Periodically we review and update our operating terms and conditions that form the basis of our relationship with our customers. This time around we are proposing two changes that we wanted to clarify with our customers.
Since the introduction of GDPR we have been reviewing our approach to data processing and we need to make changes to how we manage your data. The second change relates to our licensing and pricing model.
Data processing
Please don’t worry: this change to our data processing policies will not alter your current processes; we are merely bringing responsibilities and definitions in line with the reality of using TeamKinetic. As always, if you have any questions or concerns we would like to hear from you, so please do get in touch and I would be happy to talk through how these changes might affect you.
A data controller is responsible for what happens to the data they collect. They define and control what they and their agents can do with the data. Agents processing the data on behalf of the data controller are called data processors.
Our original contract stated that TeamKinetic acted as the data controller and our customers acted as the data processors. This was based on advice we had received from our legal counsel during our work to become GDPR compliant, but over the last 18 months it has become clear that this definition neither serves the needs of our customers nor reflects reality.
We have now recognised that TeamKinetic would better serve you as the data processor. So what does that actually mean for you, your volunteers and your data?
In short, very little will change for your volunteers or the way you are able to use TeamKinetic, but some of your responsibilities and ours will change, and we want to make sure you are fully cognizant of these changes.
As the data controller, you are responsible for your volunteers’ data in accordance with your own policies and procedures, and your use of TeamKinetic must fall within those same constraints. This reflects how our customers already operate in most cases. The data controller then instructs us, as the data processor, in how we may use your data; you are in effect giving us permission to process your data so that TeamKinetic can provide you with a usable and effective service.
Now please don’t worry: TeamKinetic’s use of data is wholly appropriate and remains compliant with even the most stringent interpretation of GDPR and data protection legislation, so no practical changes will be required.
We have prepared a data processor document that outlines how TeamKinetic will process your data. This policy document will serve as our data processing agreement between you, the customer (data controller), and TeamKinetic (data processor).
This agreement will be reflected in the customer-defined terms and conditions that volunteers agree to when registering. You can adjust and edit these terms and conditions from your dashboard; we have created a short tutorial video if you are unfamiliar with where to find this feature.
Licensing and Pricing Model Changes
Don’t worry, we are not about to drop a big bill on you! In fact we are making these changes to make sure you are never surprised by a big bill.
TeamKinetic do not limit the number of volunteers, providers or opportunities, unlike many of our competitors. This means you don’t need to worry if your volunteer numbers suddenly jump up or change. This all forms part of our promise of no surprises in our pricing. However, over the years we have made changes to how we price our product, and this has resulted in customers being billed in different ways, which is now proving hard to justify and manage.
From this quarter we will be charging for each extra admin you wish to add beyond the number set in your contract. For our existing customers, their contract will reflect their current admin usage, so no current customer will pay more after this change; guaranteed!
You will be able to purchase additional admin capacity as a monthly subscription, paid in advance, right in your dashboard. Subscriptions can be altered and cancelled at any time, so there is no long-term commitment. We are putting the final touches to this admin interface and will release it shortly.
We will be offering a buffer of extra admin capacity for our existing customers based on their length of custom.
If you have any concerns or questions, then please don’t hesitate to get in touch at chris@teamkinetic.co.uk.
TeamKinetic have added an entirely new set of roles and functions we call COMMUNITY TASKS to help our customers get volunteers to those people that need it most in the community. There is also an associated app for mobile!
Communities across the country are already starting to rally in support of each other during this pandemic.
We’ve put together a video and step-by-step instructions below showing how to promote your COVID-19 related opportunities.
1 – Add tags and descriptions to your COVID-19 related opportunities.
In order for volunteers to find COVID-19 related opportunities you will need a way of identifying those opportunities in the system. You can do this either by making sure the opportunity title includes a key word such as covid, virus, corona or pandemic, or by adding those words as TAGS to the opportunity.
Either of these solutions will allow the system and volunteers to search for and find the related opportunities via the normal search bar.
When you log in you’ll find your custom search link in the COVID-19 notification bar. You can distribute this link via email and in your social media posts; when clicked it goes straight to the COVID-19 search results.
2 – Add An Event Called COVID-19
An event is just a group of opportunities which have something in common. By adding a specific event name, that event will show at the top of the volunteers search results.
To use this method you will need to create an event called ‘COVID-19’, then EDIT your opportunities and mark them as PART OF A LARGER EVENT.
3 – Email all volunteers about COVID-19 related opportunities
We have added a button at the top of the dashboard when you log in as admin:
This button will automatically email your volunteers a list of all virus-related opportunities (email shown below).
If you would like to email only specific volunteers, you can send them the special link shown when you log in as administrator.
When clicked this link will go to the COVID-19 search results.
Further help
If you have trouble setting any of this up, please open a support ticket and we’ll try to help.
It is with some sadness that TeamKinetic and Do-it.org will no longer be working together. Users who take advantage of the link between the two applications will no longer be able to share opportunities with Do-it after Friday 27th September.
For those who do use this feature, you may have noticed over the last few months that it had become a little unstable and prone to misbehaving. Do-it has decided that they no longer want to support this feature, and it will be removed on Friday the 27th September. It is safe to assume all existing opportunities will be removed, though we strongly suggest you check whether this could affect you after the 27th.
Do-it.org did not provide detail as to why they no longer wanted to support the TeamKinetic link, but we know they continue to review their platform and develop their technology, and sometimes these types of features are no longer a priority for an organisation to support. We thank Do-it for their support over the last 3 years and wish them all the very best moving forward.
All our customers will still be able to link their opportunities to our own free national platform at TryVolunteering.com, which will continue to give you extra reach and exposure. We recommend always sharing with TryVolunteering if you can.
TeamKinetic customers in Wales and Scotland can also continue to link with Volunteering-wales.net and VolunteerScotland.
TeamKinetic continues to look at how we can use our data to benefit the volunteer sector, and we stand by our ‘open data’ principles. We will continue to explore opportunities to work with partners to grow volunteer participation, and we hope those customers who used this feature are able to work with us as we look for new partners with whom they can share their opportunities.
If you have any questions as to how this might impact you, please don’t hesitate to get in touch via email, twitter, facebook or give us a call here in the office.
This post provides a summary of TeamKinetic’s information governance policy. Full copies of all documents that make up our security policy are available on request. We utilise the Information Governance Toolkit to continually assess our adherence to governance standards and requirements.
Scope
The Information Governance framework covers all staff that create, store, share and dispose of information. It sets out the procedures for sharing information with stakeholders, partners and suppliers. It concerns the management of all paper and electronic information and its associated systems within the organisation, as well as information held outside the organisation that affects its regulatory and legal obligations.
Steven Hall – Information Governance Manager
Rolf Herbert – Information Asset Manager
Roles and Responsibilities
Directors
Coordination and operational management of Information Governance projects
Review of Information Governance compliance and ensure alignment with related policies and procedures
The monitoring and enforcement of records management, retention and disposal policies
Enforcement of information security policies and management of security breach incidents
Establishing an understanding of risk for each part of the business operations
Chief Technical Officer
Define all information assets
Establish an information asset register
Define the executive information asset manager
Define information asset owners
Define policies and procedures for handling information assets
Define security strategy and policies for information assets
Managers
Implementing and enforcing Information Governance practices and policies
Mitigating information risk
Implementing the security and authorisation of information
Ensuring that all employees understand and are equipped to comply with Information Governance processes and procedures
Employees
Implementing Information Governance practices and policies
Implementing the security and authorisation of information
Determining the Employee’s training requirement
All members of staff must understand the need to properly manage the information they create and access.
All members of staff must be made aware of the information governance framework and must ensure they are familiar with its contents.
Training and information will be provided to all new staff members and all staff during regular re-training.
Information Policies
Information security policy
Records management policy
Retention and disposal schedules
Archiving policy
Data privacy policy
Information and communication technology (ICT) policy
Information sharing policy
Remote working policy
Information Procedures
Legal and regulatory compliance
Creating and receiving information
Acceptable content types
Managing the volume of information
Managing personal information
Storing and archiving information
Collaboration and sharing information
Disposing of information
Working with Third Parties
Policies for sharing information with third parties
Managing how third parties handle personal and confidential information
How Information Governance fits within supplier relationships and contractual obligations
Measurement and metrics for third parties meeting the organisation’s Information Governance goals
Disaster Recovery, Contingency and Business Continuity
Reporting information losses
Reporting information security breaches
Incident management and escalation
Back up and disaster recovery
Business continuity management
Auditing, Measurement and Review
Monitoring information access and use
Monitoring effectiveness of regulatory compliance
Monitoring the effectiveness of information security policy and procedure
Monitoring of ICT and storage infrastructure performance
When working in the third sector, keeping on top of the law is important, but it doesn’t have to be scary. Accessibility legislation that affects the sector is changing, and here is a summary of what you need to know.
What Is The Law On Accessibility?
Accessibility law is changing and we think this is a great thing. Websites and apps are being used by more people, and being accessed in more varied ways and on more platforms than ever. It’s important that we can give the best experience possible on all platforms.
The law on accessibility states that resources must now be usable by people with:
Impaired vision
Motor difficulties
Cognitive impairments or learning disabilities
Deafness or impaired hearing
In the UK 1 in 5 people have a disability. Inclusivity is integral to modern society and particularly so in the third sector. Allowing the most amount of people to get involved is great for everyone and this is something that we aspire to.
What Do You Have To Do?
Officially, what you have to do is make websites and apps ‘perceivable, operable, understandable and robust’, which is not as daunting as it sounds!
You must also publish an accessibility statement; this must include details of content that doesn’t meet accessibility standards. If someone requests this document you must also provide details of why certain aspects of the website do not meet the criteria.
When Do The Changes Happen?
Don’t worry, you will not have to make changes straight away. New websites must be compliant by the 23rd September 2019 which gives us all considerable time to improve our accessibility.
Websites made before 2019 have a year’s grace period and do not have to be accessible until 23rd September 2020. Native applications must be made accessible by the 23rd June 2021.
Is Anyone Exempt From These Changes?
The changes do not affect everyone:
non-government organisations like charities (unless they provide services that are essential to the public or aimed at disabled people).
schools or nurseries – except for the content the public need to use their services.
public sector broadcasters and their subsidiaries.
Help Understanding Accessibility Law
Depending on the nature of your business or organisation, there are a number of avenues you can take to get advice about the upcoming changes.
The Government Digital Service is researching what guidance and support public sector organisations need to meet accessibility standards. If you’re interested in taking part in this research, contact accessibility-research@digital.cabinet-office.gov.uk.
How Can TeamKinetic Help?
If you require any further information please click here for the full government regulations of what exactly the accessibility laws entail.
If you are looking for a volunteer management system that will be fully compliant with the accessibility law changes look no further than TeamKinetic. We have been working hard on our 1.3 release to improve the accessibility for our volunteers.
Visit our website at https://teamkinetic.co.uk/ or give us a call on 0161 914 5757 to find out more about how we can help you. You can also reach out to us on our social media channels.
TeamKinetic believes that the internet has the potential to transform our world in a way comparable to Gutenberg’s printing press, but if the last few years have taught us anything, it’s that the internet reflects both the very best and the very worst of human nature. What do volunteer managers need to know about the internet to keep their volunteers safe?
I’ll point to some useful resources that give context and understanding of the darker side of the internet, explain how we have used this to inform our policies and procedures as an organisation, and set out what we think you should consider as an organisation as you become more reliant on digital platforms.
The internet provides almost limitless opportunity for grassroots social action, citizen journalism, voluntary engagement and so many other potentially positive outcomes, but we are naive if we do not recognise and consider the risks.
Jon Ronson, journalist and author, recently wrote “So you’ve been publicly shamed” on how the networked effect of the internet can lead to individuals being ostracised. His entertaining and occasionally dark work examines some of the difficult issues around user-generated content and how people’s mistakes are amplified and stored for eternity in the memory of cyber-space. Ronson’s storytelling introduces the reader to the inherent risk for normal people of getting caught up in exceptional events, and how little control they have over these events once a post goes viral.
Sarah Jeong, now of the New York Times Editorial Board, Vice and The Verge has written extensively on the internet’s inherent problems and her book, “The Internet of Garbage” gives informed insights on the risks and unintended consequences of poor policy and practice and how that can impact organisations and their users. Jeong discusses at length some of the nuanced problems the modern internet has created for itself and how copyright law is being misused as a method of content suppression and removal, due in part to lack of other recourse to individuals who find themselves at the centre of a viral internet storm.
I mention these two texts as they are accessible and informed, and for those who are looking to understand the internet, they will help non-technology people appreciate the inherent risks of a highly networked world: the very real risks that can affect everyday users and voluntary organisations alike.
TeamKinetic is aware that our volunteer management platform has the potential to recruit volunteers in almost any situation. It is effective and easy to use and can be administered remotely with high efficiency to deploy individuals or teams of volunteers at short notice. These characteristics are great if you run a charity, an event or a university internship program, but they are equally great if you are recruiting individuals to partake in less positive endeavours. The creators of any platform which allows users to create content and communicate with each other must be aware of the risks as well as the benefits.
Recent legislation such as GDPR goes some way to help individuals protect their privacy and increase their control over the websites and platforms they engage with. It also gives businesses and organisations the chance to audit exactly what information they collect, why they collect it, and what they are going to do with it. This was a revealing process for us and was very worthwhile. All legislation, however well intentioned, runs the risk of “unintended consequence”. As responsible curators of TeamKinetic we have to embrace some basic values by which to manage our site.
What are our ideals and values?
As an organisation, we have put honesty at the centre of our company values. This is a type of statement that is easy to say, but much harder to live by. We aspire to offer honesty in our pricing, in our customer service and our product.
Our role in supporting the organisations that use TeamKinetic to manage their volunteers goes beyond the provision of software. We want to build a community of volunteers and volunteer managers that can share practice and policy, develop professional connections and work to strengthen the sector as a whole through the development of consistent standards in the wider information technology infrastructure of volunteering.
We want to be able to share expert knowledge and insight based on our user data and experience to help the sector become better at recruiting, deploying and recognising their volunteers’ hard work. We commit to making our data available to researchers, and the resulting insights and findings will be freely available to all who have a valid interest in the voluntary sector.
Finally, we want to create an amazing experience for all our users; that means the best technology, built in a way that is easy to use, and, importantly, every user protected by good policies and excellent support. Our volunteer-centric approach to development will remain the centre of our business operation.
We hope you will join us on our continued mission to be part of the ‘good’ internet and we look forward to your thoughts on how we can do this.
I thought it was time to codify our release protocol; it has changed a bit over the years but is now pretty consistent, so I thought I would share it.
We have a target of two major releases a year and two more interim releases between those. We aim to have a major release point in Q1 and then a further major release point in Q3 with an interim release point in Q2 and Q4.
Interim Releases
Interim releases usually consist of non-urgent bug fixes, small interface upgrades and corrections and not new functionality. Major release points will potentially have new functionality and new UI/UX layouts, and perhaps entirely new sections and methodology.
Interim releases will have a cut-off date for new tasks approximately 4 weeks before the release date. This gives us four weeks to complete all the outstanding tasks, then enter the testing phase and the subsequent iterations. A week before release we will produce some communications if we think there are changes that will impact our users or alter their workflows. We will offer all our users a chance to try out the release via our beta application. We will attempt to incorporate any minor feedback before the release date, or push back the release date by a maximum of 14 days in order to address the feedback correctly. If any major issues or feedback are received we may decide to draw back from the release, work on the new changes and roll the interim release into the next major release.
Interim Release Schedule
Weeks 0-8
During this period we will collect and collate all bug reports and new feature requests and decide which are to be included in the interim release.
Work will begin immediately on making the required changes and updates to the beta version.
Week 8
No more new bug fixes or changes are accepted for this release (emergency bugs are handled differently and fall outside the scope of planned upgrades).
Weeks 8-10
Work continues on completing tasks and testing
Week 10
Comms are sent and customers are invited to use the beta site and feedback with their experience and questions.
Week 11
Any feedback is incorporated and tested if possible
Week 12
Any tasks that have not been possible to complete are moved to the next release
Final comms are produced if necessary and the release is scheduled for the end of the 12th week.
Major Releases
Major releases are similar, but the cut-off date for new functionality is earlier, as it will take longer to design, build and test fully. The cut-off date is increased from 4 weeks before release to 8 weeks before release. This is to allow for a longer period of testing by ourselves and our customers, so that we can capture and act on more feedback on potentially large changes.
Major Release Schedule
Weeks 0-8
During this period we will collect and collate all bug reports and new feature requests and decide which are to be included in this release. This will usually entail at least one major change.
Week 8
No more new bug fixes or changes are accepted for this release (emergency bugs are handled differently and fall outside the scope of planned upgrades).
Weeks 8-16
Work continues on completing tasks and testing
Week 16
Comms are sent and customers are invited to use the beta site and feedback with their experience and questions.
Weeks 16-20
Any feedback is incorporated and tested if possible
Weeks 20-24
Any tasks that have not been possible to complete are moved to the next release
Final comms and support material are completed and distributed, and the release is scheduled for the end of the 24th week.
Normally we would expect to add a higher volume of small changes to the interim releases and fewer, but more impactful, changes to the major release.
This schedule cannot always be followed; it may be necessary to have only one major release in a year, and on occasion there are only interim releases as no major new functionality has been added.
Releases are numbered using the regular convention:
1.2.3
^ ^ ^
| | |————— Minor revisions, spelling corrections etc
| |—————– Minor function changes or additions etc
|——————- Major function changes, UX/UI changes etc
An interim release increments the last or second digit; a major release increments the second or first digit. At the time of writing we are on TK v1.0.1 (after a major change from our old releases it was decided to reset the version numbers to 1.0.0). Our next release is scheduled for August and will be v1.1.0.
This document will continue to develop over time as we respond to more questions from our customers and users. Please feel free to subscribe to stay up to date.
1. Do we need to get renewed consent from every volunteer and provider?
We will be asking all volunteers and providers to review their consent settings for communications and the sharing of their data with volunteer opportunities. You can see this email here.
Renewed consent and acceptance of the new EULA will be required when logging in.
We think the consent we have already obtained from volunteers and providers provides us sufficient cover under ‘legitimate use’ to ensure we do not need to delete users’ accounts.
2. How long do you keep data after someone has unsubscribed or withdrawn consent?
Unsubscribed relates to email/SMS correspondence, and users are removed immediately from all mass communication and newsletter emails. They will still receive transactional emails specifically related to them and their volunteering. If a user withdraws consent or asks to be removed their volunteer data is immediately anonymised and their personal data is moved to a table only accessible by a system administrator. This moved data is stored for a further 7 days before being permanently removed. We do this to enable us to restore a volunteer profile deleted in error. Data in backups will disappear after our 30 day retention period. Data from backups is restorable but an hourly charge is levied.
3. What is your process if anyone exercises their right to be forgotten?
We will immediately start the removal process for any volunteer requesting to be forgotten or who asks to be removed. The data removal follows the same pattern as above in point 2.
4. How long would it take to delete their data entirely?
Volunteer data is made anonymous immediately. Personal data is immediately unavailable to volunteer administrators and providers. Data in backups will be removed after our 30 day retention period.
Data in backups is only accessible by our network administrators and not by any users at any level of our applications.
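Points 2 to 4 describe one erasure flow: the live profile is anonymised at once, the personal data is held in an admin-only table for 7 days so a profile deleted in error can be restored, and it is then removed for good. The Python below is an added worked example of that flow against a hypothetical SQLite schema with constructed sample data; it is not TeamKinetic’s own code, and backup retention is out of its scope.

```python
"""Erasure flow: anonymise now, quarantine personal data for 7 days, then purge.
Schema, table names and sample volunteer are constructed for this example."""
import sqlite3
from datetime import datetime, timedelta

QUARANTINE_DAYS = 7  # holding period quoted in the FAQ


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with one constructed volunteer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE volunteers (
            id INTEGER PRIMARY KEY,
            name TEXT, email TEXT, phone TEXT,   -- personal data
            hours_logged INTEGER,                -- volunteering record, kept but anonymised
            anonymised INTEGER NOT NULL DEFAULT 0
        );
        -- Admin-only holding table: no application role reads from it.
        CREATE TABLE removed_personal_data (
            volunteer_id INTEGER PRIMARY KEY,
            name TEXT, email TEXT, phone TEXT,
            removed_at TEXT NOT NULL             -- ISO 8601 timestamp
        );
        INSERT INTO volunteers
            VALUES (1, 'Ada Example', 'ada@example.org', '07000 000000', 42, 0);
        """
    )
    return conn


def erase_volunteer(conn, volunteer_id, now):
    """Start removal immediately: move personal data to the holding table and
    anonymise the live row in one transaction. Returns False if already erased."""
    with conn:
        row = conn.execute(
            "SELECT name, email, phone FROM volunteers WHERE id = ? AND anonymised = 0",
            (volunteer_id,),
        ).fetchone()
        if row is None:
            return False
        conn.execute(
            "INSERT INTO removed_personal_data VALUES (?, ?, ?, ?, ?)",
            (volunteer_id, *row, now.isoformat()),
        )
        conn.execute(
            "UPDATE volunteers SET name = 'Removed volunteer', email = NULL, "
            "phone = NULL, anonymised = 1 WHERE id = ?",
            (volunteer_id,),
        )
    return True


def purge_expired(conn, now):
    """Permanently delete held personal data once the 7-day window has passed.
    Returns the number of records purged."""
    cutoff = (now - timedelta(days=QUARANTINE_DAYS)).isoformat()
    with conn:
        cur = conn.execute(
            "DELETE FROM removed_personal_data WHERE removed_at <= ?", (cutoff,)
        )
    return cur.rowcount


def restore_volunteer(conn, volunteer_id, now):
    """Undo an erasure made in error. Expired records are purged first, so a
    restore is only possible inside the 7-day window."""
    purge_expired(conn, now)
    with conn:
        row = conn.execute(
            "SELECT name, email, phone FROM removed_personal_data WHERE volunteer_id = ?",
            (volunteer_id,),
        ).fetchone()
        if row is None:
            return False
        conn.execute(
            "UPDATE volunteers SET name = ?, email = ?, phone = ?, anonymised = 0 "
            "WHERE id = ?",
            (*row, volunteer_id),
        )
        conn.execute(
            "DELETE FROM removed_personal_data WHERE volunteer_id = ?", (volunteer_id,)
        )
    return True


def visible_profile(conn, volunteer_id):
    """What an admin or provider sees through the application for this volunteer."""
    return conn.execute(
        "SELECT name, email, phone, hours_logged FROM volunteers WHERE id = ?",
        (volunteer_id,),
    ).fetchone()
```

The volunteering record (hours_logged) survives anonymisation, which is what lets aggregate reporting continue while the identifiers are gone.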
5. Do you have an archive of all the data we hold in the database?
All data is transactionally backed up daily and stored encrypted. Backups are maintained for 30 days.
6. Is the data anonymised at any point?
If a request for removal is received then volunteer data is immediately anonymised.
7. Is your data encrypted?
Password data is stored using a one-way hash using a randomised SALT with a length sufficient to prevent practical brute force or collision attacks.
All data at rest in backup or in transit is encrypted using a minimum 30 character length password.
8. Can the TeamKinetic privacy policy be found on the database by volunteers?
Registration number: ZA036104
Date registered: 14 January 2014
Registration expires: 13 January 2021
Data controller: TeamKinetic Ltd
Address:
Office 14 Parkway 2
Parkway Business Centre
Princess Road
Manchester
M14 7HR
12. Where do you explain to the volunteer that data is shared with other parties?
Our email to all volunteers will reiterate that data is shared with providers and potentially external administrators where a volunteer opts to volunteer on an opportunity outside their application.
For all new volunteers, this consent is explicitly captured during the initial sign up process.
13. What fields can a provider see on a volunteer?
Providers can see (but not edit):
Age
Contact phone number
Email address
Gender
Special requirements and disabilities (if the volunteer has chosen to share)
Criminal record check status
Unlocked custom registration fields
14. Can “Admin” users set some “Custom Fields” to be visible to “Providers” or not visible?
Our next release in June 2018 has enabled custom fields to be locked to admins only.
15. Can you make custom registration fields compulsory?
Yes, custom fields can be made compulsory.
16. How long do we store data on volunteer and providers?
TeamKinetic believe volunteering is a lifetime pursuit and as such see no reason to remove a volunteer profile on behalf of a volunteer due to inactivity.
We do believe it is important for a volunteer or provider to have the ability to remove themselves as and when they see fit.
We appreciate that some organisations will not share our view, so we will provide a tool that will allow Admin users to search the database for inactive users based on a period of inactivity set by the Admin. This will provide a list of inactive volunteers that the admin user will be able to remove from the system en masse.
17. Is there any further information on TeamKinetic and GDPR?
Yes. We have a record of all Data Processors’ details, and access to the data is maintained under strict regulation. We have detailed records for the purpose of processing, descriptions of categories, detailed data flow diagrams and full documentation of all third-party data processors we work with. This is complemented by our policies on security, continuity and privacy.
19. Does TeamKinetic have a Sub-processor or level 2 processor change request process?
TeamKinetic shares very limited data with sub-processors, and that data is anonymised. All sub-processors are legally bound by TeamKinetic to meet our data standard as outlined in schedule 6.
All customers are asked to review the schedule below. This will be sent in a separate email to all existing customers as an addendum to our current agreement and will require signing as soon as possible.
Schedule 6 Data Protection
1. Data Protection
1.1 For the purposes of this clause, the following definitions apply:
(i) ‘Data Controller’, ‘Data Processor’ and ‘process’ have the meanings given to them in the Data Protection Act 1998 and from May 2018 the General Data Protection Regulation 2016/679;
(ii) Service Users shall mean those who sign up to use the Services.
(iii) ‘Personal data breach’ has the meaning given to it in article 4(12) of the General Data Protection Regulation 2016/679;
(iv) ‘Personal Data’ shall mean the personal data of the Service Users including their name, contact details, email, address, disability information, gender and employment or education experience.
(v) ‘Privacy Laws’ means the Data Protection Act 1998, Directive 95/46/EC, the General Data Protection Regulation 2016/679 and the Privacy and Electronic Communications Regulations 2003; and
(vi) ‘Privacy notice’ means a notice providing individuals with information about the purpose for which and manner in which their personal data will be processed and the organisations that will be undertaking that processing.
1.2 With respect to the parties’ rights and obligations under this Contract, it is acknowledged and agreed that the Customer is the Data Controller and the Supplier is the Data Processor in relation to the Personal Data.
1.3 Where processing Personal Data on behalf of the Customer the Supplier agrees to:
(i) provide the Services in compliance with all relevant Privacy Laws;
(ii) not do anything (or permit anything to be done) which would put the Customer in breach of its obligations under Privacy Laws;
(iii) only process the Personal Data in accordance with the Customer’s instructions and only for the purpose of delivering the Services and not for any other purpose;
(iv) only process the Personal Data in such manner as is described in the Contract and, in any event, only process the Personal Data to the extent that is necessary to deliver the Services;
(v) implement and maintain the technological and organisational measures necessary to protect the Personal Data against accidental or unlawful loss, alteration or destruction, and against unauthorised disclosure, dissemination or access;
(vi) not disclose or transfer the Personal Data to any third party (save where disclosure has been specifically authorised by the Customer under this Contract) and only provide access to the Personal Data to the Supplier’s personnel where such access is necessary for the provision of the Services; and
(vii) take reasonable steps to ensure the reliability of any of the Supplier’s personnel who have access to the Personal Data, and ensure that those personnel are aware of their obligations set out in this clause 1 and have undergone adequate training in the care, use and protection of personal data in compliance with the Privacy Laws.
1.4 Upon the Customer’s request, the Supplier agrees to permit the Customer or its authorised agents to inspect the Supplier’s premises, data processing activities and systems, and/or have access to, and be provided with copies of any information (including without limitation the Personal Data) to enable the Customer to be satisfied the Supplier are complying with the obligations under this Schedule 6.
1.5 The Supplier must not sub-contract or assign any of its rights or obligations under this Contract without the Customer’s prior written consent.
1.6 Where the Customer provides written consent to sub-contracting of the Services under clause 1.5, the Supplier agrees to impose a binding legal obligation on its sub-contractor to comply with the obligations in this Schedule 6 where that sub-contractor has access to, or will otherwise be processing, the Personal Data. For the avoidance of doubt, any such sub-contract shall not relieve the Supplier of its obligation to comply fully with this Schedule 6, and the Supplier shall remain fully responsible and liable for ensuring full compliance with this Schedule 6 in all respects.
1.7 The Supplier will not transfer any Personal Data processed under or pursuant to this Agreement outside of the European Union without the Customer’s prior written authorisation. Where the Customer authorises the transfer of Personal Data outside of the European Union, the Supplier agrees to comply with any instructions the Customer may issue which are necessary to achieve compliance with the Privacy Laws.
1.8 The Supplier agrees to notify the Customer as soon as practical, and in any event within five working days, if the Supplier receives:
i. a request from an individual to access their Personal Data or to exercise the rights of individuals under Privacy Laws including the rights of rectification, restriction, blocking, data portability and/or erasure;
ii. a complaint relating to the processing of Personal Data under this Agreement;
iii. notification that an individual wishes to withdraw their consent, or otherwise objects, to the processing of their Personal Data under this Agreement; or
iv. any communication from the Information Commissioner or any regulatory authority in connection with the Personal Data.
1.9 The Supplier agrees to comply with the Customer’s instructions regarding the response to and handling of any complaint, request, notification or communication described in clause 1.8, and to provide such reasonable assistance to the Customer as is required to ensure that the Customer can comply with its obligations under the Privacy Laws.
1.10 The Supplier agrees to notify the Customer promptly, and in any event within 24 hours, in the event of an actual or suspected personal data breach involving the Personal Data processed under this Agreement. The Supplier agrees to co-operate fully with the Customer to investigate such a breach by furnishing the Customer with such information as may reasonably be required about the breach and the Supplier’s processing activities. The Supplier also agrees to comply with the Customer’s reasonable instructions regarding the management of and response to the breach and any steps necessary to prevent an equivalent breach in the future.
1.11 The Supplier agrees to comply with the Customer’s instructions as to the period for which the Personal Data shall be retained and regarding secure destruction or return of the data to the Customer following expiry of the Term.
1.12 The Supplier agrees to indemnify and keep indemnified the Customer against all claims, demands, actions, proceedings, charges, costs and expenses (including legal costs and expenses) which may be brought against the Customer in respect of or in any way arising out of or in connection with:
i. the Supplier’s breach of the obligations in this Schedule 6; or
ii. a claim that the Customer is in breach of its obligations under the Privacy Laws as a result of any of the Supplier’s actions.
If you haven’t started preparing your organisation for compliance then the next 3 months are crucial. If you have started getting ready for the GDPR deadline, keep going.
Make sure your board is bought in to the importance of the project. Having the support you need from the top is vital to the GDPR compliance process.
ONCE THE GDPR COMES INTO FORCE, YOUR BUSINESS MUST:
Keep a record of data operations and activities and consider if you have the required data processing agreements in place
Carry out privacy impact assessments (PIAs) on products and systems
If applicable to your organisation, designate a data protection officer (DPO)
Review processes for the collection of personal data
Be aware of your duty to notify the relevant supervisory authority of a data breach
Implement “privacy by design” and “privacy by default” in the design of new products and assess whether existing products meet GDPR standards
Disclaimer: The information in this whitepaper is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor.
Let’s refresh…
What is the GDPR? The General Data Protection Regulation (GDPR) is a binding legislative act from the European Union for the protection of personal data. The Regulation tackles the inconsistent data protection laws currently existing throughout the EU’s member states and facilitates the secure, free-flow of data.
Why do you need to know about it?
As of April 2016, businesses have been preparing for the legislation coming into effect on 25th May 2018. Although we are in the process of leaving the EU, working towards GDPR compliance remains crucial.
If you fail to comply with the Regulation you could find yourself fined up to 4% of your company’s global annual turnover, with your reputation damaged beyond repair.
That is a 4500% increase on the fines the ICO can currently issue.
Now that the deadline is just 3 months away, is your organisation ready?
Why has the GDPR come about?
There is a need in Europe and beyond for a standardised data protection framework that addresses the rapid technological advancements that have taken place in recent years, putting the personal data of the masses at risk.
Where do vulnerabilities lie?
Everywhere. All organisations are at risk of a cyber-attack, despite common misconceptions that some industries are more secure than others.
The results of a survey carried out by the Information Commissioner’s Office (ICO) of 173 councils at the end of 2016 reveal that more than 15% of councils do not provide data protection training for employees processing personal data, and a third do not carry out privacy impact assessments (PIAs) as required by the GDPR.
The survey’s release coincided with the news that the ICO had fined Norfolk Council £60,000 for a data breach in which social work files were discovered in a cabinet bought in a second-hand shop by a member of the public.
Capgemini: The Currency of Trust, February 2017
74% of UK SMEs had a security breach in 2016.
While leaving vulnerable information in a cabinet or on a train may seem like a problem from 1997 rather than 2017 – when cloud technology means physical files never need to leave the office – the overarching security challenge remains.
Professionals across the public and private sectors must be aware of the nature of the data they are accessing from their home networks and ensure they are doing so securely.
Computer Weekly: Many Councils Still Unprepared for GDPR, March 2017
What about Brexit?
Despite the vote to leave the EU, UK businesses must continue to work towards GDPR compliance. Not only has the UK government stated that it is good business practice to do so, but the legislation applies to all businesses working within the EU and with EU data. A failure to comply can lead to significant fines and irreparable damage to a company’s reputation.
The latest thinking is that the UK could replace the 1998 Data Protection Act (DPA) with legislation that mirrors the GDPR, enabling the UK to achieve free data flow with the EU post-Brexit. The government has warned that it may take two to three years for the European Commission (EC) to decide that the UK has an adequate data protection regime.
While the impact of the Investigatory Powers Act on the UK’s GDPR compliance has yet to be fully understood, it is possible that the mass surveillance and data retention practices carried out under the Act could cause issues when the EC comes to decide whether the UK’s practices are adequate. The existence of these two extraordinarily contradictory legislations could result in a UK equivalent of the Privacy Shield agreement held between the US and the EU to facilitate secure transatlantic data flow.
If your business activities are contained within the UK or elsewhere within Europe, you will have to observe the protections afforded by the GDPR for citizens.
What happens if my business is not compliant?
The GDPR introduces a two-tier fine system that emphasises just how small a financial deterrent existed under the Data Protection Act (DPA).
As of the 2018 deadline, any data controller or processor that fails to comply with the Regulation faces the following fines:
Tier 1
Infringements of the Regulation’s core requirements (the basic principles for processing, the conditions for consent, data subjects’ rights and the rules on international transfers) carry fines of up to €20M (£17.25M) or 4% of the previous year’s global annual turnover, whichever is higher.
Tier 2
Infringements of the Regulation’s other obligations, including a controller’s or processor’s security and breach-notification duties, carry fines of up to €10M (£8.6M) or 2% of the previous year’s global annual turnover, whichever is higher.
It is estimated that if breaches remain at the same level as in 2015, the fines issued will rise 90-fold, from €1.4 billion to €122 billion.
Key changes to consent
Do you ask your customers for permission before you use their data? Do you go a step further and tell them what it will be used for? If the answer to either – or both – of these questions is no, you could be in trouble if you don’t start changing your ways before the GDPR deadline.
Why is consent important?
Consent enables your business to lawfully process data.
Organisations applying the GDPR’s standards are giving individuals greater control over their information and, in turn, building trusting relationships that ultimately keep customers coming back for more.
Any business found to be misusing personal data will be fined according to the highest level of the two-tier system and, most poignantly, is at serious risk of damaging its own reputation.
When is consent required?
Consent is one of the lawful bases for processing personal data, and the one most businesses rely on. There are, however, situations in which valid consent cannot be obtained and another lawful basis must be used instead; we’ll clarify this shortly. Consent is also needed under ePrivacy laws if you’re in the business of tracking communications or installing software and apps on devices.
If you rely on consent to use someone’s personal data, it must be given by a clear affirmative action. In practice this means no pre-ticked boxes: the user must always choose to tick the box themselves.
If you want to use an individual’s personal data for multiple purposes, they must give consent for each purpose separately.
Who might need an alternative method of gaining consent?
Most commonly, data controllers in a position of power such as public authorities and employers who are likely to find getting valid consent challenging and so must consider the alternative options.
For example, if a highly successful eCommerce business brings on board a new supplier of garden furniture, it will need a contract with that supplier which clarifies the role of each party and enables it to lawfully process the supplier’s data.
Whether you are the data controller or processor, you must always record how consent was given, who from, when, how, and what the interested parties were told.
You must not bundle your consent request with your standard terms and conditions.
Does your consent process meet GDPR standards?
Carry out a thorough review of existing consent processes and assess whether they meet the Regulation’s requirements. If they do, there is no need to request consent from the data subject again.
Key changes to breach notifications
Europe had a phenomenally inconsistent data protection landscape. It meant that when a Switzerland-based business suffered a data breach affecting people in Greece, Italy and Spain, the organisation would need to comply with the breach notification standards of each of the three member states.
This lack of uniformity throughout Europe means that while some member states, such as Spain and Germany, are recognised for their rigorous data breach privacy laws, there are also member states with minimal to no regulations in place.
In this environment, organisations in lax member states have not needed to notify an authority of a breach.
The GDPR smooths all this out with the introduction of a single breach notification requirement.
What is a personal data breach?
A personal data breach is not simply the loss of data but a breach of security, resulting in the destruction, loss, alteration, unauthorised disclosure of or access to personal data.
When must the relevant supervisory authority be notified?
The relevant supervisory authority must be informed of any data breach that puts an individual’s rights and freedoms at risk. This includes a loss of confidentiality and financial loss.
Data controllers must inform the supervisory authority without undue delay and within 72 hours of learning of a personal data breach. They must state:
Its nature
The approximate number of people affected
The contact information for the organisation’s DPO (if one has been appointed)
The controller must also pin-point the likely consequences of the breach and the measures taken to reduce further risk to those affected.
Data processors must tell the data controller about a data breach without undue delay after having become aware of it.
If a breach is likely to result in a high risk to the individuals concerned, the controller must also inform those individuals without undue delay.
The impact of data breaches
If we hark back to our real-world TalkTalk and Yahoo examples, we can see that the severe consequences each company experienced following their respective breaches were related to how they handled the aftermath of the breach, and not simply to the fact that the breach happened in the first place.
What should you be doing now?
Educate your employees about personal data breaches and how to spot when one has occurred.
Set-up an internal process for reporting a personal data breach.
Make sure you have the internal resources and processes in place to detect and investigate breaches. Speak to any third-party data processors if they are storing your data.
Put an incident response plan in place.
Are the rules different for electronic communications?
No, not really. The EU has introduced a complementary legal framework to the GDPR to clarify exactly what data controllers and processors must be doing to protect individuals’ communications; electronic or otherwise.
New cookies responsibilities for browser providers Users must be given the choice to consent to cookies as part of the browser software set-up. This should reduce or eliminate cookie banners on websites entirely.
Extra-territoriality and 4% fines The Regulation no longer applies solely to the EU. It applies to anyone in the world that provides publicly-available “electronic communications services” to acquire data from the devices of EU citizens. Any organisation that breaches the Regulation will be subject to the GDPR’s two-tier fine system. That means you should be paying attention even if your business is contained within the UK.
The Regulation application is expanded Unlike its predecessor, the ePrivacy Directive, the ePrivacy Regulation goes beyond the traditional telecommunications organisations and internet service providers. It incorporates messaging apps like WhatsApp, and email providers, amongst other communications suppliers such as Facebook and Snapchat.
New rules for processing communications data The Regulation introduces new rules for handling: what was said, who said it, where and when. This data is confidential; interfering with it could result in a Tier 1 fine.
Exemption for analytics cookies Businesses are exempt from the cookie consent requirement when using first-party analytics. However, using third-party analytics platforms such as Google Analytics requires user consent.
For the non-techy amongst you, ‘party’ refers to the website that places the cookie, identified by the cookie’s domain rather than its name. So when you visit www.ukfast.co.uk and the domain of the cookie placed on your computer is www.ukfast.co.uk, this is a first-party cookie. If you visit www.ukfast.co.uk and a cookie appears whose domain belongs to some other site, that cookie has been placed by a third party.
Like the GDPR, the ePrivacy Regulation is intended to come into effect on 25th May 2018.
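To make the first-party / third-party distinction concrete, here is a small Python script, written for this page as an added example (it is not TeamKinetic's code or any tool's), that classifies the `Set-Cookie` headers seen while loading a page by comparing each cookie's domain with the page's registrable domain. It goes slightly beyond the text by handling the `Domain` attribute (which can widen a cookie to a parent domain) rather than only host-only cookies. The `PUBLIC_SUFFIXES` set is a constructed, deliberately tiny stand-in for the Public Suffix List browsers use, and the sample headers, including the `analytics.example.com` host, are constructed for illustration.

```python
"""Classify Set-Cookie headers as first- or third-party for a visited page.

Added example for this page, not TeamKinetic code. The 'site' of a host is
approximated by its registrable domain (eTLD+1); PUBLIC_SUFFIXES is a small
constructed stand-in for the real Public Suffix List that browsers use.
"""
from urllib.parse import urlsplit

# Constructed, deliberately tiny subset of the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"uk", "co.uk", "com", "org", "net"}


def registrable_domain(host):
    """Return the eTLD+1 of host, e.g. 'ukfast.co.uk' for 'www.ukfast.co.uk'.

    Returns None when the host is itself a public suffix (a browser would
    reject a cookie scoped that widely).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Suffix not in our list: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_cookie(page_url, response_host, set_cookie):
    """Return (name, cookie_domain, party) for one Set-Cookie header.

    page_url      -- the top-level page the user is viewing
    response_host -- host that sent the header: the page itself or an
                     embedded resource such as an analytics script
    """
    page_host = urlsplit(page_url).hostname.lower()
    name, _value, attrs = parse_set_cookie(set_cookie)
    # With no Domain attribute the cookie is host-only for the responding
    # host; a Domain attribute widens it (a leading dot is ignored, RFC 6265).
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    cookie_site = registrable_domain(domain)
    same_site = cookie_site is not None and cookie_site == registrable_domain(page_host)
    return name, domain, "first-party" if same_site else "third-party"


def audit(page_url, responses):
    """Classify every (response_host, set_cookie) pair seen while loading page_url."""
    return [classify_cookie(page_url, host, header) for host, header in responses]


# Constructed sample: headers seen while loading www.ukfast.co.uk (illustrative only).
SAMPLE_RESPONSES = [
    ("www.ukfast.co.uk", "session=abc123; Path=/; Secure; HttpOnly"),
    ("www.ukfast.co.uk", "prefs=dark; Domain=.ukfast.co.uk; Path=/"),
    ("analytics.example.com", "_track=xyz; Domain=.analytics.example.com; Path=/"),
]

if __name__ == "__main__":
    for name, domain, party in audit("https://www.ukfast.co.uk/", SAMPLE_RESPONSES):
        print(f"{name:<10} {domain:<28} {party}")
```

The second sample shows why the domain, not the name, decides the party: `prefs` is set with `Domain=.ukfast.co.uk`, so it is shared across the site's subdomains but still first-party, while `_track` from the analytics host is third-party even though the page itself triggered the request. A real audit would replace `PUBLIC_SUFFIXES` with the full Public Suffix List.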
TeamKinetic is now a mature and fully featured volunteer management solution. As it has matured we have been able to more rigorously enforce a design principle for better impact across all user interfaces that we call Focus.
Focus is a collection of typography, grids, spacing, colour, layout and sizing rules that aim to achieve consistency of design, fluid layout for smaller screens and help to retain user focus on important tasks.
Volunteers, providers and administrators are presented with large amounts of information and we have been working hard to make this volume of information easy to digest in our Volunteer management application so the individual user focus is on the most pertinent information.
The biggest layout difference you will see is the support for a two-pane design with navigation elements in the left pane and the action area in the right pane. This layout also encourages the collection of tasks into one area, either functionally similar tasks or tasks commonly undertaken at the same time.
A two pane layout with a navigation bar on the left and the action panes on the right
Colours are restricted to a limited palette so that actionable areas like buttons, menus and links, are obvious and easy to find.
Font sizes are consistent and changes in font size are restricted to key text and headings.
Animations are used to indicate areas of focus when information is updated or the user enters a new area.
Panels are elevated when active using an animated shadow effect
Message and information areas are distinguished by a thick left border, the colour is contextual and can refer to the category, message type or other information.
Thick left borders indicate messages or important content areas
Where possible we want to avoid page refreshes, as they slow the user’s experience and can break their focus on the task at hand. Volunteers, providers and admin users all want to be able to undertake tasks without the need for a screen refresh. Extended use of AJAX, a method of performing user interactions immediately without loading a new page, enables us to keep the user focused on their task without the interruption of a page refresh and the subsequent visual scan of the page to locate the last point of focus.
AJAX methods are employed extensively across the admin area, especially when editing opportunities or volunteer profiles.
Grids and spacing automatically adjust to screen size and allow navigation areas to collapse to icon only links and wide content to collapse into vertical stacks keeping readability high.
Collapsible elements retain readability and usability for small screens
We just wanted to let you know what’s behind some of the design decisions in the brand new TeamKinetic v1 release and our design intent going forward.
Please add any comments you have below, thanks, The Team.