Information we hold
We hold the name, postal address and e-mail address, and phone number (optional), of each member, all of which come from the individuals themselves. We will share their data with other members of the Braid Society only if they give us permission to do so. We will not share it outside of the Society.
The Society also holds similar personal data of individuals or companies who advertise in its annual journal Strands, and of those who ask to be included in the Society’s ‘List of Tutors’. Such data will be treated with the same care as that of members.
Maintain records of processing activities.
The Society stores its members' personal data in a secure database managed by Wild Apricot Inc. Renewals and newsletters are generated from the data in this database.
This membership management software provides traffic encryption (https) capability and has security features built into it that conforms with GDPR. For more information see https://www.wildapricot.com/gdpr
Communicating privacy information
- that the lawful basis for processing the data is that of a contract (see below)
- our data retention periods
- an individual's rights to complain if there is a problem with the way we handle their data.
We have checked our procedures to make sure they cover all the rights that individuals have:
- the right to be informed about collection and use of their data
- the right of access to own data and confirmation of processing
- right of individuals to have incorrect information rectified within 1 month of request
- right to data erasure
- the right to restrict the sharing of personal data with others in the Society
- the right to allow individuals to move their own personal data.
Lawful basis for processing personal data
There are six available lawful bases for processing. Of these, the Braid Society's lawful basis on which we process the person data of members is that of a contract because we need certain parts of their personal data in order to deliver the benefits of membership of the Society.
We have reviewed how we seek, record and manage consent and made the appropriate changes so that consent is freely given, specific, informed and unambiguous. As part of this we have introduced a positive opt-in for all choices. There is a simple way for people to subsequently withdraw consent.
The infrastructure provided through the use of the Wild Apricot software puts strong safeguards in place to protect customer privacy. It has its own backup and testing procedures.
For further information please see https://www.wildapricot.com/security-policy-overview#secure
In the event that Wild Apricot informs us of a breach, the Braid Society Council would:
- work with Wild Apricot to establish the nature and extent of the breach
- notify affected members
- review policies and procedures and amend if necessary.
We understand that we only have to notify the Information Commissioners Office of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify those concerned directly in most cases.
Data Protection by Design and Data Protection Impact Assessments
The GDPR makes privacy by design an express legal requirement, under the term 'data protection by design and by default'
The Society has put in place the following recommendations:
- that all Council members have up to date antivirus software
- that Council members will minimise the electronic transmission of members' personal details between them
- that sharing of such data will only be on a 'need to know' basis
- that an individual member's details will only be shared with other members not on the Council if she/he has agreed to it.
The Society has made it a condition of membership that:
- a member must not share another's personal data with anyone without that individual's express permission, and
- should they leave the Society, they must destroy any personal data of other members that they have gained in the course of their membership, unless those individuals have given their express consent to such retention, and
- that where they have a password that enables them to access certain parts of the website, they are responsible for keeping this password confidential. We ask them not to share the password with anyone.
The GDPR also makes PIAs - referred to as 'Data Protection Impact Assessments' or DPIAs - mandatory in certain circumstances where data processing is likely to result in high risk to individuals. This is unlikely to be the case for the Braid Society so PIAs have not been considered.
Data Protection Officers
The Society has designated someone (currently the Membership Secretary) to take responsibility for data protection compliance. It has not formally appointed a Data Protection Officer (DPO).
The Braid Society is based in the UK but has an international membership, including other EU member states. The UK is therefore the lead authority.