Last updated 8th April 2022
Means:
Means the General Data Protection Regulation (EU) 2016/679.
Means Jo Jenks, person responsible for data protection within GDI, contactable at the following mailing address: Disinformation Index Ltd, 4 Emmanuel Court, Reddicroft, Sutton Coldfield, West Midlands B73 6AX, UK or via email at: [privacy@disinformationindex.org](<>)
Means a register of all systems or contexts in which personal data is processed by GDI.
GDI is committed to processing data in accordance with its responsibilities under legislation in the countries in which it operates, which includes (but is not limited to) the GDPR. Article 5 of the GDPR requires that personal data shall be:
This policy applies to all personal data processed by GDI.
The Responsible Person has lead responsibility for GDI’s ongoing compliance with this policy.
This policy shall be reviewed at least annually.
Disinformation Index Ltd is not required to pay a fee to the Information Commissioner’s Office as an organisation that processes personal data since it is a company limited by guarantee set up for not-for-profit purposes.
To ensure its processing of data is lawful, fair and transparent, GDI maintains a Register of Systems, which is reviewed at least annually.
Individuals have rights in relation to the processing of their date, including the right to access their personal data in accordance with legal requirements, and any such requests made to GDI shall be dealt with in a timely manner, and in accordance with statutory deadlines.
All data processed by GDI shall fall within one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information). GDI will note the appropriate lawful basis in the Register of Systems and - where consent is relied upon as a lawful basis for processing data - evidence of opt-in consent will be kept with the personal data.
Data is retained for three (3) years following your last contact with GDI or until you object to one and/or more of these uses by clicking on the corresponding link appearing in GDI’s newsletters, or by sending a simple written request to the Responsible Person at the above-mentioned address.
To ensure that personal data is kept for no longer than necessary, GDI has in place an archiving policy for each area in which personal data is processed and reviews this process annually. The archiving policy considers what data should/must be retained, for how long, and why.
GDI ensures that personal data is stored securely using modern software that is kept-up to date.
Access to personal data is limited to personnel who need access and appropriate security is in place to avoid unauthorised sharing of information.
When personal data is deleted, the data is rendered irrecoverable.
Appropriate back-up and disaster recovery solutions are in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, GDI shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the applicable regulator.