GDPR compliance

Updated: 20 May 2018

This policy contains important information about our legal obligations under the General Data Protection Regulation (GDPR) and Yes Edinburgh West’s internal governance processes.

From 25 May 2018, the processing of personal data by organisations must comply with the General Data Protection Regulation (GDPR). The GDPR replaces the prior European Union (EU) privacy directive, known as 95/46/EC (the Directive), which had been the basis of European data protection law since 1995. The GDPR is a binding act which must be followed throughout the EU by all organisations – regardless of where they are based – which handle the data of European Union citizens.

Even though the United Kingdom (UK) is on course to leave the EU, HM Government has made clear that it will continue to recognise and abide by EU legislation in this area.

The GDPR strengthens, harmonises, and modernises EU data protection law. It enhances individual rights and freedoms, consistent with the European Union’s understanding of privacy as a fundamental human right. The GDPR regulates how organisations such as Yes Edinburgh West obtain, store, use, and dispose of personal data.

1. Yes Edinburgh West’s commitment to transparency and good governance of personal data

The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability and transparency. This document fulfils this requirement. It details Yes Edinburgh West’s legal obligations and the internal governance practices which fulfil those obligations.

2. Our organisation

Yes Edinburgh West is a non-party political community group based in the west of Edinburgh that campaigned for a Yes vote in the 2014 Scottish Independence Referendum. Since 2014, Yes Edinburgh West has worked to explore how best to bring about Scottish independence and to prepare for a future referendum.

Yes Edinburgh West is a data controller. It collects personal data for the purpose of disseminating information about Yes Edinburgh West’s campaigning and social activities, as well as producing leaflets and other information which may be of interest to independence-supporting or independence-curious denizens of the west of Edinburgh.

As a data controller, Yes Edinburgh West has a legal obligation to safeguard all personal data provided to it. At all times we must respect any personal data that is shared with us by keeping it safe and using it only in ways which are compliant with the GDPR. Yes Edinburgh West is legally responsible for any breach.

Yes Edinburgh West is not required by law to have a “Data Protection Officer” – however, our data is administered by our secretary and our treasurer, currently Bob Glen and Gerry Mulvenna respectively. Some roles within the organisation have duties which require them to process personal data. These roles are authorised to act and process data on behalf of Yes Edinburgh West. Individuals holding those roles are elected as office-bearers on an annual basis at the Annual General Meeting.

3. Legal obligations

Yes Edinburgh West has legal obligations under which it must:

  • Ensure that individuals consent to their data being recorded, stored, and used in ways which are clearly presented to them.
  • Collect and store only the information that we need to achieve specific purposes, and hold it only for as long as it is needed to fulfil this purpose.
  • Keep personal data secure.
  • Ensure personal data is relevant and up-to-date.
  • Allow individuals to access, amend, and delete information about themselves on request.

4. Quality control & training

Yes Edinburgh West is required by law to ensure that all decision makers and key people within the organisation are aware that the law is changing to the GDPR. Yes Edinburgh West requires all individuals who handle personal data (called ‘Data Processors’) to confirm that they have read and will comply with the instructions laid out in the following documents:

  • Yes Edinburgh West Internal Governance document;
  • Privacy Notice document;
  • Briefing Paper with Guidelines document.

Yes Edinburgh West is a reflexive organisation. Office-bearers will discuss GDPR compliance and organisational effectiveness in conforming to best practice in the Annual General Meeting.

Those with access to personal data must obey their legal obligation to protect it and not use it in ways which are outside of our legal confines. Any sign of non-compliance or security breach will be raised with our office-bearers immediately, and in no case later than 72 hours.

Yes Edinburgh West does not outsource data processing.

5. Audit of data

The GDPR requires Yes Edinburgh West to map out and document (a) what personal data it holds, (b) where it came from, (c) what the data is collected for, (d) who has access to it, (e) where it is stored, (f) how long it is stored for, and (g) who it is shared with. The following sections fulfil this requirement.

(a) What data does Yes Edinburgh West hold?

To plan and coordinate our campaigning effectively we collect, store, and use the following kinds of personal data:

  1. Name;
  2. Address(es);
  3. Email address(es);
  4. Telephone number(s);
  5. Social media account information;
  6. Database of interests, skills, talents;
  7. Details of availability.

(b) Where did the personal data come from?

Personal data gathered by Yes Edinburgh West comes from the individual themselves via several routes:

  1. A registration card or sign-up sheet completed at a meeting or street stall.
  2. A registration card completed at the doorstep.
  3. Self-completed online registration form on our website (yesedinburghwest.info).
  4. Self-completed online registration form on our IndyApp page.
  5. Self-completed registration form on our Facebook page (facebook.com/Yes Edinburgh West).

(c) Why does Yes Edinburgh West need this data?

Yes Edinburgh West collects personal information to:

  1. Disseminate information about its:
    1. events, including business meetings and social events; and
    2. activist and campaigning activities relating to Scottish independence, and the welfare of our community here in the west of Edinburgh.
  2. Organise and coordinate our community of activists.
  3. Fundraise for local, national and other campaigns.
  4. Organise our administration, including:
    1. Providing individuals with information that they have requested.
    2. Handling administration and coordination of office-bearer activities.

  5. Handle administration and coordination of activists and campaigners, including:
    1. Handling payments (such as collecting donations or paying out expenses).
    2. Dealing with enquiries and complaints.
    3. Complying with any legal obligations required of us, and with court orders.

(d) Who has access to the data?

Personal data is collected by Yes Edinburgh West activists using a GDPR-compliant sign-up sheet. Direct access to the database is limited to those who are elected as office-bearers. Those who have access to the databases have undergone GDPR training. We do not share personal information with any other external organisation. Currently those who have direct access to personal data are:

  1. Co-conveners, positions currently held by Ian Grant and Anne Donohoe
  2. Secretary, a position currently held by Bob Glen
  3. Treasurer, a position currently held by Gerry Mulvenna
  4. Meet and greet officer, a position currently held by Mary Knox

(e) Where is the personal data stored?

Personal data is stored on MailChimp and Google Drive, which are GDPR-compliant and protected with robust passwords which are regularly changed.

(f) How long is the data stored for?

In general, unless still required in connection with the purpose for which it was collected and/or processed, we must remove personal information from our records six years after the date it was collected (i.e. no more than six years after Scottish independence). However, we must remove personal information before this if:

  1. The relevant individual exercises their right of erasure.
  2. Yes Edinburgh West no longer has a lawful entitlement to process it.
  3. The information is no longer required in connection with our campaigning objectives (i.e. after Scotland redeclares itself a nation state).

(g) Who does Yes Edinburgh West share information with?

Yes Edinburgh West does not share information with any other external organisation except under the circumstance of the prevention or detection of criminal activity, or to comply with court orders.

6. Sensitive personal data

The GDPR recognises that certain categories of personal information are sensitive and therefore require significantly more protection. This includes (but is not limited to) medical and health information, ethnicity, and religious and political opinions. Yes Edinburgh West is a community organisation that campaigns for Scottish independence. Therefore, it is assumed that those who give us their personal data have some interest in furthering the cause of Scottish independence. However, Yes Edinburgh West is a community with diverse religious and political views. Yes Edinburgh West does not collect, store, or use information regarding religious or political beliefs, or any other type of sensitive personal information. If in the future there were a clear reason for collecting, storing, or using sensitive personal data of this nature, we must do so only with the individuals’ explicit consent and develop more robust systems for its protection.

7. Communicating Yes Edinburgh West’s privacy policy

Yes Edinburgh West is legally required to communicate its privacy policy. This is publicly available on our website (yesedinburghwest.info/privacy).

A direct link to the Privacy Policy will be attached to all opt-in emails. To subscribe to Yes Edinburgh West, individuals will be required to confirm that they have read Yes Edinburgh West’s Privacy Policy.

Yes Edinburgh West’s Privacy Policy is subject to review by the office-bearers. The Privacy Policy and Data Protection Governance will be raised at the Annual General Meeting to confirm that the office-bearers remain satisfied that the Privacy Policy continues to be up-to-date and relevant.

Yes Edinburgh West members will be emailed if there are any major changes to its Privacy Policy.

8. Procedures for facilitating subject access requests

Where we rely on consent to collect, store and use personal data, individuals have the right to withdraw that consent at any time, and without reason. This includes the right of individuals to ask Yes Edinburgh West to stop using their personal data to contact them, or to be unsubscribed from our emailing list. The rights detailed in the GDPR, and how Yes Edinburgh West must act on them, are detailed below:

(a) Right to be informed – individuals have the right to be told how their personal information is or will be used.

  1. Yes Edinburgh West complies with this through its Privacy Policy. The Privacy Policy is published on its website and sent to all new subscribers in their ‘opt-in’ process. All subscribers must confirm that they have read the Privacy Policy to be added to Yes Edinburgh West’s databases.

(b) Right of access – Individuals have the right to access the information that Yes Edinburgh West holds about them. If an individual requests a copy of all the information that Yes Edinburgh West holds about them, the following process must be adhered to:

  1. The Data Processor handling the request must first ask for identification via a scan or photocopy, or affirmation through a known third party. This is to verify the person requesting the data is entitled to do so and to prevent data breaches.
  2. Once the Data Processor has received identification, they must send the information within 28 days, free of charge. This is done by copying and pasting the information in Microsoft Word and sending by email (or printing and sending to the individual’s address).

(c) Right of erasure – Individuals have the right to have personal information deleted from Yes Edinburgh West’s records.

  1. The Data Processor handling the request must first ask for identification via a scan or photocopy, or affirmation through a known third party. This is to verify the person requesting the data is entitled to do so and to prevent data breaches.
  2. Once the Data Processor has received identification, they must go to MailChimp and delete the individual’s data entry within 28 days of the request and free of charge.
  3. Any correspondence via email should also be deleted by searching for the individual’s email address.
  4. Once deleted, Yes Edinburgh West will no longer hold any information on this individual.

(d) Right of rectification – Individuals have the right to correct or amend personal data held about themselves.

  1. The Data Processor handling the request must first ask for identification via a scan or photocopy, or affirmation through a known third party. This is to verify the person requesting the data is entitled to do so and to prevent data breaches.
  2. Once the Data Processor has received identification or verified the identity of the requester, they must go to MailChimp and update the individual’s data entry within 28 days of the request, free of charge.

(e) Right to restrict processing – Individuals have the right to ask for processing of personal data to be restricted if there is disagreement about its accuracy or legitimate use.

  1. The Data Processor handling the request must first ask for identification via a scan or photocopy, or affirmation through a known third party. This is to verify the person requesting the data is entitled to do so and to prevent data breaches.
  2. Once the Data Processor has received identification or verified the identity of the requester, they must go to MailChimp and update the individual’s preferences within 28 days of the request and free of charge.

(f) Right of data portability – Individuals have the right to have their personal information provided to them in a machine-readable format. Yes Edinburgh West does not have any automatically processed data.

(g) Right to object – Individuals have the right to object to their data being processed at all, or in specific ways.

  1. The Data Processor handling the request must first ask for identification via a scan or photocopy, or affirmation through a known third party. This is to verify the person requesting the data is entitled to do so and to prevent data breaches.
  2. Once the Data Processor has received identification or verified the identity of the requester, they must go to MailChimp and update the individual’s preferences and obey their objections within 28 days of the request, free of charge.

(h) Right not to be subjected to automatic data profiling – Yes Edinburgh West does not engage in automatic data profiling practices.

(i) Right to complain to the Information Commissioner’s Office (ICO) – Individuals who believe there is a problem with the way that Yes Edinburgh West handles their data can complain to the ICO.

There is an exception for requiring identification. If the request is made verbally or by email by the requester to an office-bearer of Yes Edinburgh West who is personally known to them, then no identification is required. This is likely to be the most common route for identification.

For more information on individuals’ rights, see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

9. Lawful basis for processing personal data

The GDPR requires Yes Edinburgh West to have a lawful basis for processing personal data. This is documented here in this GDPR Governance Document and also in the Privacy Policy. We must also provide the lawful basis of processing personal data when answering subject access requests.

We are required to have at least one lawful basis for processing personal information. These are:

  • Personal information is processed on the basis of a person’s consent.
  • Personal information is processed on the basis of a contractual relationship.
  • Personal information is processed on the basis of legal obligations.
  • Personal information is processed on the basis of legitimate interests.

  1. Consent: Yes Edinburgh West seeks consent to use personal information to send electronic communication with content such as newsletters, campaign coordination, campaigning activities, meetings, events, and social events.
  2. Contractual relationship: Yes Edinburgh West’s interactions with its subscribers and activists are voluntary and not contractual. However, if an individual purchases something via our online shop, we will have entered into a contractual relationship.
  3. Legal obligations: Yes Edinburgh West may be obliged to process personal information due to legal obligations. We will only do so in accordance with legal requirements and/or to fulfil a court order.
  4. Legitimate interests: Applicable law allows personal information to be collected and used if it is reasonably necessary to further our legitimate interests (so long as it is fair use, balanced, and does not unduly impact on individuals’ rights). We will rely on this ground to process personal data when it is not practical to ask for consent (such as emailing or texting the individual for day-to-day activist coordination).

10. Consent

When relying on consent, Yes Edinburgh West must ensure that consent is freely given, specific, informed, and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes, or inactivity. Consent must be verifiable. It must also be separate from other terms &amp; conditions, and there must be a simple process for withdrawing consent.

In May 2018 Yes Edinburgh West emailed everyone on the list and asked them to “opt-in” to our mailing list.

The GDPR has special protection for children’s personal data. Scots law considers anyone under the age of 16 a child, who therefore cannot consent to having their data collected, stored, or used without their legal guardian’s consent.

Yes Edinburgh West does not process data of anyone under the age of 16 years old. If Yes Edinburgh West discovers, or has reason to believe, that it is storing personal data of anyone 15 years old or younger then it will delete the information.

11. Data storage systems & security policy

Yes Edinburgh West uses several GDPR-compliant systems to gather, store, and use data for the purpose of organising its campaigning activities and the dissemination of information. These are:

  • MailChimp – a system to store contact information and send bulk emails.
  • Google Docs – a system used for storing governance, organisational and campaigning documents relating to Yes Edinburgh West.

All accounts used by Yes Edinburgh West for campaigning purposes are password-protected and based on GDPR-compliant systems. Only office-bearers have access to those systems, and they have undergone GDPR training. The passwords will be changed periodically.

12. Data breaches

Yes Edinburgh West is required to have procedures in place to detect, report, and investigate a personal data breach. The GDPR introduces a duty on all organisations to report certain types of data breach to the Information Commissioner’s Office (ICO), and, in some cases, to the individuals affected by the breach.

Organisations only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals, such as if the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or other significant economic and social disadvantage. In some cases, the individuals whose data has been leaked may also have to be notified. Failure to report a breach may result in a fine, along with a fine for the breach itself.

Yes Edinburgh West perceives the risk of data breaches to be low. Yes Edinburgh West’s data storage systems are GDPR-compliant, password-protected, and accessible only to a limited number of individuals. Access to these data systems is restricted to Yes Edinburgh West’s data processors, who understand Yes Edinburgh West’s privacy policies and agree to adhere to Yes Edinburgh West’s data protection protocols.

Yes Edinburgh West is not a large organisation, nor does it store sensitive personal information. As such, Yes Edinburgh West does not perceive a significant risk of targeted hacking.

Yes Edinburgh West does not share data with external organisations, except in the circumstance of crime prevention and detection, or when ordered by a court of law.

MailChimp logs all access to its system. Data Processors will remain vigilant for any suspicious activity. If a data breach is suspected, the data processor will raise it with Yes Edinburgh West’s office-bearers immediately via email. The office-bearers will nominate a representative to change the password and contact MailChimp to seek further information. Depending on what is uncovered, the nominated representative will contact the ICO for further advice.

13. ‘Data Protection Impact Assessments’

Yes Edinburgh West is not legally required to conduct Data Protection Impact Assessments (previously called Privacy Impact Assessments).

14. Data Protection Officers

Yes Edinburgh West is not legally required to have a “Data Protection Officer” – however, our data is administered by our secretary and treasurer, currently Bob Glen and Gerry Mulvenna respectively.

15. International data transfers

Yes Edinburgh West does not transmit data outside of the European Union. Although the United Kingdom is due to leave the European Union in March 2019, it will remain part of the European Convention on Human Rights and the EU’s data protection infrastructure until at least 1 January 2021.

16. Financial transactions

Financial transactions are carried out via our bank account with RBS. If we owe individuals any money then we will request their bank details, but we do not store banking details after the transaction is complete.

Donations are carried out on our website, which is handled through ‘GoCardless Ltd’, a third-party payment service provider. Their privacy policy is available here.

17. Law enforcement

We must disclose personal information to regulatory and/or government bodies and/or law enforcement agencies with a legally-binding request and/or when required to do so to satisfy other legal obligations.

18. Policy amendments

Yes Edinburgh West will keep this Governance Document under annual review. Changes to this document must be reflected in the Privacy Policy which then must be posted on our website. If Yes Edinburgh West makes significant changes to this policy, it must notify its membership by email with the updated Privacy Policy.

19. Further information

For further information, queries, or comments, please contact info@yesedinburghwest.info