For Eastbourne unLtd Chamber of Commerce and Edeal
The UK Government recently introduced the EU’s General Data Protection Regulation (GDPR) and will be ensuring compliance from May 25th 2018.
This means that EU residents have a greater say over how, why, what, where and when their personal data is used, processed, or disposed of. GDPR clarifies how personal data laws apply, even beyond the borders of the EU. This means that any organization that works with your personal data, irrespective of their location, has an obligation to protect your data.
Eastbourne unLtd Chamber of Commerce is dedicated to meeting these obligations and is aware of the liability we have to ensure that all our suppliers meet GDPR mandates, regardless of their location.
Over the years, we have demonstrated our commitment to data privacy and protection by meeting the industry standards for ISO 2001 and 2015. We have had a Data Protection Policy since 2013 and all our staff have signed their agreement to demonstrate their commitment to your privacy.
We recognize that GDPR will help us move towards the highest standards of operations in protecting your data and we commit to being ready for the big day on May 25th 2018.
In the unfortunate event of a data breach we commit to advise you within 72 hours of our discovering the breach.
Business Partners and Suppliers
To run the Chamber of Commerce we use software provided by suppliers from across the globe. At present these include Microsoft Office 365, Xero accounting software, Zoho CRM software, Google Documents, Business On-Demand, Mobile Applications, Surveymonkey, Mailchimp, Eventbrite, Facebook, LinkedIn, Twitter, PRG, Switchplane, WordPress, Weebly, CloudConnx, Southern IT, M-Tech, AFH Payroll, Paypal, Go-Cardless, PaymentSense, Natwest, HSBC, Metro Bank and the Bank of England. We also supply your name and business address to Platinum Publications so that you can receive our business magazine, ACESussex, by post.
Historic Chamber data is kept at The Keep in Falmer, a secure facility run by East Sussex County Council. They retain all Chamber information in the public interest and have securely destroyed any other data that was held in our historic files.
All these suppliers have committed not to use your data for any other reason and will not pass it on to a third party.
We will ensure that all our suppliers commit to GDPR before May 25th and, should the needs of the business dictate that we change or add a supplier, we will ensure that any new supplier is also committed to observe GDPR.
How are we preparing for GDPR?
As you know, we are the largest town-based Chamber of Commerce in the South East and we exist to promote our members' businesses. To do this we already ask you how you would like your data presented on our website and in our directory / diary. We also ask you for permission to use your image when photographs are taken at Chamber events.
We understand our obligation to help you get ready for May 25th and have run a series of workshops to help those members who need assistance to be aware of their obligations.
We have analysed GDPR requirements with the help of advisers from within the Chamber and have put in place this GDPR Statement and Policy. We have carried out an Impact Assessment and we are deleting any data that does not need to be retained. (Financial data is retained for six years as required by HMRC.)
All data will be deleted within seven years of a member lapsing, termination of a supply agreement or a member of staff leaving the Company.
New staff will be GDPR trained on induction and training will be repeated for existing staff annually.
- Identifying personal data
We have identified the minimum personal data we should request and retain and we undertake to dispose of any unnecessary data before May 25th. Data is collected from you online via our website and App, in written format, verbally over the telephone and face to face.
Data is held in various places depending on how you interact with us. This includes data held on hard copy, on our websites managed by PRG and Switchplane, on the Chamber App, on Microsoft 365 managed by Southern IT, in Google Documents, in Mailchimp, in Surveymonkey, on our Zoho CRM system, on our Xero accounting system, on our HSBC and Natwest approved supplier listings, at the Bank of England, on PayPal, on Go-Cardless and at Platinum Business Publications.
- Providing visibility and transparency
The most important aspect of GDPR is how the collected data is used. We commit not to pass any data to a third party, other than those suppliers detailed above, without your permission. As a Chamber of Commerce we will provide details of data retained to any member, supplier, customer or member of staff on request in order to provide visibility and transparency. Requests for details of data held should be emailed to email@example.com.
- Enhancing data integrity and security
Data privacy and data security are equally important. Bank and payment details taken for payment purposes are deleted or shredded immediately after use. All data kept in hard copy is under lock and key. Cloud-based data is controlled by our suppliers as above.
As you tighten your own data security measures, we would like to extend a helping hand. Do please contact us if you would like help or advice in improving your own procedures and we will refer you to the appropriate adviser for help.
- Portability and transferability of data
GDPR gives you the right to either receive all the data provided and processed by the Chamber or transfer it to another company depending on technical feasibility. The Chamber can provide such data on request in basic Microsoft formats.
What does this mean for our members, suppliers and staff?
Before May 25th we will be contacting our members to ask them to confirm how we may use their data and whether they want to continue to receive emails about Chamber activity.
We will be encrypting emails we send which contain personal data.
We can provide access to details of data held about you. Just email your request to firstname.lastname@example.org. We will delete your data on request; just email us at this address (with the exception of financial data, which must be kept for six years). We will delete your data automatically if it has not been used for six years.
Hard copy data is held in our office which is not open to the public.
We will perform data audits annually as part of our ISO quality management process.
Your rights under GDPR
- The right to be informed of what data is held about you and how it is held.
- The right of access. Let us know what you want to know about your data by email to email@example.com and we will provide you with the information within 72 hours.
- The right to rectification. If we have incorrect personal data about you, email firstname.lastname@example.org and we commit to put it right within 72 hours.
- The right to erasure. If you would like us to remove data about you we will remove it immediately on receipt of an email from you to email@example.com. This will exclude any financial data we are required to keep by law for six years.
- The right to restrict processing. If you object to any data held about you, you have the right to restrict any further processing of that data.
- The right to portability. We will provide any personal data held electronically to any third party on receipt of a written request from you. This right is designed to allow you to change a supplier and take your data with you. For example, if an optician holds your eye test data you are entitled to get them to pass it on to another optician if you choose to move your business.
- The right to object. You can object at any time to any personal data we hold about you. Just email us the details to firstname.lastname@example.org and we will amend it or delete it within 72 hours (subject to financial regulations and legal considerations).
- The right to understand any automated decision making. Neither the Chamber nor Edeal uses automated decision making, but where "the computer says no" at a different organisation you are entitled to justification of this decision.
GDPR privacy statements from our suppliers
GDPR statements will be available from May 25th on request for:
- Mobile Applications – Chamber App management
- Business On Demand – CRM set up and training
- PRG – managing the Chamber website
- Switchplane – managing the Edeal website
- CloudConnx – Cloud services
- Southern IT – IT and telephony support
- M-Tech – IT support
What should you do to be GDPR-ready?
If you are just getting started with GDPR compliance in your business, here’s a quick to-do list to bear in mind.
- Create a data privacy team to oversee GDPR activities and raise awareness. If you are a sole trader you should consult with a solicitor, IT company and/or marketing company who have researched GDPR in detail. We can signpost you to businesses who have displayed a good understanding of GDPR.
- Review your current security and privacy processes.
- Assess any third parties to whom you disclose data (suppliers, shareholders, clients) and revise your contracts with them to meet the requirements of the GDPR.
- Identify the Personally Identifiable Information (PII)/personal data that is being collected.
- Analyse how this information is being processed, stored, retained and deleted.
- Establish procedures to respond to data subjects when they exercise their rights.
- Establish and conduct a Privacy Impact Assessment (PIA).
- Create processes for data breach notification activities.
- Continuous employee awareness is vital to ensure continual compliance with the GDPR, so create an ongoing induction and training plan.
Our GDPR Policy Document is available on request to members, clients, suppliers and staff.
Email here for a copy