There’s a lot of talk in the media, and on social media, about the GDPR, the new EU-wide data protection law that comes into force today. I particularly like the GDPR jokes, and my favourite so far is this Christmas-themed cracker:
He's making a list
He's checking it twice
He's gonna find out who's naughty or nice
Santa Claus is in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679
— joe (@mutablejoe) May 20, 2018
But there’s more to the General Data Protection Regulation than jokes and the flurry of ‘resubscribe’ emails currently doing the rounds. At Involve, we’ve been getting ready for the GDPR’s introduction for some months now, and we’ve prepared a general privacy statement that outlines how we use and look after people’s personal information. If you’ve got any data-related queries, please do get in touch with us at firstname.lastname@example.org.
Involve’s Privacy Statement
This privacy statement sets out how Involve looks after people’s personal information. It takes into account the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
Involve is committed to looking after your personal data. We will:
Members of the public we work with on projects
If we are working with you on a project we will give you full details about how we will use and look after your personal information. We normally do this by giving you a consent form. That form will also clearly set out the lawful basis for processing your data, and it will explain your legal rights.
Our newsletter subscribers
We use Mailchimp to send out our regular newsletter. If you subscribe to our newsletter, your details will be held on Mailchimp’s servers in the USA. Mailchimp has signed up to the EU-US Privacy Shield, which is one of the approved international agreements for protecting the data of EU citizens. We only send you our newsletter with your consent, and you can unsubscribe at any time.
Professional networks and sub-contractors
Like many organisations, we keep contact details of people in our professional networks, for example people from organisations that we collaborate with, people we subcontract to, people we meet at conferences, etc. Our professional networks are very important to us, as they enable us to build alliances. We store this data in Insightly, which is a US-based company providing customer relationship management software. Insightly have signed up to the EU-US Privacy Shield. We have decided that we have a legitimate interest in holding this information, and that is the lawful basis we are using to process this data. You can ask us to delete any data we hold about you by emailing email@example.com, and we will action this request within 10 days. We also clean up our contacts database at least once a year by deleting out of date contact information or by updating records, for example where people have moved into different roles.
Open Government Network
Involve coordinates the UK’s Open Government Network, and we use the Discourse online forum to support the network. If you are part of this network and sign up to the forum, we will let you know separately what steps we are taking to ensure that your data is properly protected.
If you apply for a job at Involve, we look after the information that you send us and we store it securely. For unsuccessful candidates, we delete this information after 6 months, unless you’ve asked us to keep your CV on file.
We keep very limited information about our individual donors (enough to enable us to thank them and to comply with money laundering obligations). We currently use PayPal to process donations.
Behind the scenes
We have updated our data protection policy to ensure that we comply with the GDPR. We’ve undertaken a data audit, so that we know what personal information we hold and process, and we’ve documented our lawful bases for processing personal data. We have also been checking that our online systems and databases are GDPR-compliant, and we’ve reviewed the security of our different storage systems.
If you need further information or if you have a complaint
If you have any questions about how we look after people’s personal information, or if you have a complaint about how we are handling your data, please get in touch with us at firstname.lastname@example.org or call our office on 020 3745 4334. We will try our best to answer your questions or resolve your complaint.
You can also make a complaint to the Information Commissioner, who is the official data protection regulator in the UK. Their contact information can be found on their website at www.ico.org.uk.
You can download a copy of this statement here: Involve’s General Privacy Statement