OPUS ANGLICANUM - GDPR STATEMENT OF COMPLIANCE

We have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how we comply. If you have given us your email address (by emailing us, purchasing something from this website, buying a ticket for a performance or subscribing to the newsletter, for example) you should read this to reassure yourself that we are looking after your data extremely responsibly.

If any of you understand this even better than us and believe there’s something else we should be doing, do let us know. We value the security of your information extremely highly and will never intentionally breach the rules. However, the rules are designed for organisations and we are a small group of freelance performers.

To create this document, we used the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now.” Here are our 12 answers:

Awareness

We are a small performing group, who collaborate, so there is no one else in an organisation to make aware.

The information we hold:

  • Email addresses of people who have emailed us and to whom we have replied – automatically saved in Gmail.

  • Email addresses, names and self-identified descriptors of people who have signed up to our mailing list via the opt-in link on this website – held in Mailchimp.

  • Email addresses, postal addresses (for physical items) and names of people who have obtained something from this website. Orders are saved by default in the background of the website, which is securely password-protected.

  • Email addresses and self-identified names of people who have purchased tickets to our events via Eventbrite.

We do not share this information with anyone. Ever.

If someone randomly asks for another person’s email address, unless both are known closely to us, we always check with the other person first.

Communicating privacy information

We are taking the following steps:

  1. We have put this document on this website.

  2. We have added a link to the newsletter sign-up boxes.

Individuals’ rights

On request, we will delete data.

If someone asked to see their data, we would take a screenshot of their entry/entries.

If they unsubscribe themselves from the Mailchimp list, their data is automatically deleted.

Subject access requests

We aim to respond to all requests within 24 hours.

Lawful basis for processing data

  • If people have emailed us, they have given us their email address. We do not actively add it to a list but Gmail will save it. We will not add it to any database or spreadsheet unless someone asks us to or gives explicit and detailed permission.

  • If people have opted into the newsletter Mailchimp list, they have actively opted in, in the knowledge that their details will be held for the sole purpose of receiving updates about our activities and products until such time as they choose to unsubscribe.

  • If people have won or obtained something from this website, we do not use their data for anything other than contacting them to arrange delivery, request permission to display their entry (e.g. a drawing or photo) or about a problem with the order. We will delete any email and postal addresses after one year.

Consent

We regard this information as consent for a year, or until the person asks us to remove the data. We have never harvested email addresses, nor would we. Anyone on our lists has contacted us in the first instance.

Consent is not indefinite, so we will make sure that we remind subscribers that they can unsubscribe or ask for their data to be removed.

 

Children

Young people would seldom if ever email us but we wouldn’t know their age unless they told us – and we would only have their word for that. We would not deliberately keep their email address (but Gmail would save it in our account). Since we are not “processing” their data, we are not required to ask for parental consent. We would reply to the email and not contact them again.

 

Data breaches

We have done everything we can to prevent this, by strongly password-protecting our computers, Mailchimp, Eventbrite and Google accounts. If any of those organisations were compromised we would take steps to follow their advice immediately.

 

Data Protection by Design and Data Protection Impact Assessments

We have familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that we are using best practice.

 

Data Protection Officers

We have appointed our trustee Jenny Slater as the Data Protection Officer.

 

International

Our lead data protection supervisory authority is the UK’s ICO.