
GDPR for volunteers

It’s important for organisations to choose a provider that makes every effort to protect customer data. Satisfying compliance is an on-going process, and many organisations cannot adequately manage their assets with traditional manual processes. Access Assemble offers a powerful set of features and functionality to make the process easier.

Working with customers to keep their data secure

The regulatory landscape is changing and we built Access Assemble with that in mind – take advantage of security and privacy features that are built into Access Assemble. Whether you’re someone responsible for compliance, a decision-maker considering volunteer management software or a current Access Assemble user seeking clarification, find out how we help with identifying, managing and safeguarding your data.

Access Assemble lets you configure and use your account in ways that support your organisation’s GDPR compliance efforts. Broken down into four key areas, we show you how Access Assemble offers a range of features that can help address requirements of the GDPR.

Identify

An important step towards GDPR compliance is understanding what data you have and where it resides. Assemble provides you with complete control, making it easier to quickly locate and identify the personal data you collect across your organisation.

With Access Assemble, you can:

  • Search - Every person, message, application, and document in Assemble is archived, indexed, and available through search, making the past easily referenceable. Assemble also indexes the content of every file so you can search within PDFs, Word documents, and more.
  • Filter - Refine and limit the data you're looking for based on specific criteria.
  • Centralisation - Feature-rich platform that keeps data and processes together in one place; incorporate recruiting, scheduling, document management, communication and reporting efforts in one central location.

Manage

The GDPR provides data subjects with more control over how their personal data is collected and used. In order to satisfy obligations to data subjects, it’s important to govern how personal data is used and accessed.

With Access Assemble, you can:

  • Include consent - Display custom privacy notices and request and obtain consent where personal data is collected.
  • Update - Amend inaccurate or incomplete personal data (Self-service functionality also exists for volunteers to update personal information).
  • Export - Meet data subject access/portability requests by using Assemble data export capabilities.
  • Archive - Automatically archive and anonymise data once the configured storage retention limit has been reached.
  • Data erasure - Based on parameters set by customers, Assemble retains data for the configured period before it is processed for deletion.
  • Pseudo-anonymise - Sensitive information is never stored directly against an identifiable individual; it is held against a separate key, and that key is never exposed to any user of the system.
  • Restrict - Lock role profiles during the application process to ensure recruiting teams adhere to data minimisation.

Safeguard

The GDPR requires that organisations incorporate data privacy and protection principles into their products. As part of our Information Security Management System (ISMS), Access Assemble is developed to incorporate privacy-by-design and privacy-by-default methodologies.

With Access Assemble, you can:

  • Manage user identities - Sign in as a user and easily manage your team and data from a single access point.
  • Role based permissions - Group together a set of privileges that limit access to data and the tasks that can be performed by a given user via security roles and hierarchy levels.
  • Two-factor authentication - Optional security feature which adds an extra layer of protection to user accounts. Users are required to input a six-digit security code to sign in or connect a new device.
  • Access - Temporarily grant, pause and restrict user access to the system.
  • Data centres - ISO 27001 accredited data centres store all customer data in the EU.
  • Transparent Data Encryption - To protect personal data in transit and at rest.

Audit

The GDPR sets new standards in transparency, accountability, and record-keeping. Organisations will need to demonstrate how they handle personal data and actively maintain documentation defining processes and use of personal data.

With Access Assemble, you can:

  • Track and record - Touchpoints let you record changes to personal data providing a history of activity.
  • Audit trail - Automatic tracking of when and how volunteer data was obtained.
  • Transparent communication - Trackable team and volunteer communication.
  • User logs - Track the date and time of user logins, password reminder requests and successful/failed two-factor authentication attempts.
  • Consent - Prove when and how consent was obtained when collecting personal data.

Still using spreadsheets to manage your volunteers?

Spreadsheets, which are widely used in organisations for storing and managing volunteer data, pose one of the biggest risks to GDPR compliance and could prove costly.

  • Poor audit trail
  • No access controls
  • Poor versioning
  • Easily duplicated and modified

Your compliance journey: what to know

GDPR FAQs

Guidance

What is GDPR?

The General Data Protection Regulation, or GDPR, is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU citizens. It replaces the Data Protection Directive and came into effect on 25th May 2018. Irrespective of Britain leaving the European Union, UK organisations that handle personal data will still need to comply with the new regulation.

You should consult with legal and other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however, if you are an organisation that is processing the personal data of EU citizens, the GDPR will apply to you. Even if all that you are doing is collecting or storing email addresses, if those email addresses belong to EU citizens, the GDPR likely applies to you.

One of the main aims of the GDPR is to harmonise data privacy laws across Europe and bring them up to speed with the rapid technological change of the past two decades, helping to strengthen an individual's right to privacy.

How do I ensure we're GDPR compliant?

It is recommended you seek legal advice to determine what may be required for your organisation. However, there are a number of factors that all organisations should be considering.

Although it affects how organisations deal with employee data, one of the more pressing issues will be the impact on how they handle donor data and relationships with volunteers. A lot of the GDPR has direct implications on how organisations run and how they handle volunteer data — introducing stricter rules about data processing and who organisations can contact.

You should be making sure that key people and decision makers in your organisation are aware of the introduction of the GDPR. Much of the new regulation coincides with requirements already set by the DPA; however, there are some changes, and they need to understand the impact these are likely to have.

Non-compliance beyond the enforcement date is liable to attract heavy penalties.

How can software help ensure we're GDPR compliant?

Satisfying GDPR requires investment in time, effort, and expertise. One way to address this is to use a cloud or SaaS system that provides a safe environment in which to manage and process your data.

However, you should be confident that any providers you work with meet the necessary standards for data protection, understand the obligations of the GDPR, and are well prepared to meet them.

Our approach to GDPR

How does Access Assemble protect my data?

We take security seriously; our success depends on it.

Access Assemble is committed to providing a secure and trusted service by implementing and adhering to compliance policies. After 15 years’ experience working with the Public Sector, we have worked hard to become equipped for the toughest standards. 

We need to make sure your data is secure, and protecting it is one of our most important responsibilities. We’re committed to being transparent about our security practices and helping you understand our approach.

Information security is critical to our business; our robust Information Security Management System (ISMS) is designed to control information assets appropriately, assess risks and build a culture of security at Access Assemble.

Access Assemble is committed to GDPR compliance and part of this commitment is to help our customers through their GDPR compliance journey by providing them with robust privacy and security protections. We currently comply with a range of requirements, policies and controls, to ensure we have vigorous measures in place to protect users’ data.

Access Assemble welcomes the GDPR as an important step forward in unifying data protection requirements across the EU and as an opportunity for Access Assemble to expand our commitment to data protection. We have closely analysed the requirements of the GDPR, and we’ve worked hard to develop functionality to make compliance easier for you. We are also on the journey to independent certification for ISO 27001:2013, the international standard for information security.

We encourage you to verify that our security practices meet the most widely accepted standards and regulations. After 15 years’ experience working in the public sector we have achieved a range of certifications. As a G-Cloud 12 supplier, we’re one of the selected, trusted providers of cloud software and services to government. We’re also Cyber Essentials accredited – a government-backed and industry-supported scheme that helps businesses protect themselves against the ever-growing threat of cyber attacks.

We value the confidence you've put in us and work hard to maintain that trust. 

Is Access Assemble a data processor or a data controller?

For our customers, Access UK Ltd is a data processor - we process your personal data on your behalf, in accordance with our Terms and Conditions.

You are the owner of your data; we do not mine your data for advertising or marketing purposes. We only use the provided data to supply the services of Access Assemble.

How do you comply with the requirements of the GDPR principles?

Article 5 of the GDPR "Principles relating to processing of personal data" requires:

Lawfulness, fairness and transparency

We will process any personal data we collect in a fair, lawful and transparent manner; and in accordance with individuals’ rights.

For our customers, we will only process the personal data entered into the system in accordance with our Terms and Conditions.

Purpose limitations

We will only collect personal data for specified, explicit and legitimate purposes. Data we collect will not be used for any other purposes other than what you have been made aware of.

For our customers, we will only process personal data entered into the system for the purpose of providing you our service and in accordance with our Terms and Conditions.

Data minimisation

We will only collect personal data that is needed, adequate and relevant for the specific purpose.

As a customer of Assemble you are responsible for ensuring that the data you hold about your volunteers/employees is limited to what is needed, adequate and relevant for the specific purpose. Features and controls exist in our platform to help facilitate this.

Accuracy

To the best of our ability we will ensure that any personal data we collect is accurate, kept up to date and correct.

As a customer of Assemble you are responsible for ensuring that the data entered into the system about your volunteers/employees is accurate and kept up to date. Our systems are designed to maintain a high level of integrity, meaning that your data will remain as entered and unchanged. Self-service functionality exists in the application to encourage volunteers to keep personal information up to date.

Storage limitations

We will only keep personal data we collect for as long as it is needed. In addition, you have the right to request erasure of your individual data.

Based on parameters set by customers, Assemble retains data for the configured period before it is processed for deletion. Customers can specify a timeframe (based on their own policies on when the legal justification for keeping personal data has expired) and we then automatically anonymise the data.

Integrity and confidentiality

We will process all personal data we collect in a manner that protects it against unwanted modification, disclosure or unlawful processing.

We take a risk based approach to ensure that our systems have the appropriate technical and organisational controls to safeguard the integrity and confidentiality of all personal data.

Accountability

Processes are recorded, implemented and reviewed on a regular basis. All staff are trained and appropriate technical and organisational measures are taken to ensure and demonstrate compliance. We are creating and improving security features on an ongoing basis. As part of our Information Security Management System (ISMS), Assemble is developed to incorporate privacy-by-design and privacy-by-default methodologies, making sure whenever we develop or introduce new systems, privacy and security requirements are considered at every stage.

Where is my data stored?

Your data is stored on the EU clusters of Amazon Web Services (AWS) - none of your data leaves the EU. Featuring state-of-the-art environmental security controls, it’s one of the best and most renowned in the world, so rest assured your data is safe.

Will I be notified in the case of a breach?

Under the GDPR, Assemble is required to report data breaches to the ICO within 72 hours. As part of our information security incident management procedure, appropriate communications will be made, including notifications to all affected parties.

How do you handle subject access requests (SAR)?

Access UK Ltd acts as a Data Processor on behalf of its customers, so we are not able to process subject access requests on your behalf. If we receive a subject access request from one of your volunteers/employees, we will forward the request to you.

How do you process data portability requests?

We provide you with export tools inside Assemble to extract information in commonly used file formats.

How do you handle data erasure?

Customers (Data Controller)

If you choose to close your account or your subscription expires, we will store your customer data for 30 days (the retention period) to give you time to extract the data or renew your subscription. After this 30-day period, we will disable the account and commit to deleting all data under our control.

Volunteers/employees (Data Subject)

Assemble works with its customers to help facilitate data erasure requests. Assemble makes it easier to locate and identify the personal data you collect across your organisation: with our search functionality, every person, message, application, and document in Assemble is archived, indexed, and available through search. Customers are in control of the data stored in their instance of Assemble. Based on parameters set by customers, Assemble retains data for the configured period before it is processed for deletion. Customers can specify a timeframe (based on their own policies on when the legal justification for keeping personal data has expired) and we then automatically anonymise the data. As noted in the GDPR (Provision 28), “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.” We will remove the user’s name, email address, contact information and other unique identifiers from the system. To prevent confusion and preserve the history of an account, some form of record will still exist for reporting/auditing purposes.

Applicants

In line with the principle of ‘data minimisation’, when collecting personal data during the recruitment process, ensure that as an organisation you are requesting only what is ‘adequate, relevant and limited to what is necessary’, and that you have a full understanding of exactly why that data is required. If an applicant requests to have their data deleted, functionality exists in the application to remove all personal data associated with the applicant.
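The retention-then-anonymise behaviour described here (and in the Storage limitations and Manage sections above) is easy to get subtly wrong: the job must be idempotent, must strip only direct identifiers while leaving reporting columns and an audit line intact, and must not leak the linking key. The following is an added illustration written for this page, not Access Assemble's own code. It assumes a volunteer record shape, a customer-configured `retention_days`, and a server-held HMAC key, all of which are constructed for the example; the sample volunteers are made up.

```python
"""Retention-driven anonymisation of volunteer records (illustrative, not product code)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Direct identifiers to strip on erasure; other columns are kept for reporting.
IDENTIFYING_FIELDS = ("name", "email", "phone")

# Fixed "now" used by the sample data and the stand-alone run (constructed value).
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass
class VolunteerRecord:
    record_id: str                 # internal key, not personal data
    name: str
    email: str
    phone: str
    role: str                      # retained: needed for headcount reporting
    hours_logged: int              # retained: needed for reporting
    last_active: datetime
    anonymised: bool = False
    audit: list[str] = field(default_factory=list)   # touchpoint history


def retention_expired(record: VolunteerRecord, retention_days: int, now: datetime) -> bool:
    """True once the customer-configured retention window has elapsed."""
    return now - record.last_active >= timedelta(days=retention_days)


def pseudonym(record_id: str, key: bytes) -> str:
    """Keyed hash of the internal id; the key stays server-side and is never shown to users."""
    return hmac.new(key, record_id.encode(), hashlib.sha256).hexdigest()[:12]


def anonymise(record: VolunteerRecord, key: bytes, now: datetime) -> VolunteerRecord:
    """Strip direct identifiers in place, keep non-identifying columns plus an audit line."""
    if record.anonymised:
        return record              # idempotent: a second pass must not double-log
    token = pseudonym(record.record_id, key)
    for name in IDENTIFYING_FIELDS:
        setattr(record, name, "")
    record.name = f"Anonymised volunteer {token}"   # placeholder so history stays readable
    record.anonymised = True
    record.audit.append(f"{now.isoformat()} anonymised after retention expiry")
    return record


def sweep(records: list[VolunteerRecord], retention_days: int, key: bytes, now: datetime) -> list[str]:
    """Scheduled retention job; returns the ids anonymised in this run."""
    done: list[str] = []
    for rec in records:
        if not rec.anonymised and retention_expired(rec, retention_days, now):
            anonymise(rec, key, now)
            done.append(rec.record_id)
    return done


def sample_records(now: datetime) -> list[VolunteerRecord]:
    """Constructed sample data, not real volunteers."""
    return [
        VolunteerRecord("v-001", "Ada Example", "ada@example.org", "07000000000",
                        "Driver", 120, now - timedelta(days=400)),
        VolunteerRecord("v-002", "Ben Example", "ben@example.org", "07000000001",
                        "Befriender", 35, now - timedelta(days=10)),
    ]


if __name__ == "__main__":
    key = b"placeholder-server-side-secret"     # in production: a managed secret, never a literal
    recs = sample_records(SAMPLE_NOW)
    print("anonymised:", sweep(recs, retention_days=365, key=key, now=SAMPLE_NOW))
    for r in recs:
        print(r.record_id, r.anonymised, r.name, repr(r.email), r.role, r.hours_logged, r.audit)
```

Two design points matter for a defender. The pseudonym is a keyed hash rather than a plain SHA-256 of the id, so someone with read access to the anonymised table cannot recompute it and re-link records; and the job is idempotent, so re-running it after a failure neither re-writes the placeholder nor appends duplicate audit entries.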

How do you ensure you meet with the privacy by design requirements?

As part of our Information Security Management System (ISMS), we have implemented system development principles to ensure that whenever we develop or introduce new systems, privacy and security requirements are considered at every stage.

Data Protection Registration

We have a strong track record on data protection. As a company we are registered with the Information Commissioner’s Office (ICO). This means we are contractually committed to delivering our services in compliance with the Data Protection Act (DPA).

ICO Registration Number: Z9806829

Disclaimer

Please note that this information is intended to provide helpful guidance to customers on the GDPR and not as a solution or legal advice. We encourage each organisation to undertake their own steps to ensure compliance.