End of Year Accounts and Other BID Documentation

Soho Road BID CIC Statutory Explanatory Notes

SEN letter 2016

SEN Letter 2017

SEN Letter 2018

SEN Letter 2019

SEN Letter 2020
SEN Letter 2021

SEN Letter 2022

SEN Letter 2023

Soho Road BID CIC Annual Plan 

Annual Plan 2017-18

Annual Plan 2018-19

Annual Report 2019-20

Annual Report 2020-21

Annual Report 2021-22

Annual Report 2021-22

Annual Report 2022-23

Annual Report 2023-24

Annual Report 2024-25

Soho Road BID CIC Data Protection & Privacy Notice

New GDPR Soho Rd BID Data Protection Policy

SOHO ROAD BID CIC

 

Data Protection & Information Security Policy

1. Purpose

This Policy sets out how Soho Road Business Improvement District CIC (“the BID”) complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and associated data protection legislation.

The BID is committed to:

• Protecting the personal data of levy payers, businesses, staff, contractors and stakeholders
• Processing personal data lawfully, fairly and transparently
• Preventing personal data breaches
• Responding effectively and proportionately to incidents
• Demonstrating accountability and good governance

2. Status of the BID

The BID acts as a Data Controller in respect of personal data it collects and processes. The Board of Directors retains ultimate accountability for data protection compliance.

3. Scope

This Policy applies to:

• All Board Members
• Employees
• Contractors
• Consultants
• Volunteers
• Third-party service providers processing data on behalf of the BID

4. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data, including collection, storage, sharing, deletion or disclosure.

Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

5. Data Protection Principles

The BID shall comply with the seven principles of UK GDPR:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

All processing must satisfy these principles.

6. Lawful Basis for Processing

The BID processes personal data under one or more of the following lawful bases:

• Legal obligation (e.g. levy administration)
• Public task / legitimate interests (economic development of the BID area)
• Contract (supplier and employment relationships)
• Consent (marketing communications and optional communications channels)

Consent-based communications must:

• Be explicit and recorded
• Be capable of withdrawal at any time

7. Categories of Data Processed

The BID processes personal data relating to approximately 750 businesses within the BID area, including:

• Names of business owners and representatives
• Contact details (email, telephone, address)
• Levy-related information
• Appeals or correspondence records
• Supplier and contractor details

The BID does not routinely process special category data.

8. Data Security Measures

8.1 Organisational Measures

• Role-based access to information
• Confidentiality obligations for Board and staff
• Mandatory annual data protection training
• Clear desk and secure storage procedures
• Documented retention schedule

8.2 Technical Measures

• Password-protected systems
• Two-factor authentication where available
• Secure cloud-based storage
• Encrypted backup systems
• Regular system updates

8.3 Communications Controls

• No bulk disclosure of personal data without lawful basis
• Mandatory double-checking of recipients before sending communications
• Password protection for sensitive attachments
• Restriction on use of informal channels (see Section 9)

9. WhatsApp & Informal Communications Policy

Given previous incident history, the BID adopts the following controls:

1. WhatsApp groups may not be used to disclose personal data unless:
   • There is a lawful basis
   • The Data Lead has approved the communication
2. Names of individuals involved in levy disputes, appeals or objections must not be shared via group channels.
3. Sensitive matters must be handled via secure email.
4. Broadcast messages must not include identifiable personal data.
5. All communications groups must have a named administrator and clear usage rules.

Failure to comply may result in disciplinary or governance action.

10. Personal Data Breach Procedure

10.1 Reporting

All suspected breaches must be reported immediately to the designated Data Protection Lead.

10.2 Containment

The BID will take immediate steps to:

• Stop further disclosure
• Recover information where possible
• Restrict access

10.3 Risk Assessment

The Data Protection Lead will assess:

• Nature of the data involved
• Number of individuals affected
• Potential risk to rights and freedoms

10.4 ICO Notification

The BID will notify the ICO within 72 hours where required by law.

10.5 Communication to Individuals

Where there is a high risk to individuals, they will be informed without undue delay. All decisions shall be documented in a Breach Log.

11. Training

• Induction training for new staff and Board members
• Annual refresher training
• Role-specific guidance where required

12. Data Retention & Disposal

• Personal data shall not be retained longer than necessary
• Secure deletion procedures shall apply
• Paper records shall be securely shredded

13. Third-Party Processors

The BID shall:

• Enter into written Data Processing Agreements
• Conduct due diligence checks
• Ensure third parties implement appropriate safeguards

14. Complaints

Data protection complaints shall be handled through the BID’s internal complaints procedure before referral to the ICO.

15. Insurance

The BID shall maintain appropriate:

• Cyber & Data Protection Insurance
• Directors & Officers Insurance
• Professional Indemnity Insurance

16. Review

This Policy shall be reviewed annually or following any significant breach.

Signed:

Chair of the Board
Date:

Approved by the Board: 26/02/2026
Review Date: 26/02/2026
Version: 1.0

RISK REGISTER ENTRY – BID GOVERNANCE

Risk Title: Data Protection Breach / Regulatory Exposure
Risk Category: Governance / Legal / Reputational
Risk Owner: Board / Data Protection Lead

Risk Description:

Unauthorised disclosure, loss or misuse of personal data relating to levy payers or stakeholders, resulting in ICO investigation, reputational damage, legal claims or financial loss.

Inherent Risk Rating:

Likelihood: Medium
Impact: High
Overall: High

Existing Controls:

• Board-approved Data Protection Policy
• Breach reporting procedure
• Restricted communications policy
• ICO reporting protocol
• Annual training
• Secure IT systems

Additional Mitigations:

• Cyber insurance
• Quarterly compliance review
• Formal communications approval process
• Annual audit of data handling practices

Residual Risk Rating:

Likelihood: Low-Medium
Impact: Medium
Overall: Medium