CIPD Statement of GDPR Compliance
As part of our preparations for GDPR, an internal cross-functional team (the GDPR Steering Committee) was set up with the remit to lead the CIPD’s approach, roll-out, provision of advice and monitoring of progress. They will continue to do so once GDPR comes into effect on 25 May 2018 and, as such, will assume the responsibilities of the ‘DPO’, including maintaining and implementing our policies and procedures relating to GDPR and ensuring we remain compliant. This work is overseen by our Director of Legal and Governance.
If you have any enquiries regarding GDPR and its application within the CIPD, you can address them to the GDPR Steering Committee at firstname.lastname@example.org
When processing personal data, CIPD has adopted the following principles, as laid down in the EU GDPR Regulation:
- Personal Data shall be processed lawfully, fairly and in a transparent way.
- Personal Data shall be collected for specified, explicit and legitimate purposes only.
- Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Personal Data shall be accurate and kept up to date. This means CIPD must have in place processes for identifying and addressing out-of-date, incorrect and redundant Personal Data.
- Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed.
- The integrity and confidentiality of Personal Data is maintained at all times through appropriate technical and organisational measures, including protection against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
Data subject rights
GDPR is intended to give individuals, such as our members and customers, more power over how organisations like us manage their personal data. In line with the GDPR, we have reviewed and enhanced our procedures to enable such data to be located and anonymised or erased, in order to respond to requests to delete, rectify, transfer, access or restrict the processing of data. This will enable us to facilitate the enhanced rights below:
- Handling Data Subject Access Requests
- Handling data portability and rectification requests
- The application of retention periods and the secure erasure of personal data
In the unlikely event that a data breach should occur, we have implemented a procedure for rectification, reporting to the ICO and, where required, to the data subject in accordance with the regulation.
Transfer of data
CIPD are an international association with members all over the world and offices in Ireland, United Arab Emirates and Singapore. As such, the data we collect may be transferred to, and stored at, a destination outside the European Economic Area (‘EEA’). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. In line with the GDPR, CIPD have the necessary safeguards in place to ensure data is safely and appropriately transferred.
Compliance will be supported by a review of existing contracts with data controllers, processors, the use of sub-contractors and any data export arrangements.
Depending on the purpose for which you are providing your personal data, for the purpose of the Data Protection Act (the ‘Act’), the data controller (or entity responsible for the data collected) will be either us and/or any of our subsidiaries* (together the ‘CIPD Group’). Within the context of this policy ‘we’ means the CIPD Group.
*CIPD Enterprises Ltd, 151 The Broadway, London SW19 1JQ (registered in England: 02921009); CIPD Asia Ltd, 43 Niven Road, Singapore (registered in Singapore: 201401681N); CIPD Middle East FZ-LLC, Dubai Knowledge Park, UAE PO Box 503231 (registered in Middle East: 93098)
Data we may collect from you
The CIPD Group may collect and process the following data about you:
- Information acquired/provided through our Website or the website of any member of the CIPD Group (collectively the ‘Websites’). This includes information provided at the time of registering to use the Websites, subscribing to our services, personalising the Websites with your preferences, participating in discussion boards or other social media functions, posting material or requesting further services. We may also ask you for information when you enter a competition or promotion sponsored by any member of the CIPD Group, when you respond to a survey and/or when you report a problem with the Websites.
- If you contact us, we may keep a record of that correspondence. If you send us personal information which identifies you via email, we may keep your email and email address. We may also collect information that is available from your browser.
- We may ask you to complete optional surveys for research purposes.
- Details of transactions you carry out through the Websites and of the fulfilment of your orders.
- Details of your visits to the Websites including, but not limited to, traffic data, location data, weblogs and other communication data, and the resources that you access.
- Details of your access to our online resources or other materials.
- CVs or other information about yourself that you provide for specific purposes.
We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to either the CIPD Group or our advertisers/partners. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.
How we use your data
We use personal information held about you in the following ways:
- to update and enhance our records
- to compile information relating to your use of our products and services and make recommendations about goods and services and other areas that may interest you
- to ensure the content from the Websites is presented in the most effective manner for you and your computer
- to carry out our obligations arising from any contracts entered into between you and us to provide you with the information, products and services that you request from us
- to provide you, or permit selected third parties to provide you, with information about CIPD goods and services which may interest you. If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about goods and services similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, we or permitted third parties will contact you by electronic means only if you have consented to this. You can opt-in/out of such notifications by following the instructions on the relevant forms set out on this Website (or elsewhere as applicable) or at any time after providing your information
- inviting you to participate in research studies and/or market research activities
- we may analyse your data to create a profile of your interests and preferences so that we can contact you in the most appropriate way and with the most relevant information
- to respond to queries from members of the public about your membership status
- to provide information about and communications from your local branch network
- to serve notice in accordance with the requirements of our Charter and Bye-laws, Regulations and Code of Conduct, where applicable.
Disclosure of your data
We may disclose your personal information to third parties without obtaining further consent from you including:
- to our business partners, suppliers and subcontractors for the performance of any contract we enter into with you
- where we outsource any of our business functions under which we collect or store your data, in which case we will ensure that any such service provider adheres to at least the same obligations of security with regard to your data as undertaken by us
- where we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Website Terms & Conditions and other agreements; or to protect our rights, property, or safety of our employees, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We will never sell your data to third parties for the purposes of marketing.
Where we store your data
Any payment transactions will be encrypted using SSL technology.
You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we wish to use your data for such purposes or if we intend to disclose your information to any third party for such purposes and request your consent to these activities. If you wish to change your mailing preferences or opt-out of specific marketing communications sent from the CIPD Group, you may notify us via our Contact us form. Alternatively you may contact us on +44 (0)20 8612 6208. It may take up to 21 days for the changes to come into effect. Please note that this will not alter your current email subscription preferences.
The Websites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Access to information
The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee (as amended from time to time) to meet our costs in providing you with details of the information we hold about you.
If you would like to request a copy of your personal data under the Act or have any other related queries, please email email@example.com.
We will take reasonable steps to create an accurate record of any personal data you have submitted. However, we do not assume responsibility for confirming the ongoing accuracy of your personal data. You can update your personal data by making amendments in the 'My Profile' section of our Website, by emailing us at firstname.lastname@example.org or by calling us on +44 (0)20 8612 6208. Please note that it will take up to 21 days for the changes to come into effect.