The Alliance of Chambers in East Sussex (ACES)
GDPR Statement
Introduction
The UK Government adopted the EU’s General Data Protection Regulation (GDPR), with compliance required from May 25th 2018.
This means that EU residents have a greater say over how, why, what, where and when their personal data is used, processed, or disposed of. GDPR clarifies how personal data laws apply, even beyond the borders of the EU. This means that any organization that works with your personal data, irrespective of their location, has an obligation to protect your data.
ACES is dedicated to meeting these obligations and is aware of our liability to ensure that all our suppliers meet GDPR mandates, regardless of their location.
Our Commitment
Over the years, we have demonstrated our commitment to data privacy and protection by meeting the industry standards for ISO 2001:2015. We have had a Data Protection Policy since 2013 and all our staff have signed their agreement to demonstrate their commitment to your privacy.
We recognise that GDPR helps us maintain the highest standards of protection for your data.
In the unfortunate event of a data breach, we commit to advising you within 72 hours of discovering the breach.
Business Partners and Suppliers
To run ACES we use software and services provided by suppliers from across the globe. At present these include Microsoft Office 365, Xero accounting software, Google, Mobile Applications, SurveyMonkey, Mailchimp, Online Ticket Seller, WordPress, CloudConnx, Southern IT, AFH Payroll, Paypal, Go-Cardless, PaymentSense, Natwest and Metro Bank.
We ensure that all our suppliers commit to GDPR and, should the needs of the business dictate that we change or add a supplier, we will ensure that any new supplier is also committed to observing GDPR. All these suppliers have committed not to use your data for any other purpose and not to pass it on to a third party.
Our contract with each supplier also requires the supplier to disclose any data breach to us within 48 hours, so that we can advise you within 72 hours of the breach.
Our data is backed up three times a day to two separate locations.
How we manage GDPR
As you know, ACES exists to promote our members’ businesses. Photographs are taken at events and used to promote ACES members. If you would prefer your image not to be used, please let us know when any photographs are taken.
We understand our obligation to help you manage GDPR and have run a series of workshops to help members who need assistance to be aware of their obligations. If you would like us to run another GDPR seminar, please let us know.
We analysed our GDPR requirements and have put in place this GDPR Privacy Policy Statement. We have carried out an Impact Assessment and we deleted any data that does not need to be retained. (Financial data is retained for seven years as required by HMRC.)
- Identifying personal data
We have identified the minimum personal data we should request and retain, and we dispose of any unnecessary data. Data is collected from you online via our website and App, in written format, over the telephone and face to face.
- Providing visibility and transparency
The most important aspect of GDPR is how the collected data is used. We commit not to pass any data to a third party without your permission, other than to those suppliers detailed above. As an organisation we will provide details of data retained to any member, supplier, customer or member of staff on request in order to provide visibility and transparency. We do not retain details of individual Chamber members as these are retained at each ACES Chamber / the FSB. If we have personal details supplied to attend a networking event, we will destroy this data within two years. Requests for details of data held should be emailed to info@edeal.org.uk.
- Enhancing data integrity and security
Data privacy and data security are equally important. Bank and payment details taken for payment purposes are shredded immediately after use. All data kept in hard copy is under lock and key. Cloud based data is controlled by our suppliers as above.
As you tighten your own data security measures, we would like to extend a helping hand. Do please contact us if you would like help or advice in improving your procedures and we will refer you to the appropriate adviser for help.
- Portability and transferability of data
GDPR gives you the right to either receive all the data provided and processed by ACES or transfer it to another company, depending on technical feasibility. ACES can provide such data on request in basic Microsoft formats.
What does this mean for our members, suppliers and staff?
Our Outlook emails are automatically encrypted by Microsoft 365 when sent to or received from any other Microsoft 365 user. If you would like to make sure your own emails are encrypted, please contact your Microsoft 365 provider.
We can provide access to details of the data held about you. Just email your request to info@edeal.org.uk and we will respond within 72 hours. We will also delete your data on request; just email us at the same address. (Financial data is the exception, as it must be kept for seven years.) We will delete your data if it has not been used for two years (other than financial data).
Hard copy data is held in our office which is not open to the public. Personal details are kept locked away.
We will perform data audits annually as part of our ISO quality management review.
We will continue to introduce members to each other as part of our legitimate business.
GDPR and the East Sussex Business Awards
- Information held by Edeal Enterprise Agency on behalf of ACES is stored online on our dedicated awards website database.
- Your nomination form and data is accessible only to the judges and Buzzing Bee Media.
- By entering these awards, under GDPR you are deemed to have legitimate interest in the East Sussex Business Awards and may be contacted for marketing purposes about the event. Your information will not be passed on to any third parties other than to promote your business in the press and social media.
- By entering these awards you agree for photographs/video to be published.
- By entering these awards you agree to accept the event terms and conditions.
GDPR privacy statements from our suppliers
Microsoft GDPR Statement
https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
Xero Privacy Statement
https://www.xero.com/ie/about/terms/privacy/
Google GDPR Statement
https://privacy.google.com/businesses/compliance/#?modal_active=none
SurveyMonkey GDPR Statement
https://www.surveymonkey.com/curiosity/surveymonkey-committed-to-gdpr-compliance/
Mailchimp GDPR Statement
https://kb.mailchimp.com/accounts/management/about-the-general-data-protection-regulation
Natwest Privacy Statement
https://www.natwestmarkets.com/content/dam/natwestmarkets_com/pdf/natwest-markets-privacy-notice.pdf
Metro Bank Privacy Statement
https://www.metrobankonline.co.uk/about-us/privacy-and-security/
Online Ticket Seller
https://onlineticketseller.com/policies/
Paypal Privacy Policy
https://www.paypal.com/en/webapps/mpp/ua/privacy-full
Paymentsense Privacy Statement
https://www.paymentsense.co.uk/legal/privacy/
WordPress GDPR Statement
https://en.support.wordpress.com/automattic-gdpr/
Eventbrite GDPR Statement
https://www.eventbrite.com/support/articles/en_US/Troubleshooting/eventbrite-eu-data-protection?lg=en_US
GDPR statements are available on request for:
CloudConnx – Cloud services
Southern IT – IT and telephony support
AFH Payroll
How should you check your GDPR compliance?
- Create a data privacy team to oversee GDPR activities and raise awareness. If you are a sole trader you should consult with a solicitor, IT company and/or marketing company who have researched GDPR in detail. We can signpost you to businesses who have displayed a good understanding of GDPR.
- Review your current security and privacy processes
- Revise your contracts with third parties, suppliers and customers to meet the requirements of the GDPR
- Assess any third parties with whom you disclose data
- Identify the Personally Identifiable Information (PII)/Personal data that is being collected
- Analyse how this information is being processed, stored, retained and deleted
- Establish procedures to respond to data subjects when they exercise their rights
- Establish & conduct a Privacy Impact Assessment (PIA)
- Create processes for data breach notification activities
- Maintain continuous employee awareness, which is vital to ensure continual compliance with the GDPR