GDPR Policy WECare Worldwide

Transcription

1 GDPR Policy WECare Worldwide MAY 2018 GDPR policy, WECare Worldwide WECare 1

2 WECare Worldwide s commitment to GDPR WECare Worldwide ( WECare ) is both a UK registered charity ( ) and a Sri Lankan NGO (SL FL ) which was set up by UK veterinary surgeon Janey Lowes in October WECare aims to provide high standard veterinary care for street animals in need around the world and started operations in Sri Lanka due to the huge overpopulation of street dogs, often with extensive injuries or severe disease. Over the last 3 years, WECare have treated almost 4,000 animals in need and look to increase this number in a dramatic way in the near future. WECare s donors, supporters and stakeholders are crucial to the charity s survival and sustainability and so respecting their data, the protection of it, how it s stored and their ability to object at any point is an absolute priority to WECare. We aim for transparency in everything we do, so that we can serve the community, both local and global, in an honest and trustworthy manner. How does GDPR affect WECare? Key definition: The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. This document aims to cover how, and in which areas, GDPR will be implemented within WECare. The following points will be covered in more detail: 1. How WECare processes data where it s stored, how long it s stored for, when it s refreshed. 2. Consent if we have consent, how we received, where it s logged. 3. Why WECare processes data lawful processing, purpose, legitimate interest. 4. Employee data personal data files. 5. Objection, erasure, right to withdraw how WECare deals with erasing data, giving individuals the right to withdraw and objection requests. 6. Data breaches what happens if someone s data is breached. WECare documents all information regarding how data is stored and where data is stored. Breaches, update logs and activities relating to article 30(1) of the GDPR are all documented and managed by the data controllers. Consent WECare s consent form is on the charity s website ( and is separate to any other terms and conditions. WECare has positively asked for consent from every individual on it s mailing list. Consent has been given for the following: WECare communication via no more than four times a month, with information regarding the charity s progress, recent animal cases and general updates/education about the situation in Sri Lanka. GDPR policy, WECare Worldwide WECare 2

3 For information stored on WECare s CRM system (Zoho) until they have asked for information to be deleted. WECare Worldwide will ask individuals to opt back in yearly to avoid data being stored unnecessarily. WECare communication via direct mail no more than four times per year. WECare does not rely on third party processors to manage the charities data- only WECare employees will process data. If this procedure is amended at any point, the charity will inform all individuals with data currently stored on our system. WECare keeps a detailed record of the date at which individuals gave consent for their data to be stored and to have WECare communications delivered to them. This record is stored on Zoho. The charity has an unsubscribe section on its platform (Mailchimp) which is easily accessible and is a very-simple 2 step procedure. Upon requesting consent, this link was clearly communicated. Individuals can choose for their data to be removed from the CRM system and Mailchimp at any point. Once this request has been given, an alert will be sent to the controllers at WECare and data will be removed within 72 hours. The charity will confirm the removal of this data to the recipient, once completed. Being Informed WECare has its GDPR policy available on the website at all times, and all WECare signatures will carry a link to this page. This will allow any individual looking to gain understanding of how and where their data is stored the opportunity to do so. WECare Worldwide s purposes for processing personal data includes: To have individual s data stored so that they can receive updates from the charity and to be kept informed of any changes To keep individual s data so that trends and patterns can be analysed to assist future promotions of the charity To invite individuals to key WECare events To record transactions for accounting purposes relating to goods or services supplied by individuals and process the associated payments in settlement of these. For anti-money laundering regulation and identification purposes, WECare holds copies of Trustees current passports. To carry out appropriate processes in respect of WECare s employees (for further details, see Employee Data Protection Policy) Privacy Information WECare will store individual s data for 24 months after consent has been received. After this one year period has drawn to a close, the charity will again request consent from individuals for the storage of their information and permission for regular contact. Data will not be shared with third parties, only WECare staff will have access to information and should not contact individuals that have given consent without the permission of one of the data controllers, namely Janey Lowes, Rebecca Carruthers and Yasmin Davoodi. The charity will review its GDPR policy every 3 months to ensure the individuals best interests are considered and that data is being stored securely and safely. GDPR policy, WECare Worldwide WECare 3

4 All individuals have the right to access their personal data and supplementary information. If a request is given to WECare, this will be fulfilled within fourteen working days. WECare Worldwide stores the following information for all stakeholders: Full name Company name address Telephone number Postal address Additionally for donors: Donation channel Donation amount Additionally for suppliers (individuals): Bank account details Additionally for employees: Date of birth Bank account details National insurance number Copy of passport or driver s licence Health records (see Employee Data Protection Policy) Employment records (see Employee Data Protection Policy) Gender Ethnicity (Equal opportunity monitoring) Nationality (Equal opportunity monitoring) Religion (Equal opportunity monitoring) Additionally for trustees: Date of birth Bank account details (expenses reimbursement purposes) Copy of passport or driver s licence If an individual requires access to their information, to use on other online platforms, they can the data controllers and their request will be answered within 7 working days. When signing up to WECare communications (via the website, or at WECare events) individuals will always have full access to the charities GDPR policy and will be asked if they would like to give consent to be communicated with and for their data to be processed, WECare will not process an individual s data without this consent. communications will not be sent without this consent. Security of data WECare have a number of systems and policies in place to protect data including password protection of devices and where devices allow, the use of anti-virus and firewalls. Encryption software will be set up in s containing personal or sensitive information and removable devices will also be encrypted to prevent data breaches arising from loss or theft of these devices. GDPR policy, WECare Worldwide WECare 4

5 Data is stored on Google Drive, which is protected by 2-step verification. All charity staff members have password-controlled devices, which should be refreshed every 3 months. Google Drive is not downloaded on employee devices, which means that data can only be accessed through Google mail, once employees have signed in on their computer. Data is in a folder within the WECare Google Drive and only the data controllers can access this folder. This ensures that, in the event of theft or loss of a device, data is still secure and can not be accessed by third parties. If there is a breach of data, the breach will be rectified and reported to the ICO within 72 hours. If the breach is likely to result in a high risk of adversely affecting individuals rights and freedoms, the individual will be contacted within 24 hours. A record will be kept should any breaches take place of data. Google drive has an alert system set up on the data folder which means that if a document is downloaded, the data controllers will receive an alert. If there is suspicious activity on the folder, the data controllers will flag the breach with ICO and the individual. We will also block the account that the breach has come from and change passwords to all data folders. In order to maintain secure systems, WECare employ the expertise of IT professionals and as such to protect data or resolve IT issues, on occasion there will be circumstances whereby they will have access to personal data. All agents, contractors, or other parties working on behalf of the Charity handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Charity arising out of this Policy and the GDPR. Data controllers Charity data controllers are responsible for ensuring the safety and security of stakeholder information. Details are: Company name: WECare Worldwide Data controllers of WECare Worldwide: Janey Lowes, Rebecca Carruthers, Yasmin Davoodi Contact details: janey@wecareworldwide.org.uk, yasmin@wecareworldwide.org.uk, rebecca@wecareworldwide.org.uk Lawful basis of processing data The processing of individual s data benefits WECare and the efforts of the charity. Processing of information takes place every month. When subscribers donate to platforms to support the charity s work, each individual is asked whether or not they would like their information to be processed and are given the right to object or erase their data. The individual s relationship to WECare is usually as a supporter of the charity and thus they already have a vested interest in the organisation. We approach the supporter at this time to give the opportunity to opt in to receive further updates and communications. Individuals are not vulnerable; WECare asks all individuals to confirm the fact that they are 16 years or over. If individuals object to their data being processed, WECare will remove their data from the database and stop processing their information within 72 hours. GDPR policy, WECare Worldwide WECare 5

6 Individuals have the right to object to their data being used at any point when processing. The charity has an opt out option on s and individuals will be asked for permission to process their data once the charity has access to it. For example, if an individual donates to the charity, WECare will them and ask them if they are happy for their data to be processed. At that point, they then have the right to object to their data being processed. At any point, individuals have the right to erase or amend their data from WECare. This can be done via or via the charities Facebook pages/website contact form. Once this request has been made, the charity will complete this request within seven working days. Legitimate Interest WECare only relies on legitimate interest when trying to contact individuals for the first time. We contact only those who may be interested in partnering with the charity for key events and sponsorship. Individuals will only be contacted to a company address, no other data will be stored of these individuals. WECare Worldwide focuses on three main elements of legitimate interest: Identify a legitimate interest in animal welfare and/or the veterinary field and profession Balance it against the individual s interests, rights and freedoms. Legitimate interest can include commercial interests, individual interests or broader societal benefits. WECare uses (Gmail account) and will never contact those that have not opted in using promotional material such as e-shots. A legitimate interest assessment will be taken each time someone is contacted that has not given consent. Individuals will be ed once and given a second follow-up. If they do not reply within 21 days, individuals will not be contacted again. WECare Worldwide does not hold any special category data (except employee health records as outline in the Employee Data Protection policy) or criminal offence data and all individuals who have confirmed consent have agreed to the fact that they are over 16 years of age. If data has been obtained from third party sources and consent has not been given, the charity will store information for one month, this will then be deleted from every system the data is stored on. Automated decision-making and profiling WECare does not currently use automated decision-making tools as part of its marketing strategy. Mailchimp ( platform tool) is used manually. If the charity decides to adopt an automated system in the future, it will only be used to contact those that have given explicit consent. At any time when individuals receive these automated marketing communications, they will be given the opportunity to object the right to be contacted and erase any future processing of their data. WECare does use data to profile buyers and this is based on information available on third party channels such as Facebook, Twitter, Instagram and Google Analytics. Any profiling that is used on specific people has been included in the consent form which Is provided to the individual at the time of consent. Data Retention GDPR policy, WECare Worldwide WECare 6

7 WECare does not retain personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed. When personal data is no longer required, all reasonable steps will be taken to safely erase or otherwise dispose of it without delay. Personal Data is held by the Charity for the below purposes and time periods: PAYE and payroll purposes As evidence that the Charity has reported information accurately, WECare Worldwide is required by HM Revenue and Customs to keep records which will include personal data, for 3 years from the end of the tax year they relate to. Accounting records In order to comply with requirements from HM Revenue and Customs and the Charity Commission, accounting records, including any relevant personal data are retained by WECare Worldwide for a period of 6 years from the end of the accounting period they relate to. Transferring Personal Data to a Country Outside the EEA Due to the locations in which it operates, WECare transfers ( transfer includes making available remotely) personal data to countries outside of the EEA, however great care is taken to ensure the protection of any personal data held, and the measures taken to reduce risks are outlined above in the security of data section of this policy. WECare platforms Platform Data it holds Review period Zoho CRM Donation information 24 months Volunteer and staff information G Drive Donation information 12 months Staff photos Gmail addresses of donators 12 months and volunteers WECare website Donation information Volunteer applications 12 months GDPR policy, WECare Worldwide WECare 7