Data Protection - GDPR Statement
Data Protection & GDPR Compliance Statement
Business Development Association (BDA) - UK
Last Update: 5 December 2024
1) Introduction and identity of the person responsible for processing
The Business Development Association (BDA) is fully committed to protecting personal data and ensuring compliance with UK GDPR and the Data Protection Act 2018. As a global authority in business development, headquartered in London, we apply the highest standards of transparency, accountability, and security in managing the data of our members, certified professionals, partners, and website users. Contact: privacy@bda-global.org.
(For the legal framework: see the ICO's page on the Data Protection Act 2018.)
2) Our Core Data Protection Principles
In line with UK GDPR, we ensure that all data processing is based on the following principles:
- Lawfulness, fairness & transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity & confidentiality
- Accountability
3) Legal Bases
We do not process any personal data without a clear legal basis. The six possible grounds under Article 6 of the UK GDPR are: consent, contract, legal obligation, vital interests, public interest/official function, and legitimate interest. We will explain the appropriate basis for collection and use to you and document it internally.
Note: We only process “special categories” of data (health, belief, etc.) when necessary, on an exceptional and limited basis, and with an additional legal basis under the UK GDPR.
4) What we collect and how we get it
We may collect:
- Identification and contact information: name, title, email, phone.
- Professional data: experience, qualifications, and professional history relevant to applying for BDA certifications or accreditations.
- Technical data: IP address, browser/device type, and cookie identifiers.
- Transaction data: fee payments via secure payment providers.
- Usage interactions: registering for tests, downloads, and attending seminars and events.
Collection sources: Directly from you, through our online platforms, or from our authorized partners under written data processing agreements.
5) Processing purposes
We use your data to:
- Manage certification applications (BDA-CP™/BDA-SCP™) and examinations,
- Manage memberships, accreditations, and partner relationships,
- Provide content and resources (such as the BDA BoCK® Guide) and improve our platforms,
- Send organizational and service communications (test dates/policies/updates),
- Fulfil legal and regulatory obligations in the UK.
We will never sell or share your data for marketing purposes with third parties without a valid and stated legal basis.
6) Cookies and Electronic Communications
We use cookies and similar technologies to improve your experience and measure performance. We will clearly tell you what we are using and why, and we obtain your prior consent where required under the PECR, except for cookies that are necessary to provide the service. (ICO clarification: Cookies fall first under PECR and require explicit, non-implied consent, except where necessary.)
7) Protection and security
We implement appropriate technical and organizational measures, including encryption in transit/at rest wherever possible, access controls, staff training, and regular control testing. In the event of a personal data breach that potentially exposes individuals to risk, we assess whether to report it to the ICO within 72 hours of becoming aware of it and notify individuals if the risk is high, in accordance with ICO guidelines.
8) Data Sharing and Third Party Processors
We may share your data as needed with:
- Hosting, operation, e-payment and e-learning service providers,
- Certified BDA partners, under strict data protection agreements,
- Regulatory bodies or competent authorities when there is a legal obligation.
Your data is only accessed on a “need to know” basis, and confidentiality obligations are imposed on all parties.
9) International data transfers
When transferring your data outside the UK, we comply with UK GDPR requirements for international transfer, using one of the UK's legal safeguards such as:
- the International Data Transfer Agreement (IDTA), or
- the UK Addendum to the EU SCCs.
We can also rely on UK adequacy regulations as issued by the government (see the ICO guidance on the IDTA/Addendum and international transfers).
10) Data retention period
We retain data only for the purposes and for the period necessary, and then delete or de-identify it. The periods vary by category (e.g., retaining certificate records for professional verification, retaining transactions in accordance with UK accounting/tax requirements). The periods will be explained in our internal retention log and detailed retention policy upon request.
11) Your rights under the UK GDPR and how to exercise them
You have the following rights: access to your data, rectification, erasure (“right to be forgotten”), restriction of processing, portability, and objection (including to direct marketing). We are committed to responding within one month of receiving the request, with the possibility of extending it by up to two additional months in complex cases (ICO timeframe). You can exercise your rights via privacy@bda-global.org.
Withdrawal of consent: Where processing is based on your consent, you may withdraw it at any time and this will not affect the lawfulness of processing prior to your withdrawal.
12) Automated Decision-Making
We do not make purely automated decisions, without human intervention, that produce legal effects on individuals or similarly affect them. If this changes in the future, we will provide you with clear information about the logic used, the significance and expected outcomes of the processing, and your rights to object and request human intervention. (See the ICO Guidance on Automated Decision Making and Profiling.)
13) Children and Sensitive Data
We do not target our Services to children under the applicable age limit in your state, and we do not seek to collect "special categories" of data. If we do accidentally collect this data, we will delete it or process it in accordance with strict legal requirements and the law.
14) Governance and Accountability
We maintain records of processing activities, apply privacy by design and default, and conduct Data Protection Impact Assessments (DPIAs) when necessary.
We regularly review policies, train employees, and manage risks to ensure ongoing compliance.
15) Communications, Complaints, and the Regulatory Authority
For any inquiries or to exercise your rights: privacy@bda-global.org
If you are not satisfied with our response, you can lodge a complaint with the Information Commissioner's Office (ICO) in the UK via their official website.
16) Changes to this statement
We may update this statement to reflect legislative developments or our internal processes. We will indicate the date of its most recent update at the top of the page, and we encourage you to review it periodically.
Important warning
This document is intended to explain our practices and compliance standards and is not legal advice. If you are a partner organization or testing/training center, please review your respective bilateral data protection agreements and compliance channels.
Commitment Summary:
BDA ensures that your data is processed lawfully, fairly, and transparently; for specific purposes and with the minimum amount of data necessary; with strict protection; and full accountability in line with the UK GDPR, the Data Protection Act 2018, and ICO guidance.