OUR EU GDPR STATEMENT OF COMPLIANCE
We have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how we comply. If you have given us your email address (for example, by emailing us, or by subscribing to our website or newsletter via our website or during events), please read this to be reassured that we’re looking after your data responsibly.
We value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for large corporations, and we, as a small literacy not-for-profit organisation, do our best to comply.
We are a not-for-profit organisation working with schools and libraries to promote stories and literacy among young people. We’ve briefed our members about this regulation and these requirements.
The information we hold:
• Email addresses of people who have emailed us and to whom we have replied – automatically saved in Gmail, 1and1.co.uk (our mail and web service provider) and iCloud and mailchimp.com (a newsletter service).
• Email addresses and names of people who have signed up to our mailing list via the opt-in link on our website are held by mailchimp.com.
• Email addresses, postal addresses and names of people who we have worked with over the years, for running our bi-annual festivals and regular literary quizzes. These are held as lists in our email servers as above.
• Our YouTube account may contain viewer comments, but we hold no data about them. These are managed and processed by YouTube as per their own policies of usage.
• We have access to the followers of our Twitter account. While we are the data controllers of this account, we do not process this data. Anyone who does not wish to follow can unfollow at any time as per Twitter’s regular procedures.
• Our WordPress website www.cwisl.org.uk holds a database of followers. This is held and run with the Jetpack plugin (by Automattic), who we believe are fully compliant. We’re not the data processor. Automattic have a privacy statement here.
As an organisation, we do not share this information with anyone.
Communicating privacy information
• We will also communicate this to existing subscribers to our mailing list and remind them that they can unsubscribe at any time. The unsubscribe message is included in every mailing. When they unsubscribe, their data is automatically deleted.
• We will post this message on our YouTube account as well. If anyone unsubscribes from our channel, their data is automatically deleted.
• We will post this message on our Twitter account too. If anyone chooses to unfollow our Twitter account, their data is automatically deleted.
• On request, we will delete data.
• If someone asked to see their data, we would take a screenshot of their entry/entries and send it to them.
Subject access requests
We’re a volunteer-led and volunteer-managed organisation. We will aim to respond to all requests within a reasonable timeframe – not more than 7 days and usually much sooner.
Lawful basis for processing data
If people have emailed us or contacted us via the website, they have given us their email address. If anyone has subscribed to our mailing list or YouTube channel or followed us on Twitter they have actively opted in, in the knowledge that we will contact them occasionally.
We do not actively add it to a list except for the various databases listed above and will not do so without valid permission.
Once we have communicated our privacy terms of holding their data, we regard this consent as confirmed for a year, or until the person asks us to remove the data. We will remind our subscribers to review their subscription regularly.
We’re not normally contacted by children and do not correspond with them through our various social media presences. However, we do not know the ages of our subscribers on Twitter, YouTube or mailing lists and can only act on known information. Any request for parental consent will be handled by the data processor in each case – be it Twitter, YouTube, MailChimp or the various mail and web servers we use.
We protect the data we hold by strong passwords across the digital platforms we use. If any of those platforms were compromised we would take steps to follow their advice immediately.
Data Protection by Design and Data Protection Impact Assessments
We have familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that we are using best practice.
Data Protection Officers
We’re not a major organisation so we do not need to appoint a Data Protection Officer.
Our lead data protection supervisory authority is the UK’s ICO as of 25th May 2018.