR Compliance Policy
Global Child and Maternal Health (GCMH)
Effective Date: 01/03/2025
1. Introduction
Global Child and Maternal Health (GCMH) is committed to ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines how we collect, process, store, and protect personal data.
2. Scope of the Policy
This policy applies to all personal data processed by GCMH, including but not limited to:
- Employees, volunteers, donors, beneficiaries, and supporters.
- Digital and in-person interactions, including website engagement, fundraising activities, and programme participation.
- Data shared with third parties for service provision.
3. Principles of Data Protection
We adhere to the following principles when processing personal data:
- Lawfulness, Fairness, and Transparency – We process data lawfully and transparently.
- Purpose Limitation – We collect data for specified, explicit, and legitimate purposes.
- Data Minimisation – We only collect necessary and relevant data.
- Accuracy – We keep data accurate and up to date.
- Storage Limitation – We retain data only as long as necessary.
- Integrity and Confidentiality – We ensure data security and protection.
- Accountability – We are responsible for demonstrating compliance.
4. Lawful Basis for Processing Personal Data
We process personal data under the following lawful bases:
- Consent – When individuals give explicit permission (e.g., for newsletters).
- Contractual Obligation – When data is necessary for fulfilling agreements.
- Legal Obligation – To comply with statutory or regulatory requirements.
- Legitimate Interest – When processing is necessary for our operations and does not override individual rights.
5. Individual Rights Under GDPR
Under UK GDPR, individuals have the following rights:
- Right to be Informed – Clear information on how we process data.
- Right of Access – Request a copy of personal data held.
- Right to Rectification – Request corrections to inaccurate data.
- Right to Erasure – Request deletion of personal data (where applicable).
- Right to Restrict Processing – Request limits on data processing.
- Right to Data Portability – Obtain data in a structured format.
- Right to Object – Object to processing based on legitimate interests.
- Rights Related to Automated Decision-Making – Ensure decisions with legal effects are not solely automated.
To exercise these rights, individuals can contact us at [Insert Contact Email].
6. Data Collection and Processing
We collect personal data through:
- Online forms, website interactions, and social media engagement.
- Donation platforms, volunteer applications, and service participation.
- Third-party providers (where legally permitted and necessary).
7. Data Sharing and Third Parties
We may share data with:
- Service providers (e.g., IT systems, payment processors).
- Regulatory authorities (if legally required).
- Partner organisations (with explicit consent when needed).
We ensure all third parties comply with UK GDPR and data protection laws.
8. Data Security Measures
We implement appropriate security measures to protect personal data, including:
- Encryption of sensitive data.
- Secure access controls and authentication protocols.
- Regular data protection training for staff and volunteers.
- Regular data audits and security assessments.
9. Data Retention Policy
We retain data based on the following guidelines:
- Donor and financial records: 6 years (for regulatory compliance).
- Volunteer and employee records: Up to 3 years post-engagement.
- Event and engagement records: 2 years, unless further retention is required.
10. International Data Transfers
If we transfer personal data outside the UK, we ensure:
- Adequate protection mechanisms (e.g., UK Standard Contractual Clauses).
- Compliance with applicable data protection regulations.
11. Data Breach Response Plan
In case of a data breach:
- We assess the nature and impact of the breach.
- We notify affected individuals and relevant authorities within 72 hours (if required).
- We implement corrective measures to prevent future breaches.
- We maintain records of incidents and responses.
12. Data Protection Officer (DPO)
For GDPR-related inquiries or concerns, please contact: [Insert DPO Name]
Email: [Insert Contact Email]
Phone: [Insert Contact Number]
13. Complaints and Reporting
If individuals believe their data has been misused, they may:
- Contact us at hello@globalcmh.org.
- Lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.
14. Policy Review and Updates
This policy is reviewed annually and updated as necessary. The latest version will always be available on our website.
By engaging with GCMH, individuals acknowledge that they have read and understood this GDPR Policy. Continued interaction with our services implies agreement with our data protection practices.