Data Protection Registration

Memnet Limited is registered with the Information Commissioner’s Office under registration reference:

ZA139475

How we use your information

This privacy notice tells you what to expect when we collect personal information. It applies to information we collect about:

• visitors to our websites;
• people who use our services, e.g. those who subscribe to our newsletter or attend our events;
• people who join as a Member or subscribe to our services;
• people who buy our products;
• job applicants and our current and former employees; and
• complainants and other individuals making an enquiry.

Visitors to our websites

When someone visits our website we may use a third party service e.g. Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow our third party service to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Use of Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. We use cookies to remember a user’s choice when visiting our websites.

Security and performance

We use a third party service to help maintain the security and performance of our website. To deliver this service it processes the IP addresses of visitors to our website.

People who contact us via social media

If you send us a private or direct message via social media the message will be stored by the social media provider for three months. It will not be shared with any other organisations.

People who email us

We use Microsoft Exchange to encrypt and protect email traffic. We monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

People who use our LiveChat service

We have a LiveChat service, which we use to handle customer enquiries in real time.

If you use the LiveChat service we will collect your name, email address (optional) and the contents of your LiveChat session. This information will be retained for two years and will not be shared with any other organisations.

You can request a transcript of your LiveChat session if you provide your email address at the start of your session or when prompted at the end.

People who make a complaint to us

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide.

Job applicants, current and former employees

We are a data controller for the information you provide during the process unless otherwise stated. If you have any queries about the process or how we handle your information please contact us via this website.

Your rights

Under the Data Protection Act 1998, you have rights as an individual which you can exercise in relation to the information we hold about you.

The GDPR provides the following rights for individuals:

Withdraw consent – Where we are using your personal information on the basis of your consent, you have the right to withdraw that consent at any time.

Right to be informed – You have the right to be told how your personal information will be used. This policy document, and shorter summary statements used on our communications, are intended to be a clear and transparent description of how your data may be used.

Right of access – You can write to us asking what information we hold on you and to request a copy of that information.  This is called a Subject Access Request. From 25 May 2018 we will have 30 days to respond to you once we are satisfied you have rights to see the requested records and we have successfully confirmed your identity.

Right of erasure – From 25 May 2018, you have the right to be forgotten (i.e. to have your personally identifiable data deleted). However, we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you.  Our team will be happy to advise you.

Right of rectification – If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. This enables you to have any incomplete or inaccurate data we hold about you corrected.  We may need to verify the accuracy of the new data provided to us.

Right to restrict processing – In certain situations you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.

Right to data portability – Where we are processing your personal data under your consent, the law allows you to request data portability from us to another service provider. This right is largely seen as a way for people to transfer their personal data from one service provider to another. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Right to object – You have an absolute right to stop the processing of your personal data for direct marketing purposes. Simply contact our office and they will amend your contact preferences or alternatively you can update your details.

Right to object to automated decisions – In a situation where a data controller is using your personal data in a computerised model or algorithm to make decisions “that have a legal effect on you”, you have the right to object. This right is more applicable to mortgage or finance situations. We do not undertake complex computerised decision making that produces legal effects.

Complaints or queries

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

If you want to make a complaint about the way we have processed your personal information, you can contact ICO in their capacity as the statutory body which oversees data protection law:

www.ico.org.uk/concerns.

Access to personal information

We try to be as open as we can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you, we will:

• give you a description of it;
• tell you why we are holding it;
• tell you who it could be disclosed to; and
• let you have a copy of the information in an intelligible form.

To make a request to us for any personal information we may hold, you need to put the request in writing to the address provided below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting us via our website.

Disclosure of personal information

In many circumstances we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 12 February 2018.

How to contact us

If you want to request information about our privacy policy, you can email us or write to:

MemNet
15 Kentmere Drive
DONCASTER
DN45 FL

General Data Protection Regulation (GDPR)

Introduction

The new EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018 (including in the UK regardless of its decision to leave the EU) and will impact every organisation which holds or processes personal data of EU citizens. It will introduce new responsibilities, including the need to demonstrate compliance, more stringent enforcement and substantially higher penalties than the current Data Protection Act (DPA), which it will supersede.

MemNet is committed to high standards of information security, privacy and transparency. We place a high priority on protecting and managing data in accordance with accepted standards. The company will comply with applicable GDPR regulations when they take effect, including as a data processor, while also working closely with our Members and partners to meet contractual obligations for our procedures, products and services. Our team of experienced consultants and specialists will also help to support customers in meeting their obligations through the provision of expert services and value-adding solutions.

The company has three main areas of focus in preparing for GDPR overseen by an internal team:

– Building on existing security and business continuity management systems, to ensure our own compliance
– Provision of services and solutions which help customers to understand and prepare for GDPR, develop compliance plans and build a stronger platform for the future by taking control of their data

It is important to recognise that compliance is a shared responsibility and all organisations will need to adapt business processes and data management practices.

1. Compliance

MemNet has a robust internal structure and in order to ensure compliance will implement additional or augmented company-wide controls to meet GDPR requirements. Led by our Chief Executive, updated information security policies and procedures will build on existing management systems and the foundation of our policies and procedures, informed by gap analysis and data protection assessments and supported by communication and training programmes.

Compliance will be supported by a review of existing contracts with data controllers, the use of sub-contractors and any data export arrangements.

MemNet’s Data Protection Contact will inform, advise and monitor compliance. The company will implement tools as appropriate that support the process, provide necessary security and ongoing delivery of objectives.

In many areas the services provided by MemNet already conform. As a data processor, the company is undertaking risk assessments to include more detailed consideration of the data types we hold and a data protection impact analysis of personal information stored and processed. Policies such as incident response plans and backup data retention will be reviewed and updated.

Where we hold financial data our retention policy is 7 years, which adheres to recommended best practice.

Our customer data is held securely at Mailchimp, who are a trusted service partner; their data security and privacy policies can be found by CLICKING HERE.

The MemNet Privacy Policy can be found by CLICKING HERE.

We are undertaking a review of our contracts and data sharing agreements and if any changes are to be made, they will be communicated to our customers.

2. Helping Members adapt to change

The volume of data handled by organisations is growing and is captured, processed and stored on an increasing number of devices and networks. Requirements such as data protection impact assessments, active mitigation of risks and evidence of risk management measures will require organisations to develop a more disciplined approach to customer data, especially those with personal data spread across many locations and/or systems with varying levels of personal data quality and ownership. Furthermore, investing in the management of consent presents an opportunity to build trust and provide increasingly useful services.

MemNet’s team of experienced consultants can support customers in their journey to compliance and beyond, supported by our experts. These in-house experts bring deep expertise in information and data management as part of a complete capability to deliver a new generation of digital services from concept to implementation. Services offered include:

– Training workshops to help organisations to fully understand the GDPR
– Health checks, to assess how organisations are doing in relation to the GDPR, including identification of gaps, risks and formulation of roadmaps to achieve compliance now and in the future
– GDPR Audits, which are a three-day in-depth analysis of your compliance
– Provision of contracted Data Protection Officer services

If you need support on GDPR please feel free to contact us by emailing james@memnet.org.uk