Policy Statement 

Evo Devo’s Data Protection Policy ensures that information it holds about individuals is processed in a fair and proper way, and that information is processed lawfully and in accordance with the Principles of Data Protection Legislation, specifically the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 (DPA).

The types of information that we may be required to handle include details of current, past and prospective employees, members, athletes, customers, volunteers, suppliers, sponsors and others that we communicate with. The information, which may be held on paper or electronically, is subject to certain legal safeguards specified in the Legislation.

Implementation / Status 

Evo Devo will ensure compliance with the Data Protection Principles through the dissemination of this policy. This policy may be amended at any time and will be reviewed every two years.

Primary responsibility for ensuring that this policy is implemented and adhered to lies with the Company Secretary, supported by the Chief Executive and the Board of Directors. The Data Protection Officer (DPO) is responsible for the day-to-day management of this and can be contacted via contact@evodevocycling.org.uk. Any questions regarding this policy should be referred to the DPO.

In particular, the disclosure or processing of personal data relating to any living person without the authorisation of the data controller (in this case, British Cycling) is not permitted and may be a criminal offence unless such disclosures fall within the DPA or ‘whistle blowing’ legislation. Unauthorised processing may include accessing personal information of individuals where there is no business need (for example, relating to high profile members or athletes out of curiosity) or sharing information without authorisation (such as selling information to third parties).


Data is information which is stored electronically, on a computer or other electronic media, or in certain paper-based filing systems.

Personal Data means data relating to living individuals who can be identified from the data and includes any expression of opinion and any indications of the intentions of anyone in respect of the individual.


Special Category Data (or sensitive personal data as it was known under previous data protection law) is any personal data consisting of information as to:

  • ethnic origin;
  • trade union membership;
  • biometrics (where used for ID purposes);
  • sex life; or
  • sexual orientation

Data relating to criminal convictions is not considered special category data under the GDPR but is given special protection under the DPA and therefore should also be considered ‘sensitive’.

Special category data can only be processed under strict conditions, and will often require the express consent of the person concerned.

Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purposes of this policy the data controller is Evo Devo and its employees.

Data Processor is an organisation that processes personal data on behalf of the data controller and strictly under the instructions of the data controller. An example would be the third party we use to run payroll on our behalf.

Data Subject is the person who is the subject of the personal data and includes, but is not limited to, members, employees, contractors and consultants, volunteers and athletes. All data subjects have legal rights in relation to their personal data.

Processing means obtaining, recording or holding information or data, or carrying out any operation or set of operations on the information or data. This includes the organisation, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, blocking, erasure or destruction of the information or data. This also includes transferring data to third parties.

Data Protection Principles 

The GDPR sets out seven key Principles which Evo Devo must follow when processing personal data:

Lawfulness, fairness and transparency 

We will ensure that our processing of personal data is lawful and fair and will actively communicate privacy information to the individuals concerned via our privacy notices.

Staff should ensure that these privacy notices are provided to individuals at the point of data collection (or as soon as possible afterwards if this is not practical, for example where personal data is collected over the phone). Forms used to collect personal data should reference the appropriate privacy notice as a minimum.

If we are relying on consent to hold and use information then this should be clear, unambiguous and freely given. That means that we have to make it clear what the individual is consenting to and it must be a free choice. Individuals can withdraw their consent at any time and this must be respected. Records of consent must be kept for compliance purposes.

Purpose limitation 

Personal information may only be processed for the purpose(s) set out in the privacy notice. If you need to use personal data for any other purpose, then we will need to reissue the privacy notice with the appropriate information and where necessary gain consent for this additional processing. Please contact the DPO if you think you have a genuine business requirement to use personal data for a purpose outside of the relevant privacy notice.

Data minimisation 

We must only collect the minimum amount of data necessary for the purpose that we are processing personal information. For example, when collecting information for event entry, we should only obtain the information we need for that person to enter the event.


Accuracy

We will ensure that personal information is kept accurate and up to date, and where we are informed that personal data is inaccurate we will rectify this without undue delay. This means that if someone informs you that their personal details have changed or that they think the information we hold on file for them is inaccurate, you should take steps to update/correct it as soon as possible.

Staff should periodically check that their own personal details held by HR are accurate and inform them of any changes. This can be done via the iTrent system.

Storage limitation 

Personal data may only be kept for as long as it is needed to fulfil the purpose that it was collected for, after which it must be deleted or anonymised. Evo Devo’s data retention schedule is based on our legal and statutory obligations as well as business need. Please see the Data Retention Policy for more information.

Integrity and confidentiality (security) 

We will take all steps reasonably necessary including policies, procedures and security features to ensure that personal data is treated securely and protected from unauthorised and unlawful access and use.

Where we have given individuals (or where they have chosen) a password which enables them to access personal data, the individual concerned is responsible for keeping this password confidential and passwords must not be shared with anyone.

Please see the Information Security Policy for more information.  


Accountability

We take our data protection responsibilities seriously and have registered as a data controller with the Information Commissioner’s Office (ICO) under reference Z1066209. We have implemented technical and organisational measures to ensure (and demonstrate) compliance with the GDPR.

The DPO is responsible for helping us to comply with our legal obligations set out in the GDPR and DPA. The DPO monitors our data protection compliance and provides advice and guidance as to how we can improve our data handling practices. At this time, the DPO is Emma Bertenshaw who can be contacted via emmabertenshaw@britishcycling.org.uk.

Legitimate Interest Assessments 

In order for processing to meet the first principle (fair, lawful and transparent), Evo Devo must identify an appropriate lawful basis for processing. One possible lawful basis is legitimate interests which may cover our general business processes. However, in order to rely on legitimate interests we must conduct and document a formal Legitimate Interest Assessment (LIA) to demonstrate that our use of data is not in any way unfair or damaging to the individual concerned. Please contact dataprotection@britishcycling.org.uk for the LIA template and guidance from the DPO.

Data Subject Rights 

Data must be processed in line with data subjects’ rights. Under the GDPR, individuals have a right to:

  • Be informed about how their personal data will be used – typically via a privacy notice (see Principle 1 – fairness, lawfulness and transparency above);
  • Request access to any data held about them by a data controller;
  • Prevent the processing of their data for direct marketing purposes (note – this is an absolute right);
  • Ask to have inaccurate data amended without undue delay;
  • Object to processing in certain circumstances and to withdraw their consent for processing where this is the lawful basis;
  • Request that their personal data is deleted by the data controller in certain circumstances;
  • Restrict processing of their personal data where the individual disputes the accuracy of the data or lawfulness of the processing;
  • Request that their data is provided to another data controller in a machine-readable format (data portability) in certain circumstances;
  • Prevent personal data being processed for the purpose of automated decision making, including profiling, in certain circumstances; and
  • Complain to the Information Commissioner’s Office (ICO) about the data controller’s use of their personal data.

Evo Devo usually only has one calendar month to respond to a request so it is imperative that all staff are aware of the rights above and their obligation to immediately forward any requests to dataprotection@britishcycling.org.uk. Requests can be made in writing (e.g. via email or letter) as well as verbally in person or over the telephone, or via social media. For more information please see Evo Devo’s Data Subject Request Policy.

Data Breaches 

Under the GDPR, Evo Devo only has 72 hours to report certain types of data breaches to the ICO. If you are aware of an actual or potential data breach, you should immediately contact the DPO via dataprotection@britishcycling.org.uk so that she can investigate and establish whether the breach needs to be reported on. Please see Evo Devo’s Data Breach Management Policy for more detailed guidance.

Data Protection by Design 

The GDPR introduces the requirement for organisations to address privacy considerations at the outset and to include data protection requirements in any new project or process involving personal data. It is therefore important that the DPO is involved in new processes where personal data is being used. In some cases, we will need to complete a Data Protection Impact Assessment (DPIA) prior to commencing the project to ensure that all privacy risks have been addressed and mitigated and that the processing is lawful. The DPIA Policy includes further information and templates for staff.