GDPR Compliance Statement
What is GDPR?
Since the UK left the EU, the General Data Protection Regulation (GDPR) has been retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the Data Protection Act (DPA) 2018.
The key principles, rights and obligations remain the same (the exception being the implications for the rules on transfers of personal data between the UK and the EEA).
We continue to follow the Information Commissioner’s Office (ICO) existing guidance on general data protection obligations.
You can find out more about the 2018 DPA here and about UK GDPR here.
Who we are
The CDI are:
Controllers of our member data and supplier contact information, which we require in order to manage and deliver services as a professional body under membership contract, to manage customer requests and incidents, and to provide training and qualifications within the careers sector.
Controllers of personnel information relating to the CDI’s company employees, associates and partners.
Contact Details
If you have any questions about our compliance activity, please contact
Dan Hope, CDI Digital Project Manager and Data Officer: [email protected]
The CDI, Copthall House, 1 New Road, Stourbridge, West Midlands, DY8 1PH
The CDI’s Commitment
The CDI are committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection programme in place, which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this programme to meet the demands of the UK GDPR and the Data Protection Act.
The CDI are dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for, the UK GDPR.
We are currently working on the development and implementation of a Digital Transformation Project, which includes new, robust and effective CRM and CMS systems (expected to go live in March 2023). These systems will ensure greater security and protection for the personal information that we hold.
This project will be carried out by the CDI Digital Project team, which reports to a Digital Project Board consisting of four Board Executives and the Chief Executive (contact details are available on request).
Our work to date and objectives for GDPR compliance are summarised in this statement.
Data Officer – the CDI have appointed a Data Officer and will provide them with support and training where available.
Information Audit – as part of the Digital Project and transition to a new CRM, we will carry out a company-wide information audit to identify and assess what personal information we hold, where it comes from, how and why it is processed and if and to whom it is disclosed. (To be completed by Q2 2023)
Policies & Procedures – revising data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:
Data Protection – our main policy and procedure document for data protection has been revised to meet the standards and requirements of GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities.
Data Retention & Erasure – we are reviewing our retention policy and schedule to ensure that we meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. (Review to be completed by Q4 2023). We have dedicated erasure procedures in place and are aware of when this and other data subject rights apply, along with any exemptions, response timeframes and notification responsibilities.
Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time in line with ICO guidance.
International Data Transfers & Third-Party Disclosures – the CDI does not store or transfer personal information outside of the UK. We do not share our data with third parties with the exception of partnering event organisers, where there is a data sharing agreement in place.
Information Security – any data stored by the CDI is subject to a rigorous security process, both physical and digital, to protect it from unauthorised access. The data is split between three primary sources: a physical server based within the CDI Head Office, and two secure data servers based in Nottingham and London operated by our website partner Senior. Our data is backed up daily, with backups retained for 30 days both onsite and offsite.
Physical Security for the CDI data server
- Dual-coded building security: passcode-protected access system for the office, and restricted hardware-token access to the building.
- Digital CCTV camera surveillance.
- Password-protected server, with purpose-specific authentication for select members of CDI staff only.
- Strict security processes are in place to ensure the delivery and loading of goods is secure.
Physical Security for the Senior data servers
- Independent client card identification access system.
- Secure and monitored single-person point of entry, physically guarded 24/7, with integrated digital video camera surveillance.
- Proximity card access is provided from the main data centre building and is issued to grant access only to authorised facilities management suites.
- Strict security processes are in place to ensure the delivery and loading of goods is secure.
- CCTV coverage for the perimeter, common areas and facilities management suites.
IT Security
- Physical firewalls
- Intrusion prevention
- VLAN network segregation
- Individual databases per client
- Anti-virus
- IPSec VPN for management
Subject Access Request (SAR) – a user has the right to access information kept about them by the CDI, including but not limited to personal and organisation details, organisation connections, training and event records, financial transactions with the CDI, marketing preferences and history, and website activity history.
The Membership and Marketing department is responsible for dealing with data subject access requests. We commit to meeting the revised 30-day timeframe for providing the requested information, subject to the correct circumstances, and we are aware of the circumstances in which we can extend the time limit to respond to a request. We also understand when to consider whether a request includes information regarding others, and any implications this may have.
Legal Basis for Processing - we are reviewing all processing activities to identify the legal basis for processing and ensuring that each basis is appropriate for the activity it relates to. The deadline for this review is Q2 2023. Where applicable, we also maintain records of our processing activities, ensuring that our obligations under Article 30 of the GDPR and Schedule 1 of the Data Protection Act are met. See below for a summary of processing activities:
| Department | Purpose | Category of personal data |
|---|---|---|
| Membership | Contractual agreements | Name, address, organisation, contact details, invoice information, qualification details, demographic information |
| Marketing | Compliance with marketing agreements | Name, organisation connections, contact details, marketing preferences |
| Events & Training | Training records, site licensing, training attendance evidence | Name, address, organisation connections, contact details, invoice information, training records |
| CDI Academy | Training records, contractual agreements | Name, address, organisation connections, contact details, invoice information, qualification details, evidence portfolios for assessment and moderation |
| Professional Development | Contractual agreements, CPD records | Name, address, organisation connections, contact details, invoice information, qualification details, CPD records |
| Finance | Transaction activities | Name, address, organisation connections, contact details, invoice information, NI number, registration information, tax codes |
Privacy Notice/Policy – we are revising our Privacy Notice(s) to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information. The deadline for this revision is Q2 2023.
Obtaining Consent – we are revising our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it and giving clear, defined ways to consent to us processing their information. We are developing stringent processes for recording consent, making sure that we can evidence an affirmative opt-in, along with time and date records; and an easy to see and access way to withdraw consent at any time. The deadline for this revision is Q2 2023.
Direct Marketing – the CDI performs direct marketing as defined in Section 11(3) of the DPA: “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. This includes, but is not limited to: promotional material, sector updates, offers on CDI products and events, updates on training courses and qualifications, and related career-sector information. This marketing is delivered primarily through email content, but can also include blanket social media coverage where appropriate.
Data Processing – the CDI processes personal data fairly and lawfully, with consent mechanisms to ensure marketing emails are categorised correctly and authorised by the user.
Reasonable Expectations - Any personal marketing data collected by the CDI will only be used to send relevant information within reasonable expectations of the sector and will not be used for incompatible purposes.
Third-party Marketing - The CDI does not perform third-party marketing and will not share your data with other organisations. However, third-party organisations can provide content to be included in CDI mailings or the CDI can send out a dedicated email to our database on the organisation’s behalf, both at a cost to the organisation.
Accurate Data – the CDI makes every effort to maintain the accuracy of its marketing data, and allows members to access and update their data through a robust and accessible Members’ Area portal. Undeliverable and bounce-back emails are actioned within 14 days of receipt: the member’s data is removed from the mailing portal, alternate contact is attempted, and if further contact isn’t possible, the member’s account is closed where appropriate.
Withdrawal of Consent – the CDI gives the individual the right to prevent their personal data being processed for marketing. Withdrawal of consent is an accessible process that is actioned within 14 days of receipt of the withdrawal, and the CDI will make every attempt to acknowledge the cessation of marketing. Withdrawal of marketing consent does not stop emails relevant to the application, renewal or invoicing of CDI membership.
Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, includes disciplinary procedures or complaints, involves large-scale processing, or includes special category/criminal conviction data, we are revising the documentation processes that record each assessment. This allows us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).
Processor Agreements – where we use any third party to process personal information on our behalf (e.g. payroll, recruitment, hosting), every care has been taken to ensure all parties are compliant with the GDPR and are aligned to the CDI’s ongoing commitment. These measures have included initial and ongoing reviews of the service provided, the necessity of the processing activity, the technical and organisational measures in place, and compliance with the GDPR.
Special Categories Data - Special category data is only processed where necessary and is only processed where we have first identified the appropriate Article 9(2) basis or the Data Protection Bill Schedule 1 condition. Where we rely on consent for processing, this is explicit and is verified by a signature, or is provided directly by an employee with the right to modify or remove consent being clearly signposted. The only Special Category data we collect falls under Demographic Data which we use to inform research and effectively monitor the sector as a Professional Body, and all Demographic Data is considered optional.
Data Subject Rights
In addition to the policies and procedures mentioned within this statement, the CDI acknowledges the user's data rights and supports the following:
- The Right to Be Informed
- The Right of Access
- The Right to Rectification
- The Right to Erasure
- The Right to Restrict Processing
- The Right to Data Portability
- The Right to Object
- The Right to Avoid Automated Decision-Making
- The Right to be Forgotten
Detailed information can be found through the ICO website.
Correction of Data
The CDI has a system in place that enables users to check their personal information regularly so they can correct, delete or update any data. If a member becomes aware that the CDI holds any inaccurate, irrelevant or out-of-date information about them, we ask that users make any corrections or updates by logging into the Members’ Area. Alternative support is provided through contact with the Membership department by email, telephone, or physical mail (where secure), where they can provide the necessary information. We remind all members at the time of their membership renewal to perform a thorough check of their data.
Monitoring
The CDI may record users’ interactions with the CDI by various means including, but not limited to, a record of their event bookings, a record of their CDI Academy qualifications, usage tracking through certain areas of the CDI website, and activity logs on a user’s account to track direct interactions. If this is the case, the CDI will make every attempt to inform the user that monitoring is taking place, how data is being collected, how the data will be securely processed and the purpose for which the data will be used. The member will be entitled to be provided with any data that has been collected about him/her. All monitoring will be non-intrusive, and the CDI will not retain such data for any longer than is necessary.
The CDI will never perform any covert monitoring.
Employees' Obligations Regarding Personal Information
CDI employees who handle personal data must ensure that:
- the information is accurate and up to date, insofar as it is practicable to do so;
- the use of the information is necessary for a relevant purpose and it is not kept longer than necessary;
- the information is secure;
- password-protected and encrypted software is used for the transmission and receipt of emails; and
- any physical files are locked in a secure cabinet after use.
Where information is disposed of, employees should ensure that it is destroyed. This may involve the permanent removal of the information from the server, so that it does not remain in an employee's inbox or trash folder. Hard copies of information may need to be confidentially shredded.
An employee must not take any personal information away from The CDI's premises without the prior consent of the Chief Executive.
If an employee is in any doubt about what they may or may not do with personal information, they should seek advice from the Data Officer.
Consequences of Non-Compliance
All users and employees are under an obligation to ensure that they comply with the data protection principles when accessing, using, or disposing of personal information. Failure to observe the data protection principles within this document may result in an employee incurring personal criminal liability. It may also result in disciplinary action up to and including dismissal.
Accessing Records Off-Site
The CDI employs a range of employees working both on-site and off-site, and company-provided laptops allow employees to work from an office environment, in transit, and at home where appropriate. As such, member records may be accessed by CDI employees outside of the office environment. All efforts are taken to secure employee laptops, including but not limited to: tracking of laptops; password protection with a complex password and enhanced security features; remote access to laptops by IT personnel to ensure security; and the ability to lock down and erase a laptop if it becomes misplaced. All employees take the utmost care to ensure that such information is not viewed by anyone who is not legitimately privy to that information.
No hard copies of records are authorised to leave the CDI office unless being transferred to our secure shredding facility or our external site storage location, and then only in the company of at least two CDI employees with authorisation from senior management.
Loss of Data
The CDI takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures, including:
- Restricted access to files and folders, so that all personal data is accessed on a ‘need to know’ basis.
- Encryption software for sending personal data/special personal data.
- An appointed Data Officer to review CDI compliance and best practice surrounding all aspects of cyber security, who is accountable for reporting any breaches to the Chief Executive and the ICO accordingly.
However, should any incident occur in which there is loss or potential loss of personal or special personal data, it should be reported to the CDI Data Officer immediately. If the Data Officer is unavailable, then the Chief Executive should be sought.
Compliance
General Data Protection Regulation 2018
Data Protection Act 1998
Definitions/Abbreviations
GDPR – General Data Protection Regulation
DPA – Data Protection Act
ICO – Information Commissioner’s Office
CDI – Career Development Institute