GDPR - Privacy Notice and Data Protection Policy

Privacy Notice


Revised: 24/05/2018

This privacy notice relates to the personal data processed by The Ditchley Foundation (Ditchley), in pursuit of its mission to connect people and ideas to enable new thinking, new connections and new scope for action to address the current global challenges and help shape the future.

There is a separate privacy notice applicable to employees of Ditchley which can be read in full here.

Who is the Data Controller?


The Ditchley Foundation is registered with the Information Commissioner’s Office (ICO) as a Data Controller.

What does Ditchley do?

Ditchley connects people and ideas to enable new thinking, new connections and new scope for action to address the current global challenges and help shape the future.

Positioned at the crossroads of government, business and technology, we work to renew and redefine how liberal democracies can lead and engage in an evolving world.

This is achieved by connecting with individuals who have a publicly identified interest in the given subject and inviting them to engage with Ditchley by means of events of varying sizes, either at Ditchley Park or elsewhere.

How do we process data?


Ditchley staff process data under the lawful basis of legitimate interests.

We are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.

Will we share your data with anyone else?

Personal information is not shared with any unauthorised third parties. Authorised third parties may use your personal information for payment processing or analysis on behalf of Ditchley.

For how long will you keep my personal data?

All data we hold has a limited privacy impact and will be retained for the purposes of contacting you in the course of our normal activity and for historical, statistical or research purposes as outlined above unless its disposal is requested.

What rights do I have to my personal data?

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
•  Right of access – you have the right to request a copy of the information that we hold about you.
•  Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
•  Right to be forgotten – you can ask for the data we hold about you to be erased from our records.
•  Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
•  Right of portability – you have the right to have the data we hold about you transferred to another organisation.
•  Right to object – you have the right to object to certain types of processing, such as direct marketing.
•  Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
•  Right to judicial review: if our office refuses your request under rights of access, we will provide you with a reason why. You have the right to complain.


Data Protection Policy summary


This document outlines how The Ditchley Foundation processes and manages personal data. It:
•  identifies our data controller and designated data protection officer;
•  provides our lawful basis for processing personal data;
•  outlines the scope of personal data we hold and process;
•  outlines the scope of the special category personal data we hold and process;
•  describes and justifies our data retention policy;
•  shows how we intend to respond to Subject Access Requests; and
•  contains a copy of our privacy notice.

1. Data Controller and Data Protection Officer

The Ditchley Foundation (Ditchley) is registered with the Information Commissioner’s Office (ICO) as a Data Controller. Ditchley has appointed Katie Williams, Major Events and Projects Lead, as Data Protection Officer.

2. Lawful basis for processing

Data is processed primarily under the lawful basis of legitimate interests. It has a limited privacy impact.

We undertake to always act within the reasonable expectations of any individuals about whom we hold personal data.

3. Data we hold

As of 18th May 2018, Ditchley’s database holds information on approximately 34,000 individuals.

Data is stored electronically and securely on our computer system or, in the case of personnel records, in locked cabinets.

Core activity
Ditchley uses a CRM (Customer Relationship Management) system to manage its programme of events and activity. This information primarily includes but is not limited to:
•  Names, addresses and email addresses.
•  Telephone numbers.


Fundraising
Ditchley also uses its CRM to record donations and other gifts and generate gift aid reports. This information primarily includes but is not limited to:
•  Names, addresses and email addresses.
•  Telephone numbers.
•  Gift date, amount and whether gift aided.

Staff
In addition, Ditchley stores details of all personnel according to its legal obligations, electronically using Sage and Xero and in paper format in locked cabinets. This information predominantly includes but is not limited to:
•  Names, addresses and email addresses.
•  Telephone numbers.
•  National Insurance Numbers, Passport Numbers, Driver Licence Numbers.

A more detailed statement regarding the privacy policy applying to staff data may be found here.

5. Data retention policy

All data we hold has a limited privacy impact and will be retained for the purposes of contacting you in the course of our normal activity and for historical, statistical or research purposes as outlined above unless its disposal is requested.

6. Subject Access Requests

We will comply with Subject Access Requests in line with the guidance given by the ICO.
•  We will respond as quickly as possible, within 30 calendar days.
•  We will request verification of the identity of any individual making a request, and ask for further clarification and details if needed.
•  Data subjects have the right to the following:

   - To be told whether any personal data is being processed.
   - To be given a description of the personal data, the reasons it is being processed and whether it will be given to other organisations or people.
   - To be given a copy of the information comprising the data, and given details of the source of the data where this is available.


7. Privacy notice

Ditchley will undertake to ensure that all individuals for whom we hold data can have the opportunity to read our privacy notice. We will:
•  Publish our privacy notice on the website at www.ditchley.co.uk
•  Add a link to our privacy notice to staff email signatures.


Ditchley's full Data Protection Policy can be found here.