All our privacy policies in one place

GDPR statement of compliance

Introduction and overview

We have studied the Information Commissioner’s Office (ICO) guidelines concerning compliance with the new General Data Protection Regulation (GDPR) rules. This document explains how We Are Open Co-op (WAO) complies, using the structure of the ICO booklet, “Preparing for the General Data Protection Regulation – 12 Steps to Take Now”.


The Company Secretary and all members of WAO are aware that GDPR comes into effect on 25th May 2018. The Company Secretary and all members have read and adhere to our data protection privacy policies.

Data we hold

We hold the following data, which can be accessed by relevant members of WAO:

The Company Secretary has access to the following data:

The Company Secretary and Weaver Financial Ltd. (our accountants) have access to the following data:

We do not share this information with anyone outside of We Are Open Co-op and Weaver Financial Ltd (based in the UK).

Communicating private information

We have taken the following steps:

  1. Placed this document on our website with links to our data protection policy and privacy policy.
  2. Updated MailChimp to ensure our email-based communication is GDPR compliant.
  3. Ensured the Company Secretary and members are up to date with the latest policy amendments and procedures.

Individuals’ rights

Any individual or organisation may request to be informed of the data held by WAO about them. We will update or delete this data subject to reasonable requests in order to comply with GDPR. Note that we have a legal requirement to retain some financial records for auditing purposes.

Subject access requests

We will respond to all requests for information within the one-month compliance period. In order to action the request, please note that the individual or organisation will be requested to prove their identity.

Lawful basis for processing data

Any individual or organisation subscribed to our email lists can unsubscribe at any time by clicking the relevant link in one of our communications, or by contacting us via our website. These email addresses are retained as ‘unsubscribed users’ for a one-year period for auditing reasons.

Information held in Xero is stored solely for accounting purposes.


Individuals and organisations who subscribe to our email lists are over the age of 13. If we find that there are subscribers under this age, we will remove them from the list, explaining why we are doing so.

Data breaches

We aim to prevent data breaches by using strong passwords with two-factor authentication where available. If any organisations that we use as data processors are compromised, we would take steps to follow their advice immediately, and inform the data subjects.

Data Protection by Design and Data Protection Impact Assessments

We have familiarised ourselves with the ICO’s code of practice on Privacy Impact Assessments.

Data Protection Officers

We have appointed a Data Protection Officer (DPO) who can be contacted at:


We have registered with the UK’s lead data protection supervisory authority, the Information Commissioner’s Office (ICO).

Our commitment to your privacy

We’re serious about protecting your personal data. This note explains:

If you have any questions or queries about this notice please email us at

How We Are Open Co-operative Ltd (“we”) use your information

Your privacy is important to us. We are committed to safeguarding the privacy of your information.

Why are we collecting your data?

When required we collect personal data to provide an appropriate level of service to you and to comply with the law regarding data sharing. In legal terms this is called ‘legitimate interests’. We collected your personal data when you corresponded with us during a sales process or signed up for one of our services. When it is required, we may also ask you for your consent to process your data. We never share your information with others.

The categories of information that we may collect and hold include:

How and when we use your personal data

We’re committed to using your personal data responsibly and lawfully. Here’s what we do with your personal data:

Your personal data is all stored within the EU or on platforms including Google Applications that have Privacy Shield and/or other features to ensure we can use them in ways compliant with the GDPR in general, and our privacy and data retention policies specifically.

Google Apps’ Privacy Shield Certification is here:

To help us to maintain the accuracy of the personal data that we hold please let us know if we hold out of date or inaccurate information about you.

Storing your data

We hold your data for varying lengths of time depending on the type of information in question, but in doing so we always comply with Data Protection legislation. We will hold your data for six years from the end of the contracted business relationship or the date of last correspondence, whichever is the later.

Who do we share your information with?

We will not share your information with third parties without your consent unless the law requires us to do so or as necessary for our own legitimate interests or those of other persons and organisations, e.g.:

Sharing your personal data

There are only a few occasions where we will share your personal data with a third party. They are:

Requesting access to your personal data

Under Data Protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information contact our Data Protection Officer (DPO).

You also have the right to:

For further information on how your information is used, how we maintain the security of your information and your rights to access information we hold on you please get in touch with our Data Protection Officer using the contact details below.

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us in the first instance or directly to the Information Commissioner’s Office at


To discuss anything in this privacy notice, please contact our Data Protection Officer:


"Data Protection Legislation" means the Data Protection Act 1998, the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (SI 2426/2003 as amended), and all applicable laws and regulations, including any replacement UK or EU data protection legislation relating to the Processing of Personal Data, including, where applicable, the guidance and codes of practice issued by the Information Commissioner’s Office.

The Data Protection Legislation (“the Legislation”) is concerned with the protection of human rights in relation to personal data. The aim of the Legislation is to ensure that personal data is used fairly and lawfully and that where necessary the privacy of individuals is respected. As part of regular business activities, We Are Open Co-op (“WAO”) will collect, store and process personal data about our members, clients and suppliers and other third parties and we recognise that the correct and lawful treatment of this data will maintain confidence in WAO. This policy sets out the basis on which we will process any personal data we collect from data subjects, or that is provided to us by data subjects or other sources.

The Data Protection Officer (“DPO”) is responsible for ensuring compliance with the Legislation and with this policy. The post is currently held by Doug Belshaw.

Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the DPO.

What is personal data?

Personal data is defined as data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Processing personal data

All personal data should be processed in accordance with the Legislation and this policy. Any breach of this policy may result in disciplinary action such as continued membership of WAO.

Processing includes obtaining, holding, maintaining, storing, erasing, blocking and destroying data.

Personal data is data relating to a living individual. It includes employee data. It will not include data relating to a company or organisation, although any data relating to individuals within companies or organisations may be covered. Personal data can be factual (for example a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Examples of personal data are employee details, including employment records, names and addresses and other information relating to individuals, including supplier details, any third-party data and any recorded information including any recorded telephone conversations, video calls, emails or CCTV images.

The Secretary and members who process data on behalf of WAO should assume that whatever they do with personal data will be considered to constitute processing. Individuals should only process data:

Compliance with the Legislation

The Secretary and members who process data on WAO’s behalf have a responsibility for processing personal data in accordance with the Legislation. Anyone who has responsibility for processing personal data must ensure that they comply with the data protection principles in the Legislation. These state that personal data must:

Monitoring the use of personal data

WAO are committed to ensuring that this data protection policy is put into practice and that appropriate working practices are being followed. To this end the following steps will be taken:

Handling personal data and data security

We will take appropriate technical and organisational steps to guard against unauthorised or unlawful processing. Records will be stored on Google Apps, Xero, MailChimp and Loomio. Access to these records will be restricted to account holders with passwords only. Paper-based records relating to members, clients or suppliers will be kept secure in a locked cabinet. Access to these will be restricted to the Secretary. The privacy policies of each of the cloud-based applications used by WAO can be found as follows:

We will ensure that the Secretary and members who handle personal data are adequately trained and monitored.

Security policies and procedures will be regularly monitored and reviewed to ensure data is being kept secure.

Where personal data needs to be deleted or destroyed, adequate measures will be taken to ensure data is properly and securely disposed of. This will include destruction of files and backup files and physical destruction of manual files. Particular care should be taken over the destruction of manual sensitive data (written records), including shredding or disposing via specialist contractors.

All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed. Any agent employed to process data on our behalf will be bound to comply with this data protection policy by a written contract. Personal data stored on a laptop should be password protected.

The rights of individuals

The Legislation gives individuals certain rights to know what data is held about them and what it is used for. In principle everyone has the right to see copies of all personal data held about them. There is also a right to have any inaccuracies in data corrected or erased. Data subjects also have the right to prevent the processing of their data for direct marketing purposes.

Any request for access to data under the Legislation should be made to the DPO in writing. In accordance with the Legislation we will ensure that written requests for access to personal data are complied with within 30 days of receipt of a valid request.

When a written data subject access request is received, the data subject will be given a description of a) the personal data, b) the purposes for which it is being processed, and c) those people and organisations to whom the data may be disclosed, and d) will be provided with a copy of the information in an intelligible form.

Sensitive data

No sensitive data will be requested, gathered or stored by WAO.

Changes to this policy

We reserve the right to change this policy at any time. Where appropriate we will notify data subjects of those changes by mail or email.

Policy adopted on 22/5/18.