GDPR

Policies and Procedures

Awareness : Under the new legislation that came into place on May 25, 2018, North Cheshire Cruising Club (NCCC) have been made aware of the change, the date the change took place and the implications of not complying with the law over the GDPR. This document should cover the steps that have been taken and the policies and procedures that have been put in place.

Information we hold : North Cheshire Cruising Club (NCCC) holds a limited amount of personal data about members of the Club. The data we hold on record are members names, addresses, telephone numbers, email addresses. This information is provided via a membership form that the potential new member completes when they wish to join North Cheshire Cruising Club. Data that is processed by North Cheshire Cruising Club is compiled from potential new members of the Club. North Cheshire Cruising Club does NOT share the full membership database outside of the club.

The data that North Cheshire Cruising Club hold is for the sole purpose of

Membership – this information is used to keep an accurate record of the membership of North Cheshire Cruising Club. This enables us to assess the length of time they have been with the Club, and for us to send them emails about what is happening within the club. Upon becoming a member, they are asked to complete a membership form with their details on, and also that they agree for their details (picture, first name and callsign) to be put onto the website.

Our Privacy report has been worded and updated.

Individual rights : Our membership list is available as an xlsx file which is password encrypted. Any member that requests to see their data would be sent their line, on email, either in xlsx format or as a pdf. If a member requests us to remove any of their details that we hold on record, this is actioned within 48 hours of receiving the request and then confirmation is sent to that member on email to confirm the request.

Subject access requests : If you request access to your data, we would action this within 48 hours of receiving the request, unless there were circumstances where the Membership Secretary was unavailable i.e. holidays, sickness etc., in which case the member would be informed accordingly, and the request would be actioned as soon as they returned to their position. If a request is made in writing via the post, then we would action as above, although could be up to two weeks from when it was received at our headquarters due to the dates of our meetings. If you were requesting to see what data we held on file, we would access the mailing list, and send the full line from the spreadsheet for that person or company to see. If they then requested that the information be removed, we would follow the procedure listed in the ‘individual rights’ section of the booklet.  We would not query why this request had taken place.

Lawful basis for processing personal data : All the data that has been provided to North Cheshire Cruising Club by a member, new or existing. We have not knowingly gathered information unlawfully.

Our privacy notice has been updated to comply with the new regulations as specified in the GDPR.

Consent : As stated above in Lawful Basis, all our data has been acquired by a member completing a membership form.

In line with the start of the GDPR we will be informing the membership of the privacy policy which will also be on our website. All our data is recorded on a membership form and then transferred to our membership spreadsheet by the Membership Secretary. Both documents are held by the Membership Secretary and are stored securely

Children : If a person under the age of 16 wishes to join North Cheshire Cruising Club , they are requested to get parental consent (from a parent or guardian) who needs to come to our headquarters with that person and speak to the Membership Secretary. They will be required to complete a membership form and sign in front of one of the above, and then the form will be countersigned in front of the parent or guardian.

Data breach : North Cheshire Cruising Club have taken great care to ensure that we do not breach any aspect of data protection with the membership of the Club. If we receive a notification of a breach of data (i.e. that the company or person did not request to be on our mailing list), we would request that the Membership Secretary contact them as soon as possible to apologise for any inconvenience, and give that person an explanation of how we received their data, and the procedure in place to ensure that this person is unsubscribed from the membership list.

Data protection by design and data protection impact assessment : The data that is held on our membership list is not high risk. The data contains the following information, name, address, telephone number and email address. We use the data we hold to keep the membership informed. We do not use our data for marketing purposes.

Data Protection Officer : North Cheshire Cruising Club has requested that the above position to be allocated to the Membership Secretary. He/She will be responsible for managing the data that we use, and will be solely responsible for the membership file.

As a small voluntary Club, this structure has been agreed between the Board. We do not think we need to designate a Data Protection Officer, but to comply with the GDPR, the Membership Secretary is happy to take this role on.

North Cheshire Cruising Club Board are aware of the policies and procedures in place. These will be reviewed at Board Meetings

International : Should North Cheshire Cruising Club have members outside of the United Kingdom, their data will be stored in a secure format.

IT Security : As part of our policy and procedures, North Cheshire Cruising Club has taken the following steps to ensure that the data we hold is secure.  Assessing the threats and risks to business

As listed above, in order to promote our Club, we hold a very small amount of data as listed in the sections above. None of the data we hold has any financial implications to the person listed on the membership list.

Cyber essentials : To ensure the minimum possible breach of security we only pc’s/mac’s that have all antivirus software downloaded.

System configuration/firewalls and gateways : All the computer systems that we use have business anti-virus software installed which is controlled by an external IT company who monitors the risk of virus’s and trojan attacks, and update the software accordingly.

Access controls : On the PC’s that we use, we have restricted access to the person only that owns that PC. The systems require a password to access the system, which is changed on a monthly basis. All personal broadband accounts have encrypted passwords to secure the systems. Should a Board member resign from North Cheshire Cruising Club or should they be absent for a long period of time, all access rights and password would be cancelled.

Malware protection : On the PC Systems used by the volunteering member of the Club, they have been installed with business anti-virus software and malware protection which is monitored by an external IT Company. All updates for both systems are set to automatic.

Patch management and system software updates : The PC’s that are used by the volunteers of North Cheshire Cruising Club are all running a Windows 10 system, or a later system with all software updates on automatic.

Securing data on the move : We have taken all steps possible to ensure that the data we store is secure. North Cheshire Cruising Club have agreed that the data will only be stored in the cloud for general use and not on the system using the data. No portable hard drive or usb device will be used for transportation of the data.

Securing your data in the cloud : All the data we hold is stored on a spreadsheet in a xlxs format, and is password protected. The file is then zipped and stored in the cloud. The cloud based system we use is a well known national company which has a base in the United Kingdom.

Backup your data : North Cheshire Cruising Club has taken every care to ensure that the data we hold is backed up after every use and restored in the cloud. All antivirus software and malware software are run on a weekly basis to ensure the safety of the data. An external backup of the data will be done on a monthly basis by using the cloud and not transferred data ‘on the move’. This will be done by backing up the data at an external place and storing the data in a secure locked safe at the premises where the backup took place ie the volunteers home.

Training : Members of the board of North Cheshire Cruising Club maybe requested to undertake training from an external IT company on the potential risks of a cyber attack on their systems, or are already trained through their place of work. Ie Do not open an attachment if you are unsure about it. Do not open emails from large Corporate companies such as banks, HMRC, DVLA, HMCS etc. We are regularly informed of any potential risk or threat by our IT company and what steps to take should the threat happen.

Checking for problems : As part of the ‘housekeeping’ North Cheshire Cruising Club regularly check to ensure that all the software installed on the systems is up-to-date and running correctly. Any potential risk or threat that is shown on either the anti-virus or malware software is actioned immediately and either quarantined or destroyed through the various software. The software is then run again to ensure that the risk or threat has been removed.

Know what you are doing : North Cheshire Cruising Club regularly check the data that we hold to ensure that it is safe and virus free. All security software installed on the pc which uses the data is bought from a reputable certified supplier and is legitimate. Software is continuously checked to ensure that it is up to date. As a small Club we regularly check the computers to ensure that they are working correctly and the system software is up to date.

Minimise your data : The data we store is used regularly throughout the year for the promotion of the running of the Club. No data is stored on the computer that is not needed.