Privacy Policy

Global Action UK

  

Data Processing Documentation

 Organisation Name: Global Action UK

Address: 25 Tate Road, Sutton, Surrey, SM1 2SY

Tel: 03330 147367

Email: globalactionuk@globalaction.com

 

Purposes of Processing Personal Data:

Global Action UK (in association with a wider network of international ministries connected to Global Action in the United States of America) provides a variety of services related to training pastors and church leaders.  Our mission is to transform communities through gospel impact by training, discipling, equipping and supporting the outreach and ministry of the local church and leaders.  For Global Action UK, this includes:

  1. Fundraising

  2. Donor/supporter care

  3. Promotions

  4. Recruitment of trainers

  5. Coordination/sending of mission teams.   

 

In order to carry out these services data is processed for the following reasons:

  1. Donor/Supporter Management

  2. Marketing

  3. Accounting

  4. Service Delivery

 

Categories of Individuals:

Data is processed on the following categories of individuals:

  1. Potential Donors, Supporters and Venders

  2. Existing Donors, Supporters and Venders

  3. Trainers

  4. Mission/Vision team members

 

Categories of Personal Data:

  1. Contact details

  2. Donor/Supporter engagement data

  3. Donor/Supporter IP Addresses (through our data processor)

  4. Website usage information and other technical information regarding your interaction with our services when you visit our website

  5. Pictures

  6. Videos

  7. Bank details and credit card information that you may provide

  8. Trainer education and experience

  9. Pastoral references

  10. Passport details

  11. Email addresses

  12. Text messages

  13. Hard copy correspondence

  14. Information submitted to us through social media

  15. Testimonials

  16. Cookies sent by a website and stored on your hard drive or temporarily in your computer’s memory

 

Categories of Recipients of Personal Data:

  1. Suppliers such as advertisers, with your permission.

  2. Relevant GDPR compliant organisations with whom we work to supply the service that you have requested.

  3. If required by the law, we will disclose your personal information without notice unless such disclosure is prohibited by law.  We may disclose and use personal information in special circumstances where it is necessary to comply with our legal obligations and to enforce our contracts or our terms of use.

 

Name of Third Countries or International Organisations to which data is transferred:

Your personal information may be subject to access requests from governments, courts, or law enforcement agencies in the United Kingdom or those other countries according to laws of the United Kingdom. By using the service or providing us with any information, you consent to this transfer, processing and storage of your information in the United Kingdom or those other countries.

 

Data Retention Periods:

  1. Consent will be sought at the first possible opportunity for personal data kept on file for marketing and customer relationship purposes.  Consent will be re-sought each year or every other year (depending on frequency of communications) and data will be maintained on the system as long as people continue to provide consent.  If people withdraw consent their personal data will be deleted.

  2. Data connected with our Mission/Vision trips will be kept on file only as long as necessary to carry out the service.  Once the service delivery has been completed this data will be deleted. 

 

Data Security Measures:

See data security policy (below)

 

Reviewing Data Processing

We conduct annual reviews to document the type of data that we are collecting and update our documentation accordingly.

 

Data Mapping

Where data is stored and who it is shared with

 

Filing Cabinet (locked office)

  1. Invoices to customers

  2. Receipts from providers

  3. Mission/Vision trip application forms

  4. Sign up forms

  5. Bank correspondence

  6. Donation forms

  7. Board meeting minutes

  8. Donor/supporter meeting notes

  9. Payroll documents

 

Microsoft Online Server – “OneDrive” GDPR compliant

  1. Bank statements

  2. Donor/supporter email addresses, emails and attachments

  3. Vender email addresses, emails and attachments

  4. Potential donor/supporter contact details

  5. Mission team contact details

  6. Mission/vision team pictures

  7. Mission/vision team videos

 

“eTapestry” (Customer Relationship Management System) GDPR compliant

  1. Donor contact details

  2. Supporter contact details

  3. Donation history

  4. Contact journal

  5. Records of Consent for Marketing

 

“Google Calendar” GDPR compliant

  1. Donor/supporter, Vendor and Associate addresses (ahead of a meeting)

  2. Phone numbers for same, ahead of meetings

  3. Some brief notes ahead of meeting (nothing sensitive)

 

“MailChimp” (Email handler) GDPR compliant

  1. Contact details

  2. Records of Consent for Marketing

 

“Squarespace” (Website host) GDPR compliant

  1. Student names

  2. Student pictures

  3. Student videos

  4. Mission/vision team pictures

  5. Mission/vision team videos

 

Legal Basis for Processing Personal Data

Global Action UK will process personal data lawfully, fairly and in a transparent manner in relation to individuals.

Data is collected under four main categories.  These are subject to different legal bases for data processing.

 Prospecting New Donors/Supporters

  1. Legal Basis for Data Processing: Legitimate interest (until consent has been gained).

  2. This information will be gained by identifying potential donors, supporters, venders or associates through websites, cold calling and referrals.

  3. Once contact has been made with prospects, consent for marketing will be sought at first available opportunity and recorded (along with a record of the date and how consent was given) in our Customer Relationship Management (CRM) system.  This will allow us to move prospects into the next stage of information processing: Marketing.

  4. Consent will be gained through the provision of a clear privacy notice (see appendix 2) and an “opt-in” on behalf of the prospect.  

  5. Where consent has not been gained personal data will be deleted.  However, the data subject’s name will remain on record to ensure they are not contacted again.

 

Marketing

  1. Legal Basis for Data Processing: Consent

  2. Once prospects (see above) have provided their consent, their contact details will be stored in our CRM and a variety of other systems (see data security, below) for ongoing relationship management and marketing.

  3. Consent will be re-sought during each verbal conversation with prospects.  

  4. Marketing emails will provide clear opportunities for people to withdraw consent.

 

Donor/Supporter Service Delivery

  1. Legal Basis for Data Processing: Contract and Explicit Consent

  2. When prospects want to enter into a contract for service delivery, Global Action UK will keep their details on file in order to fulfil the contracted services.

 

Transparency

  1. See Privacy Notice.

Purpose of Processing Personal Data

Global Action UK will ensure personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

 

Prospecting New Donors/Supporters

  1. Personal data processed will not be used in any other ways than those necessary to initiate contact with prospects and seek consent to develop them into potential donors.

 

Marketing

  1. Personal data processed will not be used in any other ways than those outlined in the privacy notices displayed when consent was gained.

  2. This will involve maintaining an updated address book, managing relationships with potential and existing donors/supporter and developing new donors/supporters. 

 

Donor/Supporter Service Delivery

  1. Personal Data processed while delivering services will only be used in order to carry out the services agreed with the donor/supporter.

  2. The exception to this will be if there are legal concerns about the donor/supporter, in which cases personal data will be used to inform the appropriate authorities.

 

Relevance

Global Action UK will only collect personal data which is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

 

Prospecting New Donors/Supporters

  1. Only information deemed to meet the above criteria will be collected in order to carry out the requirements necessary for donor/supporter prospecting.  This may include:

  2. Names, Phone numbers, Email address, Website info, Linked In info, Facebook contact details

  

Marketing

  1. Once consent for marketing has been gained, and in order to keep potential and existing donors/supporters informed about our work, additional information may then be taken.  This may include:

  2. Home and/or Work address, personal preferences and interests (to aid in client relationship management), and IP addresses (where people subscribe to HTML newsletters).

 

Donor/Supporter Service Delivery

  1. It is likely that a wide range of personal data will be necessarily processed in order to carry out services for the donor/supporter.  However, data processing will be restricted to only that deemed relevant for service delivery.

 

Third Party Service Delivery

  1. It is likely that a wide range of personal data will be necessarily processed in order to carry out services for the third-party client.  However, data processing will be restricted to only that deemed relevant for service delivery.

 

Accuracy of Personal Data

Global Action UK will ensure that personal data is accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

  1.  If Global Action UK is made aware of data inaccuracies these will be rectified immediately.

  2. Data storage points will be checked at the same time to ensure that changes are carried across all relevant documents

Data Retention Periods

Global Acton UK will ensure that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

 

Prospecting New Donors/Supporters

  1. Information will only be kept on record as long as is necessary to make contact with potential donors/supporters and request consent for future marketing.

  2. Three attempts at contact with the prospect will be made.  If these are unsuccessful, or if consent is denied, then their personal data on all platforms will be deleted.  However, the data subject’s name will remain on record on our CRM to ensure they are not contacted again.

  

Marketing

  1. Information will be kept on record as long as long as the data subject provides consent.

  2. Consent will be re-sought each year or every other year (depending on frequency of communications) and data will be maintained on the system as long as people continue to provide consent. 

  3. If a data subject withdraws consent at any point, their personal data will be deleted on all platforms.  However, the data subject’s name will remain on record on our CRM to ensure they are not contacted again.

  4. Email and written marketing communications will include clear messages outlining how recipients can revoke consent.

 

Donor/Supporter Service Delivery

  1. Information processed during service delivery will be retained only as long as is necessary for service delivery.

  2. Records of financial transactions [ew9] [CW10] and gift aid forms will be kept on record for six years, then destroyed.

  3. Explicit consent forms will remain on record indefinitely.

  4. Donor/supporter contact details will be retained on record for marketing purposes.  If donor/supporters withdraw their consent at any point, their contact details will be deleted.  However, their name will remain on record to ensure they are not contacted again.

 

Third Party Service Delivery

  1. Information processed during service delivery will be retained only as long as is necessary for service delivery.

 

Data Security Policy

Global Action UK will ensure personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

 

Data Storage

Non-Sensitive Personal Data

  1. Contact details and non-sensitive personal data will be stored securely in the following places:

    • Our Customer Relationship Management system “eTapestry” (contact details and engagement tracking information), 

    • Microsoft Outlook (email addresses and non-sensitive email records), 

    • Google Calendar (addresses and phone numbers ahead of attending meetings), 

    • MailChimp (for marketing emails).

  2. These systems are all password protected and GDPR compliant.

  3. Global Action UK will ensure that all systems are logged out of when not in use and that passwords are appropriately strong 

  4. Global Action UK will ensure that the computers with access to these systems are themselves password protected, running the latest virus software and have the latest software updates installed.

 

Data Transmission

  1. Where sensitive personal data is sent by email attachments will be password protected and encrypted.

  2. Passwords will be sent via a separate email.

  3. Emails will then be deleted from the sent box.

  4. If attachments are too large to send via email an alternative system will be found which guarantees an appropriate level of security.

  5. Where sensitive personal data is received by email, information will be saved in a secure location and the email will be deleted.

 

Use of Data Processors

  1. When selecting new data processors (e.g. suppliers), only those who are GDPR compliant will be selected.

 

Data Breaches

  1. If Global Action UK becomes aware of a data breach it will inform the Information Commissioners Office (ICO) within a 72-hour period.

  2. Data subjects will be informed immediately if the breach is likely to result in a high risk of adversely affecting their rights and freedoms.

 

Evidence of Compliance

Global Action UK shall be responsible for, and be able to demonstrate, compliance with the principles

 

  1. Global Action UK commits to compliance with the principles of GDPR and will demonstrate compliance to the ICO in the following ways:

  • By showing evidence of our data mapping process (see chart)

  • By showing records of consent gained, how this was gained and when it was gained

  • By keeping copies of our privacy notices which were used to gain consent

 

Your Rights as a Data Subject

  1. You have the right to access the information we hold on you, including how we gained this information on you.  Following a subject access request, we will provide this information within a period of one calendar month, and without cost.

    • When receiving data subject requests, we will carry out due diligence to check that you are the data subject.

  2. You have the right to any inaccuracies in the data we hold on you being rectified within a period of one calendar month.

  3. You have the right to your data being erased (unless this is necessary to keep on file in order to fulfil a contract or due to a legal right on behalf of the data controller).  Again, this will be carried out within a period of one calendar month.

  4. You have the right to restrict processing.  I.e. data can be maintained on a system, but cannot be used to contact you.

  5. You have the right to data portability.  I.e. data subjects can request for a copy of the data we hold on you in a structured, commonly used and machine readable form, e.g. CSV file or similar.  Again, this will be carried out within a period of one calendar month.

    • When receiving requests for data portability, we will carry out due diligence to check that you are the data subject.

  6. You have the right to object to data processing at any point.  This will be responded to at the point at which we receive the objection.

  7. You have rights relating to automated decision making, including profiling.  When automated decision making and profiling is carried out, data subjects will be informed about these processes and explicit consent will be gained.

 

Privacy by Design

Deciding whether to conduct a Data Protection Impact Assessment (DPIA)

  1. All new projects will take principles of GDPR into consideration in order to ensure compliance.

  2. Staff and volunteers initiating new projects will be aware of the conditions when they are required to carry out a Data Protection Impact Assessment (DPIA).  As required by the ICO, a DPIA will be carried out on new projects if we plan to:

    • use systematic and extensive profiling with significant effects;

    • process special category or criminal offence data on a large scale; or

    • systematically monitor publicly accessible places on a large scale.

    • use new technologies;

    • use profiling or special category data to decide on access to services;

    • profile individuals on a large scale;

    • process biometric data;

    • process genetic data;

    • match data or combine datasets from different sources;

    • collect personal data from a source other than the individual without providing them with a privacy notice ('invisible processing');

    • track individuals' location or behaviour;

    • profile children or target services at them; or

    • process data that might endanger the individual's physical health or safety in the event of a security breach.

  3. Staff and volunteers will also think carefully about doing a DPIA for any other processing which is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals

  4. If we decide not to carry out a DPIA we will document our reasons

 

Carrying out a Data Protection Impact Assessment

The following procedure will be followed when carrying out a DPIA:

  1. We describe the nature, scope, context and purposes of the processing.

  2. We ask our data processors to help us understand and document their processing activities and identify any associated risks.

  3. We consider how best to consult individuals (or their representatives) and other relevant stakeholders.

  4. We ask for the advice of our data protection officer.

  5. We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance.

  6. We do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests. 

  7. We identify measures we can put in place to eliminate or reduce high risks.

  8. We record the outcome of the DPIA, including any difference of opinion with our DPO or individuals consulted.

  9. We implement the measures identified, and integrate them into our project plan.

  10. We consult the ICO before processing if we cannot mitigate high risks.

  11. We keep our DPIAs under review and revisit them if necessary.