Data Protection (GDPR) - B-YS Privacy Policy

Privacy Policy

1. The Trustees of the British Yemeni Society (BYS) take your privacy seriously and are compliant with the GDPR, which comes into effect on 25 May 2018.

2. What we do with your data –

  1. The Secretary enters this on to our database so that we can contact you about events, send out newsletters and emails and send you the Society’s Journal;
  2. Most of our mailings at present are sent out using a platform called Mailchimp. We store the relevant details in our Mailchimp account. Here are links to the Mailchimp Privacy Policy and Terms of Use;
  3. The Treasurer uses your details to create the analysis for the accounting system and so that all subscriptions can be recorded and reminders sent out;
  4. The Treasurer keeps your Gift Aid Forms on file and uses the details of your name, address and postcode to complete regular Gift Aid claim forms which are sent online to HMRC where relevant donations and subscriptions have been received;
  5. Where we use the Journal’s printer to send out the Journals, we will let them have an encrypted copy of the mailing list.

3. What we do not do with your data –

  1. We do not sell it on to any third party or rent or hire it to any third party;
  2. We will not sell or share your data for marketing purposes, nor will we link it to any form of social media. We may invite you via a link to the B-YS Group on Facebook so that you can see what is happening within that group.

4. What you expect from us – your rights

  1. That we will ensure you have the right of access to your data
  2. That your personal data is correct and up to date
  3. That we will correct any errors once informed
  4. That, if requested, we will delete your data. You will remain a member of the Society, but will not receive information about events, or receive newsletters or e-mails. We will also be unable to send you the Society's Journal.

5. Within the Society your data will be kept secure and used by the Chairperson, Secretary, Treasurer and, if there is a separate person in the future for that task, the Membership Secretary, Events Secretary, Gift Aid Secretary or Fundraising Secretary. Your data will be kept under lock and key and where in electronic form the computer(s) will be protected by password, firewall and anti-virus program.

6. Right to Complain

You have the ultimate right to complain to the overall regulator for Data Protection in the UK which is the Information Commissioner's Office, using the following web address https://ico.org.uk/concerns/

7. Right to forget

GDPR gives a “right to be forgotten” so that historical records are deleted at your request. This is also known as a “right to erasure”, which can be given by you in writing to the Data Processor or given verbally. We should act on that deletion within one month of receipt of your request unless we need to keep the information for legal purposes.

8. Gift Aid and accounting records

HMRC require us to keep Gift Aid declarations and donations details relating to them for 6 years after the end of the accounting period in which that declaration or donation is received. For example, a Gift Aid donation made on 1 January 2018 could not be deleted until 1 January 2025.

9. Specifically:

  • Your Membership application form is kept by the Secretary on file;
  • Your Gift Aid form is kept on a separate file by the Treasurer;
  • Your Standing Order Mandate form is sent off to your bank as soon as received by the Treasurer.

Should any or all of the above procedures be automated in the future, access to such program and data will be through password-protected login by the Treasurer and yourself when completing the online form.

GDPR Glossary

  • Consent - freely given, specific, informed and explicit consent by statement or action signifying a person’s agreement to the processing of their personal data
  • Data Breach – the loss of data by an organisation, usually as a result of hacking or similar activities
  • Data Controller - organisations that collect and manage personal data from EU residents, e.g. a Local Group. In our case The Trustees are the Data Controller
  • Data Portability - the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller
  • Data Processor - organisations that process data on behalf of data controller including 3rd party agencies – our Data Processor is the Secretary and the Treasurer
  • Data Protection Act 1998 – the legislation that will be replaced by GDPR.
  • Data Protection Officer – the person responsible within an organisation for ensuring it is compliant with data protection laws and regulations, and for controlling that organisation’s data protection policies and procedures
  • Data Sharing – the process through which different parts of an organisation, or different organisations, share data with each other.
  • Data Subject – the person / EU citizen about whom data is collected or held
  • Encrypted Data - personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access
  • GDPR – General Data Protection Regulation. The new EU wide data protection legislation that comes into force on 25th May 2018.
  • Information Commissioner’s Office (ICO) – the UK regulator responsible for data protection
  • Lawful Processing – the means by which organisations collect and manage people’s data (see also consent and legitimate interest)
  • Legitimate Interest – where GDPR compliant consent has been given previously, and organisations have evidence of this, personal data can continue to be used without the need for refreshed consent, provided that the interests of the data subject are not harmed
  • Personal Data - any information related to a person or ‘Data Subject’, that can be used to directly or indirectly identify the person
  • Privacy Impact Assessment - a tool used to identify and reduce the privacy risks of organisations by analysing the personal data that are processed and the policies in place to protect the data
  • Privacy Shield / Safe Harbor - framework for exchanges of personal data for commercial purposes between the EU and the USA. Its main aim is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect EU citizens.
  • Processing - any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
  • Right to be Forgotten - also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, stop sharing their data, and potentially have third parties stop processing of the data
  • Subject Access Right - also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them