Privacy Policy

Introduction

The EU General Data Protection Regulation ("GDPR") comes into force across the European

Union on 25 th May 2018 and brings with it the most significant changes to data protection

law in two decades. Founded on the fundamentals of privacy by design and a risk-based

approach, the GDPR has been designed to meet the requirements of the digital age.

The 21 st Century brings with it broad use of technology, new definitions of what constitutes

personal data, and a vast increase in cross-border processing. The new Regulation aims to

standardise data protection laws and processing across the EU, affording individuals

stronger, more consistent rights to access and control their personal information.

Our Commitment

Lets Do (‘we’ or ‘us’ or ‘our’) are committed to ensuring the security and

protection of the personal information that we process, and to provide a compliant and

consistent approach to data protection. We have always had a robust and effective data

protection program in place which complies with existing law and abides by the data

protection principles. However, we recognise the requirement and importance of updating

and expanding this program to meet the demands of the GDPR.

Lets Do are dedicated to safeguarding the personal information under our remit

and to developing a data protection regime that is effective, fit for purpose and

demonstrates an understanding of, and appreciation for the new Regulation. Our

preparation plans for the GDPR have been summarised in this statement and includes the

development and implementation of new data protection roles, policies, procedures,

controls and measures to ensure maximum and ongoing compliance.

How we are Preparing for the GDPR

Lets Do already have a consistent level of data protection and security across our

organisation, to be fully compliant with GDPR Our preparation includes: -

● Information Audit - carrying out a company-wide information audit to identify and

assess what personal information we hold, where it comes from, how and why it is

processed and if and to whom it is disclosed.

● Policies & Procedures - revising data protection policies and procedures to meet the

requirements and standards of the GDPR and any relevant data protection laws,

including: -

o Data Protection – our main policy and procedure document for data

protection has been overhauled to meet the standards and requirements of

the GDPR. Accountability and governance measures are in place to ensure

that we understand and adequately disseminate and evidence our obligations

and responsibilities; with a dedicated focus on privacy by design and the

rights of individuals.

o Data Retention & Erasure – we have updated our retention policy and

schedule to ensure that we meet the ‘data minimisation’ and ‘storage

limitation’ principles and that personal information is stored, archived and

destroyed compliantly and ethically. We have dedicated erasure procedures

in place to meet the new ‘Right to Erasure’ obligation and are aware of when

this and other data subject’s rights apply; along with any exemptions,

response timeframes and notification responsibilities.

o Data Breaches – our breach procedures ensure that we have safeguards and

measures in place to identify, assess, investigate and report any personal

data breach at the earliest possibility. Our procedures are robust and have

been disseminated to all employees, who are aware of the reporting lines

and steps to follow.

o Subject Access Request (SAR) – we have revised our SAR procedures to

accommodate the revised 1-month timeframe for providing the requested

information and for making this provision free of charge. Our new procedures

detail how to verify the data subject, what steps to take for processing an

access request, what exemptions apply and a suite of response templates to

ensure that communications with data subjects are compliant, consistent and

adequate.

● Legal Basis for Processing - we are reviewing all processing activities to identify the

legal basis for processing and ensuring that each basis is appropriate for the activity

it relates to. Where applicable, we are also maintaining records of our processing

activities, ensuring that our obligations under Article 30 of the GDPR are met.

● Privacy Policy – we have revised our Privacy Notice(s) to comply with the GDPR,

ensuring that all individuals whose personal information we process have been

informed of why we need it, how it is used, what their rights are, who the

information is disclosed to and what safeguarding measures are in place to protect

their information.

● Obtaining Consent - we have revised our consent mechanisms for obtaining personal

data, ensuring that individuals understand what they are providing, why and how we

use it and giving clear, defined ways to consent to us processing their information.

We have developed stringent processes for recording consent, making sure that we

can evidence an affirmative opt-in, along with time and date records; and an easy to

see and access way to withdraw consent at any time.

● Direct Marketing - we have revised the wording and processes for direct marketing,

including clear opt-in mechanisms for marketing subscriptions; a clear notice and

method for opting out and providing unsubscribe features on all subsequent

marketing materials.

Notice of Collection Data and Cookies

By visiting www.letsdo.org.uk , you accept the practices described in this privacy policy and

consent to the collection and use of your personal data by us for the purposes outlined in

this Privacy Policy.

www.letsdo.org.uk use cookie and tracking technology. Cookie and tracking technology are

useful for gathering information such as browser type and operating systems, tracking the

numbers of visitors to www.letsdo.org.uk and understanding how visitors use the website.

Personal information cannot be collected via cookie and other tracking technologies,

however, if you previously provided personally identifiable information, cookies may be tied

to such information.

Our cookie policy is outlined on this website separately.

What data is being collected

If you are simply visiting www.letsdo.org.uk we do not collect any personal data about you

besides cookie data. Information collected in this way does not reveal your contact details

or any type of data.

We collect personally identifiable information like names, postal addresses, email address

etc when voluntarily submitted by you. You may choose to sign up to our newsletter, enter

a competition, apply for an offer, make contact with an area sales manager, provide

business cards at exhibitions etc...

How we collect data

We collect data from information supplied by you when you give Lets Do your

email address (Via website subscription or through our area sales managers) You may opt

out of any marketing emails at any point by clicking ‘unsubscribe’ or ask us to permanently

remove your information from our internal systems.

Why data is being collected

We collect data to help us tailor and personalize your experience with Lets Do. We

want you to have the most up to date information where possible and Information gathered

helps us to monitor traffic patterns such as number of users to the site, pages visited and

the length of visit to enable us to improve the service we provide.

How we use your data

The information you provide to us (Via website subscription or through our area sales

managers) is used to fulfil your specific request and send you up to date marketing

information on a monthly basis. (You have the option to unsubscribe or opt out of these

emails at any point) Your personal information will not be passed on to another company.

Data is stored on our protected CRM system and Marketing mailing lists. We use

appropriate physical, electronic and managerial measures to try and prevent that personal

data from being accessed by unauthorized persons to ensure that you may input personal

data safely.

Data Subject Rights

In addition to the policies and procedures mentioned above that ensure individuals can

enforce their data protection rights, we provide easy to access information via our head

office in Staffordshire of an individual’s right to access any personal information that

Lets Do processes about them and to request information about: -

● What personal data we hold about them

● The purposes of the processing

● The categories of personal data concerned

● The recipients to whom the personal data has/will be disclosed

● How long we intend to store your personal data for

● If we did not collect the data directly from them, information about the source

● The right to have incomplete or inaccurate data about them corrected or completed

and the process for requesting this

● The right to request erasure of personal data ( where applicable ) or to restrict

processing in accordance with data protection laws, as well as to object to any direct

marketing from us and to be informed about any automated decision-making that

we use

● The right to lodge a complaint or seek judicial remedy and who to contact in such

instances

Information Security & Technical and Organisational Measures

Lets Do takes the privacy and security of individuals and their personal information

very seriously and are taking every reasonable measure and precaution to protect and

secure the personal data that we process. We have dedicated information security policies

and procedures in place to protect personal information from unauthorized access,

alteration, disclosure or destruction and have several layers of security measures, including:

-

SSL certificates, access controls, password policies, encryptions, restriction, IT security

systems.