Lichfield Folk Festival
Data Protection Policy

The General Data Protection Regulation (GDPR)

Context and overview
To be reviewed regularly.


Lichfield Folk Festival (LFF) needs to gather and use basic information about individuals.

These can include Committee members, officers, and other people the Committee may need to contact.

This policy gives guidance as to how personal data must be collected, handled and stored to meet good practice and to comply with the law.

This data protection policy ensures LFF:

  • Complies with General Data Protection Regulation (GDPR) and follows good practice
  • Protects the rights of involved in the Festival and other contacts
  • Is open about how it stores and processes individuals’ data
  • Protects itself from the risk of data breach


Data protection law

The General Data Protection Regulation (GDPR) replaces the Data Protection Acts of 1998 and 2003 and describes how organisations, including LFDC, must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically or on paper.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The General Data Protection Regulation (GDPR) has 6 important principles. These are

  1. Lawfulness, fairness and transparency - data should be gathered and used in a way that is legal, fair and understandable. Members have the right to know what is being gathered and have this corrected or removed.
  2. Purpose limitation - data must only be used for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission.
  3. Data minimisation The data collected should be limited only to what is required for the purpose stated.
  4. Accuracy The personal data should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.
  5. Storage limitation Personal data should only be stored for as long as is necessary.
  6. Integrity and confidentiality Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction

People, risks and responsibilities

The policy applies to all committee, officers and interested parties

It applies to all data that the committee holds relating to identifiable individuals

Data protection risks

This policy helps to protect LFF from data security risks, including:

  • Breaches of confidentiality eg. Information being given out inappropriately
  • Failing to offer choice – all individuals should be free to choose how the Committee uses data relating to them


  • Everyone within the Committee has responsibility for ensuring that data is collected, stored and handled appropriately.
  • The only people able to access data covered by this policy should be those who need it in order to carry out their duties and responsibilities.
  • Data should not be shared informally.
  • Data should be stored securely

Data storage

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. These guidelines also apply to data that has been printed out from electronically stored information:

  • Paper and printouts should not be left where unauthorised people can see them
  • Data printouts should be shredded when no longer required

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts.

Subject access requests

All individuals who are the subject of personal data held by LFF are entitled to

  • Ask what information the Committee holds about them and why.
  • How to gain access to it.
  • Be informed how to keep it up to date.
  • Be informed how the Committee is meeting its data protection obligations.

Lichfield Folk Festival (LFF)
Data Retention policy

The General Data Protection Regulation (GDPR)

Any data held shall only be kept for as long as it is necessary and useful.

Personal Data will be used only to notify dancers of events organised by LFF.

Personal Data will always be deleted if an individual has withdrawn consent or if the data is no longer up to date.