What is the GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organisations across the region approach data privacy. Under the GDPR, the data protection principles set out the main responsibilities for organisations.
Article 5 of the GDPR requires that personal data shall be:
- a) processed lawfully, fairly and in a transparent manner in relation to individuals;
- b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
All staff and decision makers at Sky Badger have been made aware that the law is changing to the GDPR. They appreciate the impact this is likely to have and have identified areas that could cause compliance problems under the GDPR.
Information Sky Badger holds about you
We have identified certain groups that need high levels of security and data control. We apply this to all individuals, but not to companies, in line with the GDPR.
We do not share your information with any third parties in a way that can identify individuals. We only share information as part of our annual return and accounts to the Charity Commission as well as grant givers and supporters (statistical purposes). Information shared includes numbers of helpdesk cases and what they are about in a very general way.
Personal Data Held
- Description of case (helpdesk has specific controls – see below)
- Emails to and from Sky Badger Staff
- Duration of relationship in regards to volunteering commitments etc.
The only exception to this anonymised reporting is the annual case studies from the helpdesk and our volunteers, which are made public. Permission to share this information is requested separately; case studies are published only with the individual's explicit permission, and certain facts may be anonymised if that individual requests it.
Sky Badger has extra security levels relating to our helpdesk to make sure that all information is kept in the strictest confidence. This includes all information being managed through our Salesforce database. The helpdesk information is only accessible to approved and trained helpdesk staff and the CEO in her role in anonymising this data for annual reporting and in her role as DPO (Data Protection Officer).
Personal Data Held for Helpdesk Cases
- Description of case including any pertinent details regarding conditions and needs being advised upon.
- Emails to and from Sky Badger Staff
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles all Sky Badger users that have data stored by us to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure are outlined in Article 17 and include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. If at any time you wish us to delete your data from our records before the 12 month requirement, please contact us at firstname.lastname@example.org
Communicating privacy information
Sky Badger has reviewed our current privacy notices and has put a plan in place for making any necessary changes in time for GDPR implementation. When we collect personal data we currently have to give people certain information, such as our identity and how we intend to use their information. This includes our new need to explain our lawful basis for processing the data, our data retention periods and that individuals have a right to
Preparing for the General Data Protection Regulation (GDPR)
Sky Badger fully complies with the ICO regulations in managing data.
Sky Badger procedures cover the rights individuals have, including how to delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including
Subject access requests
Sky Badger has updated our procedures in how we will handle requests to take account of the new rules:
- We will not be charging for complying with a request.
- We will have a month to comply, rather than the current 40 days.
- We can refuse or charge for requests that are manifestly unfounded or excessive.
- If we refuse a request, we must tell you why and that you have the right to complain to the supervisory authority and to a judicial remedy. We will do this without undue delay and at the latest, within one month.
Lawful basis for processing personal data
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever we process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
GDPR definition: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
When requesting consent, Sky Badger includes the name of our organisation and the names of any third parties who will rely on the consent, why we want the data (the purposes of the processing), what we will do with the data (the processing activities), and that you can withdraw your consent at any time.
We confirm consent through…
- ticking an opt-in box on paper or electronically;
- clicking an opt-in button or link online;
- selecting from equally prominent yes/no options;
- choosing technical settings or preference dashboard settings;
- responding to an email requesting consent;
- answering yes to a clear oral consent request;
- volunteering optional information for a specific purpose – eg filling optional fields in a form (combined with just-in-time notices) or dropping a business card into a box.
There is a specific provision in Article 8 on children’s consent for ‘information society services’ (services requested and delivered over the internet).
Volunteering: If any children under the age of 16 volunteer for Sky Badger we require parental consent in advance of the programme beginning.
Helpdesk: We do not deliver counselling or support directly to children. All advice is delivered to parents and carers.
Sky Badger has the right procedures in place to detect, report and investigate a personal data breach. We are already required to notify the ICO (and possibly some other bodies) if Sky Badger suffers a personal data breach.
Data Protection by Design and Data Protection Impact Assessments
Sky Badger has adopted a privacy by design approach and, as part of this, carries out Privacy Impact Assessments (PIAs), referred to under the GDPR as ‘Data Protection Impact Assessments’.
Data Protection Officers
The Chief Executive, Ms Naomi Marek is Sky Badger’s Data Protection Officer. She will be required to report to the Trustees in regards to data protection. Training will be provided when necessary and expert guidance to fulfil this role will be gathered from Sky Badger’s IT expertise.
Website access controls, hacking prevention, firewalls and threats
- The website uses https:// so that website traffic is passed over a secure connection.
- There is a plugin installed called Wordfence that enhances the security of the site: it can enforce strong passwords for user accounts (and how often they must be changed), monitor failed login attempts to prevent password-guessing attacks, and block traffic from known malicious IP addresses.
- The website server is a Virtual Private Server run by Ecohosting. It has a firewall, and access is restricted by password and IP address. If you need any information about this, let me know and I can find out.
- The 'contact us' and 'volunteering' forms use the "Web-to-Lead" plugin and pass the data straight into Salesforce without storing any of it on the website.
- The other contact forms on the website use the WordPress plugin 'Contact Form 7'. The default setting for this plugin is that it emails the contact data to a chosen email address and doesn't store any data on the website.
- Salesforce complies with a variety of data protection laws and regulations. Their services have earned numerous security-related certifications based on the administrative, technical, and physical safeguards they use to protect their customers’ personal data. For some of their services, these certifications include the International Organization for Standardization (ISO) 27001 and 27018 standards, the American Institute of CPAs’ (AICPA) System and Organization Controls (SOC) reports, the Payment Card Industry Data Security Standard (PCI DSS), the TÜV Rheinland Certified Cloud Service, and the UK Cyber Essentials Scheme. Their services also have earned the TRUSTe Certified seal, signifying that the privacy certification organization TRUSTe.
- Salesforce publishes Trust and Compliance documentation for each of their major services. This documentation describes the architecture of each service, the security- and privacy-related audits and certifications the service has received, and the applicable administrative, technical, and physical controls. The documentation also describes the infrastructure environment and entities material to their provision of services.