Privacy Statement
About Us
The Association of MBAs and Business Graduates Association (AMBA & BGA) is the impartial authority on postgraduate management education and is committed to raising its profile and quality standards internationally for the benefit of business schools, students and alumni and employers. AMBA established that vision in 1967 and it’s as relevant today as it was almost 50 years ago.
The Business Graduates Association is an international membership and quality assurance body of world-leading and high-potential Business Schools who share a commitment for responsible management practices and lifelong learning, and are looking to provide positive impact on their students, communities, and the economy as a whole.
Students and graduates of BGA member, validated and accredited Schools may join BGA as individual members.
We also provide guidance and advice to students and graduates, and connect employers and suppliers of services to the Higher Education industry with our member schools and individuals.
Our GDPR Owner and data protection representatives can be contacted directly here:
- Catherine Walker, Finance & Commercial Director (c.walker@associationofmbas.com)
- Association of MBAs & Business Graduates Association, 25 Hosier Lane, London, EC1A 9LQ
Updates to this privacy statement
This privacy statement is regularly reviewed. This current version was published in May 2018 to coincide with the EU’s General Data Protection Regulation (GDPR), and updated on 8 November, 2019.
Personal data
Under the GDPR personal data is defined as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
How and why does AMBA & BGA need to collect and store personal data?
This privacy statement tells you how we, AMBA & BGA, will collect and use your personal data. In order for us to provide you with the relevant service(s) we need to collect personal data for correspondence purposes and/or detailed service provision. In any event, we are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.
Will AMBA & BGA share my personal data with anyone else?
We may pass your personal data on to third-party service providers contracted to AMBA & BGA in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only to fulfil the service they provide you on our behalf or directly to us. When they no longer need your data to fulfil this service, they will dispose of the details in line with AMBA & BGA’s procedures. If we wish to pass any sensitive personal data onto a third party we will only do so once we have obtained your consent, unless we are legally required to do otherwise.
We use Dotmailer, a UK-hosted third party provider operated by Dotdigital to send and manage our email communications which is certified as adhering to the EU-US Privacy Shield. Please note that Dotdigital is a third-party service that is not owned or managed by AMBA & BGA. This privacy policy only refers to the way AMBA & BGA will use your information. You should refer to Dotdigital’s privacy policy we do not accept any responsibility or liability for their policies. We are reviewing our email service provider arrangements.
When we send you email communications, we monitor whether you have opened the communication and clicked on any included links, using industry standard technology. This will enable us to track and analyse your level of engagement/interest in the communication we are sending you and will provide us with further insight on what type of communications are most of interest to you.
How will AMBA & BGA use the personal data it collects about me?
AMBA & BGA will process (collect, store and use) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR). We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.
We do not carry out automated decision making or profiling.
How long will AMBA & BGA hold the information for?
AMBA & BGA is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. AMBA & BGA will process and store personal data for as long as it remains necessary for the identified purpose or as required by law, which may extend beyond the termination of our relationship with you.
Under what circumstances will AMBA & BGA contact me?
Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. We endeavour to contact you only with information relevant to you.
Can I find out the personal data that the organisation holds about me?
AMBA & BGA at your request, can confirm what information we hold about you and how it is processed. If AMBA & BGA does hold personal data about you, you can request the following information:
- Identity and the contact details of the person or organisation that has determined how and why to process your data.
- Contact details of the data protection officer, where applicable.
- The purpose of the processing as well as the legal basis for processing.
- If the processing is based on the legitimate interests of AMBA & BGA or a third party, information about those interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, we will ensure there are specific measures in place to secure your information.
- How long the data will be stored.
- Details of your rights to correct, erase, restrict or object to such processing.
- Information about your right to withdraw consent at any time.
- How to lodge a complaint with the supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.
What forms of ID will I need to provide in order to access this?
AMBA & BGA accepts the following documentation as proof of ID when information on your personal data is requested:
- Signed passport
- Signed driving licence
Your ID will only be used to verify who you are and will not be stored or kept in our database.
Your rights as a data subject
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
- Right to judicial review: in the event that refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 3.6 below.
Complaints
In the event that you wish to make a complaint about how your personal data is being processed by AMBA & BGA (or third parties as described in above), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and AMBA & BGA’s data protection representatives.
The details for each of these contacts are:
| Supervisory authority contact details | AMBA Data Protection Owner contact details |
Contact Name: | Information Commissioner’s Office | Catherine Walker |
Address line 1: | Wycliffe House | Association of MBAs & Business Graduates Association |
Address line 2: | Water Lane | 25 Hosier Lane |
Address line 3: | Wilmslow | London |
Address line 4: | Cheshire | EC1A 9LQ |
Address line 5: | SK9 5AF | |
Email: | casework@ico.org.uk | c.walker@associationofmbas.com |
Telephone: | 01625 545 745 | 02072462686 |
Read more about how and why we use your data by expanding the section(s) relevant to you below:
Website Visitors
Event Registrants
Prospective students and graduates registered with AMBA & BGA
BGA members (students and graduates)
Website Visitors
We use Google’s suite (analytics (GA), search console, tags and ads) to track site user interaction and to provide a better experience for our website users. We have Google codes installed on our site which creates one or more text files on your computer (called a “cookie”). The cookies contain an ID number which is used to uniquely identify your browser and track each element of our website you visit that has a google code enabled.
We use this data to determine the number of people using our site and to better understand how they find and use our web pages. With this information we can continually improve the information that we provide on our site and the processes for actions such as event and member registration. We can also use it to increase the number of new people finding our site, and help those who have already visited our site, find interesting material easily on the internet
Google Analytics, Search Console, Tags and Ads stores the following data:
- Time of visit, pages visited, and time spent on each page of the webpages
- Interactions with site-specific widgets
- Referring site details (such as the URL a user came through to arrive at this site)
- Type of web browser
- Type of operating system (OS)
- Flash version, JavaScript support, screen resolution, and screen colour processing ability
- Network location and IP address
- Document downloads
- Clicks on links leading to external websites
- Errors when users fill out forms
- Clicks on videos
- Scroll depth
Google also collects information about you from its Doubleclick tracking and profiling service, from ad-supported apps on your Android or iOS device, from your YouTube and Gmail activity and from your Google account. This data is put together and used to make inferences about your age, gender, interests, hobbies, shopping habits and living circumstances.
Your rights
If you already have Google cookies, they will be updated with the latest information about your visit to the site.
As we cannot access any personal data about you ourselves, we are not the Data Controller for your Google’s suiteor Doubleclick profile data. You would need to contact Google directly for this information.
You have the right to object to this tracking and to stop it happening.
How do I prevent being tracked by Google Analytics, and other google tools?
If you are uncomfortable with this tracking, you can take the following actions:
We use LinkedIn tracking to track site user interaction and provide relevant material to users who have already visited our website. We have a LinkedIn code installed on our site which creates one or more text files on your computer (called a “cookie”).
The cookies contain an ID number which is used to uniquely identify your browser and track each element of our website you visit that has a LinkedIn code enabled. We use this data to retarget previous site users with material that is relevant to them, given the webpages that they’ve visited that contain a LinkedIn code.
LinkedIn codes on our site store the following data:
- Time of visit and pages visited,
- Type of web browser
- Type of operating system (OS)
- Network location and IP address
As we cannot access any personal data about you ourselves, we are not the Data Controller for your LinkedIn profile data. You would need to contact LinkedIn directly for this information.
You have the right to object to this tracking and to stop it happening.
How do I prevent being tracked by LinkedIn?
If you are uncomfortable with this tracking, you can take the following actions:
• Use a tracking-blocker, such as Privacy Badger
• Clear cookies after every browsing session
• Opt-out
The personal data we may process on you is:
Personal data type: | Source |
Network location and IP address | Google and LinkedIn as outlined above |
Inferred age range and gender | Google and LinkedIn as outlined above |
The personal data we collect will be used for the following purposes:
- To improve the information that we provide on our site
- To improve the processes for actions such as event and member registration
- To increase the number of new people finding our site
Our legal basis for processing the personal data:
- Our legitimate interests (see ‘How we define our Legitimate Interests’ below)
For further information, see our Cookie Policy and Website Terms of Use.
Event Registrants
Depending on the type of event, we either use our own website (www.businessgraduatesassociation.com), a third party platform called ‘EventsForce’, or a third party platform called ‘GoToWebinar’ to process event bookings.
In all cases we use a third party email platform called ‘Dotmailer’ to communicate with our event registrants, and we may also communicate with Webinar registrants via the GoToWebinar platform.
If you are a speaker at an AMBA & BGA event, we will publicly promote your involvement via Twitter, LinkedIn, Facebook and Instagram and emails to our members and contacts. This data may continue to be processed by those platform providers after the event has ended.
Bookings on www.businessgraduatesassociation.com:
The personal data we may process on you is:
Business contact details eg email address/phone number/postal address
Personal data type: | Source |
Name | Event registration form on www.businessgraduatesassociation.com |
Job Title & Company or Business School name | Event registration form on www.businessgraduatesassociation.com |
Business contact details eg email address/phone number/postal address | Event registration form on www.businessgraduatesassociation.com |
Dietary and/or special assistance requirements where applicable | Event registration form on www.businessgraduatesassociation.com |
The personal data we collect will be used for the following purposes:
- To administer your event attendance, ie raise invoices, provide event materials such as badges and delegate lists, inform caterers of dietary requirements etc.
- To analyse event attendance and interest, eg to identify booking patterns based on attendee area of responsibility or geographic area.
-
- Contacting you by phone or email to market our services and future events to you as a professionally relevant individual.
- Your data will only be used where the product or service might be relevant to you in your professional capacity.
Our legal basis for processing for the personal data:
- Our legitimate interests (see ‘How we define our Legitimate Interests’ below)
- Performance of a contract (ie to run the event which you have booked to attend)
The special categories of personal data concerned are:
- Health data – ie dietary requirements, where applicable
Disclosure
AMBA & BGA will pass on your personal data to further third parties as necessary to administer your event attendance, such as caterers or event hosts if you have particular dietary requirements, printers of event materials such as delegate lists and badges (where applicable), and fellow event attendees (in the form of the delegate list).
AMBA & BGA will also pass on your personal data to trusted Partners and Sponsors of the respective events in the form of a delegate list. Attendees have the option to opt in to their inclusion of the delegate list during the booking process.
Bookings via Eventsforce:
Please note that Eventsforce is a third-party service that is not owned or managed by AMBA & BGA. This privacy policy only refers to the way AMBA will use your information. You should refer to Eventsforce’s privacy policy as we do not accept any responsibility or liability for their policies.
Eventsforce is based in the UK, which is recognized by a European Commission adequacy decision as providing an adequate level of data protection. For further details, please see the European Commission website
The personal data we may process on you is:
Personal data type: | Source |
Name | Eventsforce event registration form |
Professional details and/or Business School name | Eventsforce event registration form |
Business School programme details | Eventsforce event registration form |
Contact details eg email address/phone number/full or partial address | Eventsforce event registration form |
Nationality and country of residence | Eventsforce event registration form |
Date of Birth and gender | Eventsforce event registration form |
Dietary and/or special assistance requirements where applicable | Eventsforce event registration form |
The personal data we may process on you is:he personal data we collect may be used for the following purposes:
- To administer your event attendance, i.e. raise invoices, provide event materials such as badges and delegate lists, inform caterers of dietary requirements etc.
- To analyse event attendance and interest, eg to identify booking patterns based on attendee area of responsibility or geographic area.
- Where applicable, to activate your membership of AMBA or update your record on our member database (see “AMBA Members (students & graduates)” section of this Privacy Policy for further details)
- Contacting you by phone or email to market our services and future events to you as a professionally relevant individual.
- Your data will only be used where the product or service might be relevant to you in your professional capacity.
Our legal basis for processing for the personal data:
- Our legitimate interests (see ‘How we define our Legitimate Interests’ below)
- Performance of a contract (ie to run the event which you have booked to attend)
The special categories of personal data concerned are:
- Health data – ie dietary requirements where applicable
Disclosure
AMBA will pass on your personal data to further third parties as necessary to administer your event attendance, such as caterers or event hosts if you have particular dietary requirements, printers of event materials such as delegate lists and badges (where applicable), and fellow event attendees (in the form of the delegate list).
Bookings via GoToWebinar:
Please note that GoToWebinar is a third-party service run by LogMeIn Inc. that is not owned or managed by AMBA. This privacy policy only refers to the way AMBA will use your information. You should refer to LogMeIn Inc.’s privacy policy as we do not accept any responsibility or liability for their policies.
LogMeIn Inc. operates in the USA and subscribes to the EU-US Privacy Shield, which commits subscribers to adhering to European standards of data protection. For further details, please see:
The personal data we may process on you is:
Personal data type: | Source |
Name | GoToWebinar event registration form |
Email address | GoToWebinar event registration form |
The personal data we collect may be used for the following purposes:
- To administer your event attendance, ie provide link to attend live webinar, send reminder and follow-up emails
- To identify event attendance and interest.
Our legal basis for processing for the personal data:
- Our legitimate interests (see ‘How we define our Legitimate Interests’ below)
- Performance of a contract (ie to run the event which you have booked to attend)
Prospective students and graduates registered with AMBA & BGA
The personal data we may process on you is:
Personal data type: | Source |
Name | Registration form or event registration |
Email address | Registration form or event registration |
Employment status/professional information | Registration form or event registration |
Nationality | Registration form or event registration |
Location | Registration form or event registration |
Year of Birth | Registration form or event registration |
Gender | Registration form or event registration |
MBA programme preferences | Registration form or event registration |
The personal data we collect may be used for the following purposes:
- Contacting you by email to share information on our services (eg relevant thought leadership content, and guidance and advice)
Our legal basis for processing for the personal data:
By consenting to this privacy statement you are giving us permission to process your personal data specifically for the purposes identified.
Consent is required for AMBA & BGA to process both types of personal data, but it must be explicitly given. Where we are asking you for sensitive personal data we will always tell you why and how the information will be used.
You may withdraw consent at any time by emailing membership@associationofmbas.com.
BGA members (students and graduates)
Where you have registered as an individual member of BGA, we will process your personal information as set out in this section.
The personal data we may process on you is:
Personal data type: | Source |
Name | Member registration form or event registration |
Email address | Member registration form or event registration |
Telephone Number(s) | Member registration form or event registration |
Professional information | Member registration form or event registration |
Nationality | Member registration form or event registration |
Location/address | Member registration form or event registration |
Year of Birth | Member registration form or event registration |
Gender | Member registration form or event registration |
Programme details ie programme studied and graduation date | Member registration form or event registration |
The personal data we collect will be used for the following purposes:
- To administer your membership, e.g. to provide access to online member resources and to send you information on content, products, events and services to which you are entitled as an BGA member primarily through email communications.
- To understand the make-up of our membership in order to inform membership product development.
- To contact you to conduct our research which informs you and other stakeholders of trends in the MBA landscape.
Our legal basis for processing for the personal data:
- Our legitimate interests (see ‘How we define our Legitimate Interests’ below)
- Contractual (ie to fulfill our contractual obligations to you as a member)
Disclosure
BGA will pass on your personal data to the below third parties as is necessary to service your membership. We do not share your personal information with third parties for commercial purposes.
Our online Career Development Centre is provided by the Abintegro platform, and limited information including your name, email address and BGA membership number is passed through to their systems when you access this resource. For further information, please see Abintegro’s privacy policy and terms of use.
Our Digital Credentials are provided by Accredible and limited information including your name and email address is passed to their systems if you purchase a digital credential. For further information, please see Accredible’s privacy policy. (Valid from 1 January 2021)
Business School Staff and Faculty
Commercial Contacts
Employees and job applicants
Business School Staff and Faculty
We may process personal information necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Where you are a member of staff or faculty at an affiliated member business school within the AMBA & BGA network (ie having accredited programmes or being a member of the AMBA Development Network), we may hold professional contact data about you.
Where you are a professionally relevant contact for our business school services, ie you are a member of staff or faculty at a prospective, or candidate member business school, we may hold professional contact data about you.
The personal data we may process on you is:
Personal data type: | Source |
Name | If not directly from you or from colleagues at your institution, then publicly accessible sources such as LinkedIn, business school websites, business cards, events we have jointly attended, industry referrals etc, or from colleagues on your behalf. |
Job Title & Business School name | If not directly from you or from colleagues at your institution, then publicly accessible sources such as LinkedIn, business school websites, business cards, events we have jointly attended, industry referrals etc, or from colleagues on your behalf. |
Professional contact details eg business school email address/phone number/postal address | If not directly from you or from colleagues at your institution, then publicly accessible sources such as LinkedIn, business school websites, business cards, events we have jointly attended, industry referrals etc, or from colleagues on your behalf. |
Professional information including age, nationality, gender, highest academic qualification, years experience. | Documentation submitted by the business school in the course of the accreditation/reaccreditation process. |
The personal data we collect will be used for the following purposes:
- Contacting you by phone, email or post to market our business school services to you as a professionally relevant individual at a non-member institution.
- In order to maintain our relationships with member institutions and meet our obligations to them, contacting you by phone, email or post to market our specific services available to you as a professionally relevant individual at a member institution (such as conferences, relationship building, further accreditation services, third party suppliers to the HE sector, thought leadership and further online resources and services available to students and graduates of your institutions accredited programmes).
- To contact you to conduct our research which informs you and other stakeholders of trends in the MBA and business education landscape.
- Your data will only be used where the product or service might be relevant to you in your professional capacity.
- Where professional information relating to business school faculty is provided to us by the institution in the course of the accreditation or reaccreditation process, we will use this to assess the institution’s suitability for accreditation against our accreditation criteria (available on our website here), but for no further purpose.
Our legal basis for processing for the personal data:
- Our legitimate interests (see ‘How we define our Legitimate Interests’ below) and
- Contractual obligation (i.e. to provide the services for which the Institution pays)
Commercial Contacts
We may process personal information necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
We may hold business contact data about you if you are a professionally relevant contact for our services, and you are employed in an organisation which is a separate legal entity, or if we have an existing or ongoing business relationship with you or your company.
The personal data we may process on you is:
Personal data type: | Source |
Name | If not directly from you, then publicly accessible sources such as LinkedIn, business school websites, business cards, events we have jointly attended, industry referrals etc, or from colleagues on your behalf. |
Job Title & Company name | If not directly from you, then publicly accessible sources such as LinkedIn, business school websites, business cards, events we have jointly attended, industry referrals etc, or from colleagues on your behalf. |
Business contact details eg email address/phone number/postal address | If not directly from you, then publicly accessible sources such as LinkedIn, business school websites, business cards, events we have jointly attended, industry referrals etc, or from colleagues on your behalf. |
The personal data we collect will be used for the following purposes:
- Contacting you by phone or email to market our services to you as a professionally relevant individual.
- Your data will only be used where the product or service might be relevant to you in your professional capacity.
- Where we have an ongoing business relationship, the information will be used in order to carry out any contractual obligations and maintain our relationship with you.
Our legal basis for processing for the personal data:
- Our legitimate interests (see ‘How we define our Legitimate Interests’ below)
Employees and job applicants
If you apply to work at AMBA & BGA, we will only use the information you give us to process your application.
If you are unsuccessful in your job application, we will hold your personal information for 6 months after we’ve finished recruiting the post you applied for. After this date we will destroy or delete your information.
If you are successful, as your employer the Association of MBAs & Business Graduates Association needs to keep and process information about you for normal employment purposes. As part of our pre-employment checks we require references covering the previous five-year period, in addition to proof of qualifications and proof of eligibility to work in the UK.
The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left. This includes using information to enable us to comply with your employment contract, to comply with any legal requirements, pursue the legitimate interests of the Charity and protect our legal position in the event of legal proceedings.
For further information and the full Privacy Notice for Employees, please contact the Data Protection Owner or the HR representatives.
How we define our legitimate interest
Professionally relevant individuals.
We may rely on legitimate interest as the legal basis for processing where this is not overridden by your interests and rights or freedoms.
We have therefore conducted a Legitimate Interest Test which includes the following considerations:
- The relationship between ourselves and you as the data subject
- The sensitivity of the personal data involved
- The reasonable expectations we think you have
- Whether you’d be likely to object to the processing or find it intrusive
- Any vulnerability you may have
- How big an impact could this processing have on you as an individual
- The safeguards we have in place to minimise the risk and impact of a breach
- Whether a mechanism exists via which you can challenge our assessment
The Purpose Test
We consider that we have a legitimate interest in carrying out a business in favour of the well-being of all our employees and shareholders. This is enshrined in the EU Charter of Human Rights – Article 16 – Freedom to conduct a business. For customers and prospective customers, identified as working for legal entities and whom we consider are professionally relevant post holders; we consider we have a legitimate interest to process your data for the purposes of marketing of products and services. This purpose is supported by Recital 47 of the GDPR which states that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”
We believe that professionals rely on being kept up to date about products or services to help them achieve their business objectives. Direct marketing is generally seen as an important tool to facilitate this. However, we will always respect your wishes, if you’re the recipient of our marketing.
The Balancing Test
A balancing test has been undertaken to compare our legitimates interests and the interests or fundamental rights and freedoms of prospective customers who require protection of their personal data,
We will only process personal data if we have determined that our services are ‘professionally relevant’ to you and your organisation. Material that we send to you may be relevant based on your profile, because of the type, size or location of the organisation that you work in, or because you are the right post-holder for a certain set of decisions based on factors like your role, seniority, and responsibilities.
We believe that the recipients of our marketing have a reasonable expectation that we as a Controller will process their Personal Data. The data we may hold on recipients originates from primary research by our research team, publicly available material held on websites, events we have jointly attended, personal data we have captured via business cards or similar interaction, referrals from other organisations, or from your colleagues.
The personal data we hold is limited and in addition is never sensitive data, and in most cases exists in the public domain.
Our assessment has taken into consideration the security measures that AMBA & BGA has in place based on the ISO27001 framework combined with the safeguards we have put in place through the implementation of the British Standard BS10012:2017 – Personal Information Management Framework delivering readiness to GDPR. Outputs of this framework include, but are not limited to:
- Data Protection Impact Assessments as standard
- data minimisation
- de-identification
- technical and organisational measures
- privacy by design and default
- adding extra transparency
- additional layers of encryption
- multi-factor authentication
- data retention limits
- restricted access
- opt-out options
- anonymisation
- encryption, hashing, salting
- other technical security methods used to protect data
Our conclusion is that the likelihood of impact and the severity of negative impact or distress of the data processing we undertake is negligible.
However, we want to respect your wishes about how and if you are contacted. On occasion we will contact you to verify your position, check how you would prefer to receive direct marketing, whether by post, by phone or by email and to remind you of your rights via our latest privacy statement. You may of course tell us you do not wish to be contacted at all, and we will respect your wishes, add you to a suppression list, and not contact you again. If you feel we are not being fair with you, please tell us. We would like to correct this. You may also complain to the UK regulator, Information Commissioners Office (www.ico.org.uk).
Private Individuals
We may rely on legitimate interest as the legal basis for processing where this is not overridden by your interests and rights or freedoms.
We have therefore conducted a Legitimate Interest Test which includes the following considerations:
- The relationship between ourselves and you as the data subject
- The sensitivity of the personal data involved
- The reasonable expectations we think you have
- Whether you’d be likely to object to the processing or find it intrusive
- Any vulnerability you may have
- How big an impact could this processing have on you as an individual
- The safeguards we have in place to minimise the risk and impact of a breach
- Whether a mechanism exists via which you can challenge our assessment
The Purpose Test
We consider that we have a legitimate interest in carrying out a business in favour of the well-being of all our employees and shareholders. This is enshrined in the EU Charter of Human Rights – Article 16 – Freedom to conduct a business.
Moreover, as a membership body, we consider that we have a legitimate interest in holding the personal information of individuals who have signed up to BGA membership, and that this is essential for the provision of membership services.
The Balancing Test
A balancing test has been undertaken to compare our legitimates interests and the interests or fundamental rights and freedoms of individuals who require protection of their personal data,
We believe that BGA members, prospective students registered with BGA, and event registrants have a reasonable expectation that we as a Controller will process their Personal Data. The data we may hold on these individuals originates from registration forms filled out by the individual him or herself or from online analytics such as Google Analytics.
The personal data we hold is limited and is not sensitive data.
Our assessment has taken into consideration the security measures that BGA has in place based on the ISO27001 framework combined with the safeguards we have put in place through the implementation of the British Standard BS10012:2017 – Personal Information Management Framework delivering readiness to GDPR. Outputs of this framework include, but are not limited to:
- Data Protection Impact Assessments as standard
- data minimisation
- de-identification
- technical and organisational measures
- privacy by design and default
- adding extra transparency
- additional layers of encryption
- multi-factor authentication
- data retention limits
- restricted access
- opt-out options
- anonymisation
- encryption, hashing, salting
- other technical security methods used to protect data
Our conclusion is that the likelihood of impact and the severity of negative impact or distress of the data processing we undertake is negligible.
However, we want to respect your wishes. If you feel we are not being fair with you, please tell us. We would like to correct this. You may also complain to the UK regulator, Information Commissioners Office (www.ico.org.uk).