GDPR and BIDs β an opportunity to think about your data!
Commentary
When GDPR first came into force, it prompted a huge amount of activity. Organisations reviewed mailing lists, updated privacy notices, introduced new policies and spent time understanding what the new rules meant in practice. For many, that initial rush has long passed. But for Business Improvement Districts, data protection remains every bit as important today as it was then.
BIDs routinely handle personal data in the course of their work. That can include information relating to levy payers, employees, board members, contractors, partners, residents, visitors and consumers. It may cover names, contact details, images, CCTV or body-cam footage, event and campaign data, mailing lists, app records, location data and information linked to loyalty schemes or business engagement activity. Under the current UK framework, BIDs need to think in terms of UK GDPR and the Data Protection Act 2018, with further updates now being made through the Data (Use and Access) Act 2025.
For BID boards, the key point is this: data protection should not be treated as something that sits only within individual member organisations. Even where directors are confident that their own businesses have strong processes in place, the BID itself will often have separate responsibilities as a data controller, and sometimes will need to manage relationships where suppliers or partners act as processors on its behalf.
That matters because the range of data a BID collects and uses has continued to grow. Business crime partnerships, radio schemes, consumer campaigns, digital newsletters, footfall technology, town centre events, photography and video content, and destination apps can all create data protection considerations that need proper attention. Personal data is not limited to obvious contact details. It can also include images, online identifiers and location-based information where individuals can be identified.
A well-run BID should therefore be clear about what personal data it holds, why it holds it, what lawful basis it relies on, who it shares information with, how long records are kept and how that data is secured. These are not just technical compliance questions. They go to the heart of good governance and good operational practice. The ICOβs guidance remains clear that organisations must be able to justify their processing, apply the data protection principles in practice and demonstrate accountability.
Data sharing is one of the most important areas for BIDs to get right. Many work closely with local authorities, police teams, businesses, security partnerships, event partners and service providers. Where data is processed by a third party on behalf of the BID, there should be an appropriate written contract in place. Where data is shared between organisations for agreed purposes, there should be a clear understanding of roles and responsibilities, and in many cases a formal data sharing agreement is the right approach.
The relationship with the local authority is particularly important. BID operating agreements and related governance documents should accurately reflect how information is obtained, used and shared, especially where levy payer or contact data is involved. This is also a good opportunity to review privacy notices, retention policies, breach procedures, subject access request handling and cyber-security arrangements to make sure they are still fit for purpose.
For BIDs, this should not be seen simply as a compliance burden. Done properly, data protection supports stronger governance, better decision-making and greater confidence among levy payers, partners and stakeholders. It helps ensure that the systems underpinning an effective BID are secure, focused and well managed. In a sector that increasingly depends on digital communication, shared intelligence and partnership working, that is a real operational advantage.
The legal framework will continue to evolve, and BIDs should keep an eye on updated ICO guidance as changes are introduced. But the core principles remain familiar: be clear about purpose, be transparent, collect only what you need, keep it secure and be able to explain the decisions you have made.
How we can help
We help BIDs review their data protection arrangements, governance documents and data sharing practices so they are practical, proportionate and fit for the way modern BIDs operate.
Whether you need support with privacy notices, data mapping, contracts, data sharing agreements, policies or governance reviews, we can help you put the right framework in place.
To find out how we can support your BID, get in touch.