GDPR Statement

Background

The General Data Protection Regulation (GDPR) is new legislation safeguarding the rights of individuals where personal data is concerned. It comes into force on 25 May 2018, at which point all companies based in, or doing business in, the EU will have to comply with it. More information about the GDPR and what duties it imposes on companies, as well as what extra rights it gives to individuals, can be found on the Information Commissioner’s Office website.

What we’re doing to protect your data

Three Rings CIC takes the safety of personal data very seriously. Among other measures, we encrypt all traffic to and from the Three Rings application at https://3r.org.uk, log all actions taken by users within the system, and follow a higher standard of encryption than the UK requires for online banking services.

The Three Rings application, and all data stored in it, as well as all offsite backups, are stored exclusively within the European Union and are used only for purposes approved by the controllers and subjects of that data.

How we help our clients comply with the GDPR

Three Rings already provides a range of tools to help our client organisations comply with the requirements of privacy legislation. On 5th May 2018 we’re releasing Milestone: Blackwater, which will expand and enhance those tools, giving our client organisations even more support to comply with data and privacy law in advance of the introduction of the GDPR on 25 May 2018.

Existing Tools in Three Rings

Per-property access control

Client organisations can fine-tune exactly what data they store about their volunteers and who has access to see and/or edit each type of information, via the Admin > Properties panel. This makes it easier for an organisation to collect, maintain, and control volunteer personal data in accordance with their existing data policy and the arrangements and agreements they have with their own volunteers. For further details, see the documentation.

Role-based segregation

If required, an organisation can configure Three Rings so that not just the visibility of properties, but of entire groups of volunteers, can be restricted from other groups, as described in the documentation. This can be used, for example, to allow “applicants” to see nobody else within an organisation, and to be hidden from all of that organisation apart from members of the “recruitment” team.

Data deletion reminders

Three Rings automatically produces reminders if an organisation has closed a volunteer’s account but has not yet chosen to delete that volunteer’s personal information. There may be legitimate reasons for an organisation to retain personal data on former volunteers, but (without the kind of reminders Three Rings provides) there is always a risk that such data is retained for longer than is reasonable. By providing reminders, Three Rings helps ensure that organisations remember to treat the personal data of former volunteers in an appropriate, legally compliant manner.

New Tools Included in Milestone: Blackwater

Milestone: Blackwater expands the existing data management tools by introducing the following additional features to make it even easier for client organisations to comply with relevant data protection legislation:

Privacy Policy tool

The new Admin > Privacy function is designed to help streamline the publication of your organisation’s data collection policy, including who to contact in the event of any queries such as subject access requests, for your volunteers to see. Although Three Rings CIC cannot offer legal advice, the Privacy Policy tool provides some basic statements to help your organisation formulate and publish your Privacy Policy to your volunteers: we strongly recommend that you adapt these in line with your organisation’s needs, and the legal advice you receive in respect of data management and privacy law.

The statements you provide here are made available to your volunteers through their My Account page, and are also shared with members of the Three Rings Support Team so they can accurately respond to any questions sent to them directly from your volunteers about the data stored and processed by your organisation.

If your organisation has never completed the Privacy Policy, you’ll get a Maintenance Task to remind you to do so. If you have completed it, but it’s been a long time since you last updated it, you’ll get a Maintenance Task to remind you to revisit it, so you can make sure that it’s still current.

Personal information report

To help organisations streamline the handling of Subject Access Requests, and other personal data/privacy queries by their volunteers, Milestone: Blackwater introduces a new Admin-only report in Stats. This concisely collates all of the machine-readable data the application holds on behalf of an organisation, relating to a specific volunteer. It is only available to volunteers whose Role grants them Admin rights.

For organisations who store all, or most, of their volunteer data on the Three Rings application, this may complete the vast majority of the work involved in that organisation’s processing of a Subject Access Request (although certain information, such as non-machine-readable information stored in Filestore Uploads, may still need manual retrieval).

Individual volunteers at an organisation will be able to view their own Personal Information Report via the My Account page.

Property privacy view

Milestone: Blackwater makes it easier for volunteers to determine who can see personal data stored on their Directory profile, with a new ‘Privacy Button’ which identifies which Properties are visible to which Roles. This is designed to support individual volunteers in making informed choices when deciding what information to share.

User-driven account deletion

To make it easier for volunteers to exercise their “right to be forgotten”, Milestone: Blackwater introduces a new feature, available via the My Account page, to enable them to delete their own account, and all personal data connected to it. To minimise the risk of disruption to organisations where they volunteer, and the possibility of accidental deletion, volunteers are required to confirm their intention and supply their password, in order to exercise this option.