Data Protection Policy


This policy applies to all staff, volunteers and interns of Youth Business International (YBI).


The purpose of this policy is to enable Youth Business International to:

  • Comply with the law in respect of the data it holds about individuals;
  • Follow good practice;
  • Protect Youth Business International’s donors, staff, volunteers and interns, members and other individuals;
  • Protect the organisation from the consequences of a breach of its responsibilities.

Brief Introduction to the Data Protection Act and General Data Protection Regulation

The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly. Anyone who processes personal information must comply with the following principles, to demonstrate information is:

  • Fairly and lawfully processed;
  • Processed for limited purposes;
  • Adequate, relevant and not excessive;
  • Accurate and up to date;
  • Processed in line with the rights of Data Subjects;
  • Secure; and
  • Not transferred to other countries without adequate protection.

The Act also provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.

The General Data Protection Regulation places conditions on the organisation’s accountability and governance of this framework. This requires YBI to keep records of processing activities, detailing the type of people whose personal data is being processed, e.g. staff, trustees, donors, etc. and the type of personal information being processed, e.g. name, age, contact details. Why the personal information is needed, how it is obtained and stored, whether and with whom it is shared, how long it is required and the process for deletion. In order to comply with the regulation YBI’s Data management Form should be used and referred to for activities in which personal data is processed.

Were a data breach to happen YBI is liable for 4% of annual income or a fine of up to €20 million.


Youth Business International will:

  • Comply with both the law and good practice;
  • Respect individuals’ rights;
  • Be open and honest with individuals whose data is held; and
  • Provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently.

Youth Business International is the Data Controller and all processing of personal data will be undertaken in accordance with data protection principles. Youth Business International recognises that its first priority is to avoid causing harm to individuals. Information about individuals will be processed securely and not disclosed to any person unlawfully or unnecessarily.

For processes involving personal data, the responsible staff lead will complete a Data Management Form. This form will be authorised by the Data Protection Officer to confirm it meets the required data protection criteria:

  • The information collected will be specific to the purposes required and these purposes will be explained to the individual concerned;
  • Data collected will be accurate and maintained for the duration of its use;
  • Personal data will be retained only for the duration necessary
  • Data processed will meet the individual’s rights:
    • Right of access to a copy of the information comprised in their personal data;
    • Right to object to processing that is likely to cause or is causing damage or distress;
    • Right to prevent processing for direct marketing;
    • Right to have inaccurate personal data rectified, blocked, erased or destroyed;
    • Right to claim compensation for damages caused by a breach of the regulations.

For the avoidance of any doubt, YBI makes no automated decisions in any regard.

YBI aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. Individuals may exercise their right to a copy of the information held concerning them, see ACCESS TO DATA.


Personal Data is any information, whether in manual or electronic form, that identifies an individual from that information alone or in combination with other information that is likely to be held by YBI.

The principle categories of individuals which YBI processes the personal data of include:

  • Employees - current and past
  • Employees of YBI Network members
  • Volunteers & Interns
  • Job applicants
  • Donors
  • Suppliers
  • Beneficiaries

Processing means the use made of personal data including:

  • Obtaining and retrieving;
  • Holding and storing;
  • Making available within or outside the organisation; and
  • Printing, sorting, matching, comparing, and destroying.


The Board of Trustees recognises its overall responsibility for ensuring that Youth Business International complies with its legal obligations.

The Data Protection Officer is Youth Business International’s Finance Director, Hannah Leyro-Diaz, who has the following responsibilities:

  • Briefing the board on Data Protection responsibilities;
  • Reviewing Data Protection and related policies;
  • Advising staff on Data Protection issues;
  • Ensuring that Data Protection induction and training takes place;
  • Handling subject access requests;
  • Approving unusual or controversial disclosures of personal data;
  • Ensuring contracts with Data Processors have appropriate data protection clauses;
  • Electronic security;
  • Approving data protection-related statements on publicity materials and letters.

Each member of staff, volunteer and intern at Youth Business International who handles personal data will comply with the organisation’s operational procedures for handling personal data (including induction and training) to ensure that good Data Protection practice is established and followed.

All staff, volunteers and interns are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Significant breaches of this policy will be handled under Youth Business International’s disciplinary procedures.


All staff who have access to any kind of personal data will be given copies of all relevant policies and procedures during their induction process, including the Data Protection policy, Confidentiality policy and the operational procedures for handling personal data, relevant to the execution of their responsibilities. All staff will be expected to adhere to all these policies and procedures. Data Protection will be included in the induction training for all volunteers and interns.

Youth Business International will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.


This section of the policy only addresses security issues relating to personal data. It does not cover security of the building, business continuity or any other aspect of security.

Only staff who need access to personal data will be given this privilege. Access to information on the main database is controlled by a password and only those needing access are given the password.

Staff are trained in the secure handling of data, with particular attention given to personal data and sensitive personal data. Any recorded personal data will be:

  • Kept in locked cabinets;
  • Protected by the use of passwords if kept on computer;
  • Destroyed confidentially when it is no longer needed.

Staff, volunteers and interns will use appropriate care to ensure personal data is not shared in insecure ways, e.g. via email or in file-sharing repositories without password protection and that personal data is only shared in this way when necessary.

Staff volunteers and interns will be careful about information that is displayed on their computer screen and make efforts to ensure that no unauthorised person can view the data when it is on display.

Data Breaches

It is the responsibility of the staff member handling personal data to ensure this is done with the greatest care and adherence to this policy. Where a breach occurs or is suspected, the staff member discovering it should inform the Data Protection Office immediately.

The Data Protection Officer is responsible for ensuring the correct procedures are followed in order to understand, mitigate or minimise the harm of a data breach and to inform the relevant authorities.


Youth Business International has a single database, protected by password, holding basic information about a limited number of data subjects.

Youth Business International will regularly review its procedures for ensuring that its records are adequate and limited to only that which YBI needs to carry out the tasks required:

  • The database system is reviewed to facilitate the entry of accurate data;
  • Data on any individual is held in as few places as necessary, and all staff, volunteers and interns will be discouraged from establishing unnecessary additional data sets;
  • Effective procedures are in place so that all relevant systems are updated when YBI is informed of any individual changes;
  • Staff, volunteers and interns who keep more detailed information about individuals are given additional guidance on accuracy in record keeping;
  • Data is corrected if shown to be inaccurate.

Youth Business International stores archived paper records of donors and volunteers securely in the office only for the durations that these are needed.


Consideration will be made of the lawful basis for personal data to be processed, e.g. whether YBI has a legitimate interest and does not require consent to be granted for it to process personal data or whether consent is deemed appropriate. The decision of the lawful basis being applied and the rationale for that decision shall be recorded in the Data Management Form.

Information about donors will only be made public with their consent. This includes photographs.

Consent will be freely given and explicit, although the form of consent may vary according to the situation, e.g. verbal consent may be accepted for personal data use where written consent is impractical or otherwise inappropriate. Regardless of the form, consent will be recorded with sufficient detail to reasonably corroborate its validity, e.g. time and date of consent, and any further details as necessary.

Youth Business International acknowledges that, once given, consent can be withdrawn, see Access to Data for guidance on YBI’s approach. YBI is committed to fulfilling its obligations for the removal of personal information following withdrawal.


Subject Access Requests can be made to YBI’s Data Protection Officer at [email protected].

When requesting personal information from YBI, the following information should be included:

  • Full name
  • Address
  • Contact details, e.g. email address, telephone number
  • Any information which may help to identify or distinguish the Subject (individual whose personal data is being requested) from others;
  • Such as details of the specific information you require (e.g. personnel file) and any relevant dates

 Upon receipt of the required information to help YBI identify all personal data held, YBI commits to responding within 1 month (our legal obligation). We do endeavour to respond to queries as soon as is practicable.

Whilst the most efficient way to make a Subject Access Request is to contact YBI at [email protected], all requests that YBI can corroborate as genuine are valid. This includes but is not limited to postal, email, telephone and social media requests. Verbal requests are also valid if this is the most appropriate means of communication with us.

If YBI does not receive all the information required for the identification of personal data we shall revert for this.

YBI takes the use and security of personal data seriously and will meet all reasonable requests for information. If YBI considers the request to be unreasonable, impractical or is otherwise unable to meet the request, we will revert providing our reasons with the expectation of being able to meet the Subject Access Rights without disproportionate effort in terms of:

  • The cost of providing the information;
  • The length of time it will take;
  • How difficult it will be;
  • The effect on the subject of not having the information in permanent form.

YBI is committed to providing access to your personal data in the most suitable form. Please make clear in your Subject Access Request if you require the information in a specific format (e.g. Braille, large print, email or audio format) in order for YBI to meet our obligations in this regard and under the Equality Act.


Any issues regarding Subject Access Rights request should be made via email to [email protected] or in the most appropriate manner according to the circumstances of the subject.

If we are unable to satisfactorily resolve the issue complaints should be directed to the Information Commissioner’s Office (ICO)


Because confidentiality applies to a much wider range of information than Data Protection, Youth Business International has a separate Confidentiality Policy. This Data Protection Policy should be read in conjunction with Youth Business International’s Confidentiality Policy.

Staff, volunteers and interns are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Confidentiality Policy).

In order to provide some services, Youth Business International will need to share client’s personal data with other agencies (Third Parties).

Where anyone within Youth Business International feels that it is necessary to disclose information in a way contrary to the confidentiality policy, or where an official disclosure request is received, this will only be done after discussions with the Data Protection Officer. All such disclosures will be documented.


Youth Business International is committed to ensuring that individuals are aware that their data is being processed and:

  • for what purpose it is being processed;
  • what types of disclosure are likely; and
  • how to exercise their rights in relation to the data.

Individuals will generally be informed in the following ways:

  • Staff: in the staff terms and conditions;
  • Volunteers and interns: in the volunteering terms and conditions;
  • Job applicants: in the recruitment documents (e.g. JD, job adverts);
  • All other individuals (including, but not limited to, past employees, employees of YBI Network members, donors, suppliers and beneficiaries): upon request

Standard statements will be provided to staff for use on forms where data is collected.


The policy will be reviewed at the first quarterly governance and risk meeting of the year by the Chief Executive and approved by the Board of Trustees. It will also be reviewed in response to changes in relevant legislation, contractual arrangements, good practice or in response to an identified failing in its effectiveness. 

Please click here to read the full document.

Those who make it possible

View all
JPMorgan Chase & Co.

JPMorgan Chase & Co.

IKEA Foundation

IKEA Foundation

Argidius Foundation

Argidius Foundation

European Bank for Reconstruction and Development (EBRD)

European Bank for Reconstruction and Development (EBRD)

Subscribe to our newsletters...