These principles guide our data processing practices, ensuring compliance with data protection regulations and safeguarding individual rights and privacy.

1. Data Protection Policy Principles. Funding the Commons Inc. is dedicated to processing data in strict compliance with its responsibilities under the Data Protection Act (DPA). The DPA outlines the following principles for the lawful and transparent processing of personal data:

• Data must be processed lawfully, fairly, and transparently in relation to individuals.
• Data should be collected for specific, explicit, and legitimate purposes and not used in ways that are incompatible with those purposes. Certain exceptions apply, such as archiving for public interest, scientific, historical research, or statistical purposes.
• Data must be adequate, relevant, and limited to what is necessary for the intended processing purposes.
• Data should be accurate and, when necessary, kept up to date. Any inaccuracies should be promptly rectified or erased.
• Personal data should not be retained longer than necessary for the intended processing purposes. Storage for extended periods is acceptable for archiving, research, or statistical purposes, provided the appropriate technical and organizational measures are in place to safeguard individuals' rights and freedoms.
• Data must be processed securely to protect against unauthorized or unlawful processing, accidental loss, destruction, or damage. Appropriate technical and organizational measures should be implemented.

2. General Provisions.

• This policy pertains to all personal data processed by Funding the Commons Inc.
• The designated Responsible Person is responsible for ensuring continuous compliance with this policy within Funding the Commons Inc.
• A periodic review of this policy, at a minimum, shall take place annually.
• Funding the Commons Inc will register as an organization processing personal data with the Information Commissioner's Office.

3. Lawful, Fair, and Transparent Processing.

• To guarantee that its data processing is conducted lawfully, fairly, and transparently, Funding the Commons Inc shall maintain a Register of Systems.
• The Register of Systems will undergo an annual review.
• Individuals possess the right to access their personal data, and any such requests directed to Funding the Commons Inc will be promptly addressed.

4. Lawful Purposes.

• All data processed by Funding the Commons Inc must adhere to one of the following lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
• Funding the Commons Inc will record the appropriate lawful basis in the Register of Systems.
• When consent is relied upon as the lawful basis for data processing, evidence of opt-in consent will be retained alongside the personal data.
• In cases where communications are sent to individuals based on their consent, the option for individuals to withdraw their consent should be clearly available, and systems should be established to ensure that such revocations are accurately reflected in Funding the Commons Inc's systems.

5. Data Minimization.

• Funding the Commons Inc will ensure that personal data remains adequate, relevant, and limited to what is necessary in relation to its processing purposes.
• Data minimization will be accomplished through the implementation of various technical and organizational measures, including:

Collecting only the essential personal data required for specific purposes. Regularly assessing and removing data that is no longer necessary. Utilizing pseudonymization and anonymization techniques to safeguard personal data. Enforcing access controls and other security measures to protect personal data against unauthorized access or use.

• By adhering to data minimization practices, Funding the Commons Inc contributes to the protection of personal data and the prevention of potential harm to individuals.

6. Accuracy. Funding the Commons Inc is committed to taking reasonable measures to maintain the accuracy of personal data. When required by the lawful basis of data processing, steps will be established to ensure that personal data remains current. To ensure data accuracy in data protection, Funding the Commons Inc will employ the following methods:

• Data Validation: This involves verifying that data meets specific criteria, such as staying within a defined range or adhering to a particular format.
• Data Scrubbing: This entails identifying and eliminating inaccurate or irrelevant data from the dataset.
• Data Deduplication: This involves identifying and removing duplicate records from the dataset.
• Data Standardization: This ensures consistent formatting and coding of data across the dataset.
• Data Auditing: Regular reviews of data to identify and correct errors.
• Access Controls: Restricting access to sensitive data to authorized personnel.
• Data Encryption: Encoding data to safeguard it from unauthorized access.
• Regular Backups: Creating regular data copies to mitigate data loss.
• Incident Management: Preparedness for responding to data breaches or incidents that may impact data accuracy.
• Employee Training: Providing education and training on data accuracy and security to employees to enhance their understanding of their role in data protection.

7. Archiving and Removal. Funding the Commons Inc is dedicated to ensuring that personal data is retained no longer than necessary. To achieve this, an archiving policy will be established for each area in which personal data is processed, and this policy will undergo an annual review. The archiving policy will consider what data must be retained, for how long, and the reasons for retention. Several methods for archiving and removing data are employed by Funding the Commons Inc, including:

• Backup and Restoration: Regular data backups are created and securely stored. Inactive data can be restored from backups when needed, while data no longer required can be deleted from the backups.
• Cloud Storage: Data is stored on cloud-based servers, such as Google Drive. Data can be easily archived by moving it to cloud storage, and removal involves deleting it from the cloud storage account.
• Data Archiving Software: This software can automatically archive data based on specific criteria like file age or type. It also facilitates searching and restoring archived data when necessary.
• Data Erasure Software: This software securely deletes data from various storage devices, including hard drives, servers, and removable media. It ensures data cannot be recovered.
• Physical Destruction: Highly sensitive data may be subject to physical destruction of storage devices, such as hard drives, to prevent data recovery.
• Data Retention Policy: Funding the Commons Inc maintains a data retention and disposal policy that outlines the procedures for archiving and removing data, designates responsible individuals, and specifies secure data deletion methods.

8. Security. Funding the Commons Inc ensures the secure storage of personal data using updated software. Access to personal data is restricted to authorized personnel, and appropriate security measures are in place to prevent unauthorized information sharing. When personal data is deleted, it is done securely to render the data irrecoverable. Robust backup and disaster recovery solutions are implemented. Funding the Commons Inc employs the following methods for securing data:

• Encryption: Sensitive data is transformed into code to safeguard it from unauthorized access. Encryption can be applied to data at rest (stored data) or in transit (data being transmitted).
• Access Controls: Access to sensitive data is limited to authorized personnel through user accounts, roles, and permissions.
• Firewalls: Hardware or software is used to block unauthorized network or device access by defining rules to regulate incoming and outgoing traffic.
• Intrusion Detection and Prevention: Software or hardware is used to identify and prevent unauthorized access to networks or devices, including the detection and blocking of malicious traffic.
• Backup and Disaster Recovery: Regular data backups are made, and a plan is in place for data restoration in case of a disaster.
• Patch Management: Consistent updates of software and systems are performed to rectify vulnerabilities and protect against emerging threats.
• Physical Security: Data is safeguarded from physical threats like theft or damage through measures such as securing server rooms and employing surveillance cameras.
• Employee Training: Employees receive education and training in data security and best practices, helping them understand their role in data protection.
• Incident Management: Procedures are in place for responding to security incidents, such as data breaches, to minimize damage and restore data security.
• Compliance: Adherence to data security regulations and industry standards, like HIPAA and PCI-DSS, is a fundamental aspect of our security practices.

9. Breach. In the event of a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data, Funding the Commons Inc will promptly assess the risk to individuals' rights and freedoms. If appropriate, the breach will be reported to the Information Commissioner's Office (ICO). Funding the Commons Inc employs the following methods for implementing a data breach response:

• Identifying and Classifying Data: This involves recognizing the types of data collected, stored, and processed by Funding the Commons Inc, and classifying it based on its sensitivity level. This aids in assessing the potential impact of a data breach and prioritizing response actions.
• Establishing an Incident Response Team: A team is assembled to manage and respond to data breaches. This team comprises individuals from various departments, including IT, legal, and PR, ensuring comprehensive coverage of response efforts.
• Developing an Incident Response Plan: A detailed plan is created, outlining steps to be taken in case of a data breach. It covers procedures for identifying, containing, and mitigating breaches, as well as notifying affected individuals and regulatory authorities.
• Regularly Testing and Updating the Plan: The incident response plan is routinely tested to identify weaknesses and make necessary updates. It is also kept up to date to reflect changes in technology and regulations.
• Employee Education and Training: Employees receive education and training on best practices for data security and familiarity with Funding the Commons Inc's data breach response plan. This ensures that employees understand their roles in data protection and know how to respond to breaches.
• Third-Party Vendor Management: Evaluation and management of data security risks associated with third-party vendors. This involves conducting regular security audits, reviewing vendor contracts, and ensuring vendor compliance with data protection regulations.
• Implementing Technical Controls: Technical controls, including encryption, access controls, firewalls, intrusion detection, and backup and disaster recovery, are applied to protect against data breaches.
• Compliance: Adherence to data protection regulations and industry standards, such as HIPAA, PCI-DSS, and GDPR, is essential. Necessary actions are taken to ensure compliance with these regulations.
• Incident Management: Procedures are in place to respond to data breaches, minimize damage, and restore data security.