Data Protection (GDPR) Policy

Approved By: Full Council
Author: Dan Gwalter
Confidentiality: Public
Date Published: November 4, 2025
Document Reference: WES-POL-0014
Notes:
Owner (Role): Secretary
Policy Group: Risk Data and Digital
Review Date: November 4, 2027
Status: Published
Version: 1.0
Visible on Website:

  • 1. Purpose
  • 2. Scope
  • 3. Definitions
  • 4. Policy Statement
  • 5. Roles and Responsibilities
  • 6. Policy Detail and Procedures
  • 6.1 Data Collection and Use
  • 6.2 Data Storage
  • 6.3 Data Sharing
  • 6.4 Data Retention
  • 6.5 Subject Access Requests (SARs)
  • 6.6 Breach Management
  • 7. Related Policies and References
  • 8. Compliance and Breach Handling
  • 9. Review and Version Control
  • 10. Approval Record

1. Purpose

This policy outlines how the Western Equestrian Society (WES) manages personal data in compliance with the UK General Data Protection Regulation (UK GDPR). It ensures that WES: respects the privacy of its members and contacts; processes data lawfully, fairly, and transparently; retains only what it needs; and protects data from misuse or unauthorised access.

2. Scope

This policy applies to all personal data held by WES in electronic or paper form, including: membership records; Council, WES Pros, and volunteer data; event bookings and show entries; digital communications and marketing lists; and complaint or disciplinary records.

It applies to all Officers, Council members, volunteers, and third parties acting on behalf of WES.

3. Definitions

  • Personal Data: Information that identifies a living individual (e.g. name, email, address)
  • Special Category Data: Sensitive data including health, race, or disability status
  • Data Subject: The person whose data is being held or processed
  • Controller: The organisation deciding why and how data is used (WES)
  • Processor: A third party acting on behalf of WES (e.g. Member Mojo, SurveyMonkey)
  • Data Breach: Any loss, unauthorised access, or improper disclosure of personal data

4. Policy Statement

WES collects and uses personal data to support membership services, event management, governance, and Society communication. We only collect data we need, store it securely, and use it for clear purposes.

All processing is based on one or more lawful grounds under UK GDPR: Contractual (managing membership or event participation); Legitimate interest (running the Society effectively); Consent (optional newsletters or photo permissions); or Legal obligation (retaining financial or safeguarding records).

WES does not sell or share data for commercial purposes.

5. Roles and Responsibilities

Role | Responsibility
Secretary | Acts as WES Data Lead; maintains policy, breach log, and ensures compliance
Treasurer | Ensures financial records meet HMRC and GDPR retention standards
All Officers | Handle data securely and report any breaches or concerns
Council | Oversees data protection governance; approves updates and handles escalation

6. Policy Detail and Procedures

6.1 Data Collection and Use

  • Only data needed to deliver services will be collected
  • Consent will be used for optional communications or photography and must be active, informed, and revocable
  • Sensitive data (e.g. medical conditions) will be collected only where necessary for safeguarding or access needs

6.2 Data Storage

  • Membership and email data is stored via secure cloud systems (e.g. Member Mojo, Google Workspace, JotForm, Tally Forms)
  • Access is restricted to relevant Officers and protected by passwords and 2FA where available

6.3 Data Sharing

  • Data may be shared internally only where necessary for operations
  • No personal data will be shared externally unless legally required or explicitly consented to
  • Third-party platforms must provide GDPR-compliant terms and security standards

6.4 Data Retention

Data Type | Retention Period
Membership and contact data | 10 years (due to renewal opportunities)
Event records | Indefinitely (due to points collation record keeping)
Financial data | 6 years (HMRC rules)
Complaints and disciplinary records | 6 years from case closure

6.5 Subject Access Requests (SARs)

  • Requests must be made in writing to the Secretary
  • WES will respond within 30 days, free of charge, unless the request is manifestly unfounded or excessive
  • The response will confirm what data is held, its source, and how it is used

6.6 Breach Management

  • Any data breach must be reported to the Secretary immediately
  • A breach log will be maintained
  • If the breach is serious (risk of harm or legal breach), WES will consider whether to notify the ICO and affected individuals within 72 hours

7. Related Policies and References

  • Subject Access Request Procedure (WES-POL-0015)
  • Data Breach Reporting Procedure (WES-POL-0016)
  • Risk Management Policy (WES-POL-0013)
  • Disciplinary Procedure

8. Compliance and Breach Handling

Failure to handle personal data responsibly or to report a breach may result in disciplinary action. WES reserves the right to restrict access or role privileges where compliance is not assured.

9. Review and Version Control

Version | Date | Author | Changes Made
0.1 | 18/07/2025 | DG | Initial policy draft
0.5 | 08/10/2025 | DG | Changes following Chairman's review
1.0 | 04/11/2025 | DG | Published

10. Approval Record

Approved By | Date | Notes
Full Council | 04/11/2025 | Approved for immediate use