GCMA® Data Protection Policy

1.INTRODUCTION

Global Crowd Management Alliance (GCMA®) is a not-for-profit organisation. The organisation needs to collect, store, and use certain types of information about their members in order to carry out the day-to-day work of the Alliance.

2.DATA CONTROLLER

GCMA® is the Data Controller under the Data Protection Act 2018, which means that it determines what purposes personal information held will be used for.

As it is a not-for-profit organisation collecting and storing data for membership purposes only, it is not required to inform the Information Commissioner of the data it holds or is likely to hold, and the general purposes that this data will be used for.

See exemption information here

To this end, GCMA® will adhere to the Principles of Data Protection, as detailed in the Data Protection Act 1998. Specifically, the Principles require that personal information:

  • Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met,

  • Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes,

  • Shall be adequate, relevant, and not excessive in relation to those purpose(s)

  • Shall be accurate and, where necessary, kept up to date,

  • Shall not be kept for longer than is necessary,

  • Shall be processed in accordance with the rights of data subjects under the Act,

  • Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,

  • Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of Individuals/Service Users in relation to the processing of personal information.

3.TRANSPARENCY

3.1 The personal data we collect:

Our primary reason for collecting data is to manage our membership. Data collection will only take place with informed consent.

Informed consent is when

  • A member clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data

  • And then gives their consent.

GCMA® will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person or online.

When collecting data, GCMA® will ensure that members:

  • Clearly understand why the information is needed

  • Understand what it will be used for and what the consequences are should the member decide not to give consent to processing

  • As far as reasonably possible, grant explicit consent, either written or verbal for data to be processed

  • Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress

  • Has received sufficient information on why their data is needed and how it will be used

3.2 We collect data when you:

  • Apply to be a member or renew membership

  • Tell us about changes in personnel

  • Tell us about changes in your business e.g. moving location / new address

  • Respond to surveys

  • Attend meetings (virtual or face-to-face)

  • Attend trainings/webinars (virtual or face-to-face)

3.3 How we collect the data:

  • Data is predominantly collected online, via the application portal, online surveys, emails, and booking forms.

  • Data may also be collected in person at face-to-face meetings, events, conferences, and training sessions. This data will be transferred to the digital database at the earliest opportunity and paper copies destroyed.

3.4 The data we collect includes:

  • Names / addresses / email addresses / phone numbers / website address / social media addresses

  • Level of membership applied for

  • Business description / details of goods and/or services

  • VAT status

  • Insurance information

  • Details of annual turnover / published accounts / financial information in the public domain

  • Details of your internal policies and procedures e.g. Accident reporting, HR and Recruitment, H&S Policy, Communication Policy etc.

  • Training delivered to employees

  • PPE / uniform given to employees

  • Number of employees

  • Membership of professional bodies / approved contractor schemes

  • Management Structure

  • Contact details for referees

  • Comments / feedback in response to survey questions

  • Comments / feedback on:

    • Proposed Board members

    • New Alliance members

    • Alliance business – policies, strategic direction etc.

3.5 How we use the data we collect:

  • To process membership applications

  • To inform Alliance business activities

  • To provide anonymised data to relevant partners, government bodies, media etc. regarding issues that impact the crowd management industry

  • To book places on training courses (face-to-face and virtual) and at meetings (face-to-face and virtual)

3.6 Storage location of the data we collect:

  • Data will be held on a shared Google drive, only accessible by the Board.

3.7 How long do we store the data we collect:

  • For the duration of your membership. Personal data will be deleted / destroyed within 6 months of termination of membership.

4.YOUR RIGHTS

Should you believe that any personal data we hold on you is incorrect or incomplete, you can request to see this information, rectify it or have it deleted. Please contact us at hello@thegcma.com

In the event that you wish to complain about how we have handled your personal data, please contact hello@thegcma.com and we will investigate and respond within 21 working days.

If you still feel that your personal data has not been handled appropriately according to the law, you can contact the Government Data Protection Authority offices for your country/region and file a complaint with them.

5.ACCOUNTABILITY

The Secretariat is responsible for the collection, processing, and storage of data

The Board is responsible for monitoring systems and procedures and ensuring data is being handled in line with this policy

6.DATA BREACH PRACTICES

If GCMA® learns of a suspected or actual personal data breach, the Secretariat, under instruction from the Board, will perform an internal investigation and take appropriate remedial measures in a timely manner. Where there is any risk to the rights and freedoms of Data Subjects, GCMA® shall notify the relevant members without undue delay and, when possible, within 72 hours.