Purpose of the policy and background to the General Data Protection Regulation

This policy explains to, staff and the public about GDPR. Personal data must be processed lawfully, fairly and transparently; collected for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary for processing; be accurate and kept up to date; be kept only for as long as is necessary for processing and be processed in a manner that ensures its security. This policy updates any previous data protection policy and procedures to include the additional requirements of GDPR which apply in the UK from May 2018. The Government have confirmed that despite the UK leaving the EU, GDPR will still be a legal requirement. This policy explains the duties and responsibilities of SALT Bakehouse and it identifies the means by which the we will meet our obligations.

Identifying the roles and minimising risk


GDPR requires that everyone within SALT Bakehouse must understand the implications of GDPR and that roles and duties must be assigned. SALT Bakehouse is the data controller.  It is the controller’s duty to undertake an information audit and to manage the information collected by SALT Bakehouse, the issuing of privacy statements, dealing with requests and complaints raised and also the safe disposal of information.


GDPR requires continued care by everyone within SALT Bakehouse and staff, in the sharing of information about individuals, whether as a hard copy or electronically.

Therefore, the handling of information is seen as medium risk to SALT Bakehouse (both financially and reputationally)  Such risk can be minimised by undertaking an information audit, issuing privacy statements, maintaining privacy impact assessments (an audit of potential data protection risks with customers), minimising who holds data protected information and SALT Bakehouse undertaking training in data protection awareness.

Data breaches

One of the duties is the investigation of any breaches. Personal data breaches should be reported to SALT Bakehouse for investigation.  Investigations must be undertaken within one month of the report of a breach. Procedures are in place to detect, report and investigate a personal data breach.

It is unacceptable for non-authorised users to access IT using employees’ log-in passwords or to use equipment while logged on. It is unacceptable for employees, volunteers and members to use IT in any way that may cause problems for SALT Bakehouse.

Privacy Notices

Being transparent and providing accessible information to individuals about how SALT Bakehouse uses personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice. This is a notice to inform individuals about what SALT Bakehouse does with their personal information. A privacy notice will be issued on our website

Information Audit

We will delete at the request of individuals email account information. We will delete email accounts that are nolonger active we will not hold company information if a company is nolonger an active customer.

Individuals’ Rights

GDPR gives individuals rights with some enhancements to those rights already in place:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling.

The two enhancements of GDPR are that individuals now have a right to have their personal data erased (sometime known as the ‘right to be forgotten’) where their personal data is no longer necessary in relation to the purpose for which it was originally collected and data portability must be done free of charge. Data portability refers to the ability to move, copy or transfer data easily between different computers.

If a request is received to delete information, then SALT Bakehouse will respond to this request within a month.

If a request is considered to be manifestly unfounded then the request could be refused or a charge may apply. The charge will be as detailed in SALT Bakehouse Freedom of Information Publication Scheme.

All employees, volunteers are expected to comply with this policy at all times to protect privacy, confidentiality and the interests of SALT Bakehouse.