New data protection law: your questions answered
The General Data Protection Regulation (GDPR) is the new data law that comes into force on 25th May 2018. It affects how every organisation, including Cardiac Risk in the Young, can communicate with you.
We have prepared a Q&A section, which we hope answers your questions. If you have a query that we have not answered, please contact us and we will respond and add it to the information below.
What is the GDPR? How does it affect us?
The General Data Protection Regulation (GDPR) is a new law coming into effect on the 25th May 2018 that changes the way personal data is collected, kept and used. It will replace the current Data Protection Act.
All organisations (known as data controllers), including charities such as CRY, have to demonstrate how they meet these regulations. An organisation must now specifically receive an ‘opt-in’ from an individual (known as a data subject) to make sure that the individual wants to hear from that organisation.
The main change that will come into effect is that CRY now needs to ask you if you still want to hear from us; and, if so, how you want to hear from us. So, CRY is asking all new and existing supporters if they wish to start/continue receiving emails and/or post from us. You also have the option of opting-out of all communications from us.
If CRY does not hear from you to confirm that you still wish to receive information, CRY can no longer stay in touch with you.
What does the new regulation include?
The new regulation has seven main points telling CRY how it can collect, keep and use your personal data. CRY is responsible for the personal data it holds about you. Your personal data must be:
- Processed lawfully, fairly and in a transparent manner,
- Collected for specified, explicit and legitimate purposes and processed accordingly,
- Adequate, relevant and limited to the purpose it was collected for,
- Accurate and kept up-to-date,
- Corrected or removed without delay if incorrect,
- Not kept for longer than required for the intended purposes,
- Processed so that it is kept securely.
The regulation also allows you to check on the data held by CRY and for you to tell CRY to stop using your data.
What do you mean by ‘personal data’?
Under the GDPR personal data is about a living identifiable person and the data can be used to distinguish between people. It applies to personal data in the public domain and ‘sensitive’ data (such as genetic, health, ethnicity, etc.). It applies to data held in electronic and manual filing systems. It does not apply to anonymised data – that is, data where it is not possible to determine to whom it applies.
The GDPR does not apply to deceased people, who are covered by different rules. However, CRY has taken the view that the personal data of deceased people should be protected and treated in the same way as that of living people.
What were the rules previously?
Under the earlier rules, when you gave CRY your address or other contact details we were allowed to send you our Update magazine, together with other information which we thought may be of interest. The new regulation makes it a requirement for CRY to check that you still want to receive information from us. Thus, CRY has to ask if you want to receive anything from us by post or email, even if you have been receiving information from us for a long time. You have to opt-in to tell us how you would like to keep receiving information.
Can I choose how I receive information from CRY?
You can choose to receive post or emails, or both, from us – the choice is yours.
What information will you be sending me?
By post – CRY sends its magazine, the CRY Update, three times a year (in April, August and December). The CRY Update focuses on acknowledging and thanking the fundraising activities of our supporters. It also includes information about our screening and research programmes, plus the latest news about CRY’s various other events and initiatives. Miscellaneous flyers about forthcoming activities and events may also be included with the magazine.
By email – CRY sends an electronic version of the Update three times a year (in April, August and December). Each month we also send a monthly enewsletter; plus occasional emails about forthcoming initiatives, activities and events. In total, we send out about 25 emails a year.
What are you doing with my information?
All of your information is securely stored on CRY’s customer information database within CRY’s Cloud storage system. CRY will never share your details with other organisations, with the exception of those mailing organisations we use to send post and email communications. The information is held by them on a temporary basis and destroyed after each mailing. CRY will only send you the information that you have asked to receive. If you inform us of any change to your details or preferences, then our systems are updated within 24 hours.
What happens if I don’t do anything?
If you don’t do anything, under the new regulations CRY must assume that you have chosen to ‘opt out – i.e., to stop receive communications from CRY. Therefore, we will stop sending you any communications. If you want to keep hearing from us you will need to either complete our online form on the CRY website at: www.c-r-y.org.uk/subscribe or send us a letter or email clearly confirming what CRY information you would like to start/continue receiving.
Will you start telephoning me?
No. CRY does not telephone people for appeals or requests to sign up to communications. CRY does not work that way. CRY will only contact supporters by phone in response to a request by them or as part of an ongoing set of communications with them about a particular fundraising, screening or awareness event in which they are involved.
Who is responsible for this change in the data protection rules?
Since 1998, all UK organisations have had to comply with the Data Protection Act of that year. Compliance has been monitored by the Information Commissioner’s Office (ICO). As all the EU countries had different data protection rules it was decided to produce a single set of data protection rules for the EU. This new General Data Protection Regulation will become law on 25th May 2018. Compliance to the new regulation will continue to be the remit of the ICO. It will continue to apply after Brexit.
Who has to ask me?
Any company, business or organisation, including charities, that holds personal data about you, has to obtain your consent to remain in contact with you in the future (after 25th May 2018). It includes all EU companies and all non-EU companies that trade within the EU.
I support other charities as well, will they be doing this?
Yes. As the rule applies to all companies, including charities, all the causes you support will be contacting you over the coming months to obtain your permission to send you information.
When will this be happening?
The new rules will come into force on 25th May 2018, after which CRY will not be allowed to contact you at all unless you’ve told us you want to hear from us. This is why CRY is contacting you before this date.
Is this different from the Fundraising Preference Service (FPS)?
Yes, it is. The Fundraising Preference Service (FPS) is a new complaints service that allows the public to opt-out of any communications from specific charities by contacting the FPS instead of the charity. The FPS will then tell the specified charity to remove that person from their mailing lists.
Can I obtain more information?
For further information, please read CRY’s Privacy Policy. Any questions regarding this policy and our privacy practices should be sent by email to cry@c-r-y.org.uk or by writing to CRY, Unit 1140B, The Axis Centre, Cleeve Road, Leatherhead, Surrey, KT22 7RD. Alternatively, you can telephone 01737 363222.
