Privacy policy.
GDPR
The General Data Protection Regulation (GDPR) aims to harmonise data protection across the EU. Reforms aim to protect data, while supporting its free movement. The rights of individuals regarding personal data were extended.
The GDPR was retained as UK law after Brexit and forms part of the UK-GDPR regime in conjunction with the Data Protection Act 2018, which is also included on this register.
Scope
Under the UK-GDPR regime, duties apply to all persons holding or processing personal data concerning UK residents, whether inside or outside the UK. The Regulation applies to personal data processed by automated systems, and to information held in manual filing systems where it is readily accessible.
The definition of ‘sensitive personal data’ was extended under the GDPR to include philosophical beliefs and genetic and biometric information.
Rights of Individuals
Under the GDPR individuals have eight rights with regard to their data:
The right to be informed: data controllers will be required to communicate how personal information will be used and the data subject’s rights. This may be communicated through privacy notices.
The right of access: individuals may continue to access personal data held by any data controller, alongside details of its processing.
The right of rectification: individuals may have incorrect or incomplete personal data corrected on request.
The right of erasure (right to be forgotten): individuals may request the deletion or removal of personal data.
The right to restrict processing: individuals will continue to be able to block or suppress further processing of personal data held by a data controller.
The right to data portability: individuals must be permitted to move, copy or transfer personal data from one service to another.
The right to object: individuals may object to direct marketing, to processing of their data for tasks in the public interest or in the exercise of official authority, and to any processing for research and statistical purposes.
Rights regarding automated decision making and profiling: individuals are protected against potentially damaging automated decisions made without human involvement.
Processing
Six lawful bases are available for the processing of data under the GDPR. At least one must apply for the processing of personal data to take place:
Consent is held from the individual;
Processing is necessary to execute or enter into a Contract;
There is a Legal Obligation to process personal data;
Processing is necessary to protect someone's life - Vital Interests;
Processing is required to perform a task in the Public Interest, as based in law; or
Processing is needed for the organisation's or a third party's Legitimate Interests, where there is not a good reason to protect the personal data of the individuals concerned. This basis is not available to public bodies.
The GDPR sets out six data protection principles on the processing of personal data. Personal data must be:
Processed lawfully, fairly and transparently;
Adequate, relevant and limited to what is necessary;
Accurate and kept up to date as necessary;
Kept in a form allowing identification of data subjects for no longer than is necessary; and
Processed securely with appropriate protection.
Data controllers must be able to demonstrate compliance.
What WHH must do:
1. Identify and map all personal data
List all personal data you collect: names, emails, company names, payment details, IP addresses, etc.
Include data from:
Ticket purchases
Newsletter sign-ups
Website analytics
Podcast subscriptions
2. Establish a Legal Basis for Processing
You must have a valid reason for collecting and using personal data:
Consent: For newsletters, marketing emails, and cookies.
Contract: For ticket purchases.
Legitimate interest: For analytics or improving services.
3. Create Clear Privacy and Cookie Notices
Explain what data you collect, why, how it’s used, and users’ rights.
Include these notices on:
Your website
Event registration pages
Newsletter sign-up forms
Podcast platforms (if collecting listener data)
4. Get Valid Consent
Use opt-in checkboxes (not pre-ticked) for newsletters and marketing.
Keep records of when and how consent was given.
Allow users to withdraw consent easily.
5. Respect Data Subject Rights
You must allow users to:
Access their data
Correct inaccuracies
Request deletion
Object to processing
Port their data (in some cases)
6. Secure the Data
Use HTTPS on your website.
Encrypt sensitive data.
Limit access to personal data within your team.
Use secure third-party tools (e.g. Stripe, Mailchimp, Google Analytics).
7. Prepare for Data Breaches
Have a breach response plan.
Notify the ICO within 72 hours if a breach occurs.
Inform affected individuals if there’s a high risk to their rights.
8. Register with the ICO
Most UK businesses processing personal data must pay a data protection fee to the Information Commissioner’s Office (ICO).