Data Protection and GDPR
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. The aim of GDPR is to ensure that personal data is kept secure, is used for the correct purposes and is processed properly (‘personal data’ means any information relating to an identifiable person who can be directly or indirectly identified).
There are some changes from previous regulations but Wheatsheaf Trust remains committed to keeping personal data secure, only using it for legitimate purposes and communicating clearly with people about how we store and use information.
For the purposes of personal data Wheatsheaf Trust is both a data processor and a data controller: data processor on some of our projects where we act on behalf of other organisations (e.g. DWP) and data controller on projects where we are the lead organisation.
We have 3 lawful bases for processing personal data:
- we are processing with the person's consent - Article 6(1)(a)
- we are complying with a legal obligation - Article 6(1)(c)
- we are undertaking a public task - Article 6(1)(e)
We will inform you which one applies to you when we first process your personal data.
Wheatsheaf Trust processes data for clients, volunteers, employees and trustees - these are all data subjects and all have rights under GDPR:
- Right to be informed - we will inform you about why we collect your data, how long we will keep it and who it will be shared with;
- Right of access - you can ask to see the data we hold about you and we will respond within 1 month;
- Right to rectification - you can ask us to amend any data we hold about you if it is inaccurate and we will respond within 1 month (please inform us as soon as you can if any of your data changes, e.g. you change address, so that we can update our records);
- Right to erasure - you can ask us to "forget" you and delete your data from our records (we will respond within 1 month) but we may not be able to do this if we have processed the data under a legal obligation or because we are undertaking a public task;
- Right to portability - if we have your data stored electronically you can ask us for that data in an electronic format so that you can use it (we will respond within 1 month) unless we have processed the data because we are undertaking a public task;
- Right to restrict processing - you can ask us to stop processing your data for a period if there are concerns over its accuracy (we will respond to a request within 1 month);
- Right to object - under certain circumstances you can object to us processing your data (we will respond within 1 month).
Some data is treated as special category data under GDPR. This is classed as sensitive data and is treated differently. Our bases for processing this data are:
- where you have consented;
- where we are exercising rights in employment and social security law.
If you have any questions about this or other aspects of Wheatsheaf's data security please contact us at email@example.com