What are the General Data Protection Regulations (GDPR)?
On 25 May 2018 the new General Data Protection Regulations (GDPR) came into force, replacing the previous Data Protection Act. The new regulations apply to all types of organisations including small charities and voluntary groups and so it is something you should be aware of. It may mean you need to make some changes to the way you handle personal data.
GDPR is about organisations collecting and using personal data in a fair, responsible and transparent way. It means organisations need a good reason for holding and using personal data and need to be clear about what those reasons are. It also emphasises the need to have consent from individuals (in some situations) and gives individuals more rights over their data.
What is personal data?
The GDPR expands the definition of what is personal data. It now includes almost anything that can be used to identify an individual – so this could be personal contact details, a membership number or a photo. You need to consider all the data you hold. A common name might not be enough on its own to identify someone, but combined with an email or postal address it might be. Similarly, bank details next to an ID number might not be enough on their own, but if the ID number can be linked to a name/address the data becomes identifiable.
What will it mean for our group?
Getting ready for the GDPR is a good opportunity for your group to review its policies and approach to personal data and make sure your organisation is responsible in the way it handles data. If data protection is something you have not considered in the past or perhaps you have let your procedures and processes slip a little, then you may need to do some more work to make sure you are compliant with the GDPR.
What action should we take?
- Start with an audit of the data you hold; what you have, how you use it and if you still need it. Make sure you are aware of all the data you might hold about someone – not just the traditional things like name and address. Try to think of different ways that people may have captured personal information and where this would have been recorded or stored. Make sure you think about paper and digital records and think about everyone from staff to volunteers to visitors.
- You need a good reason to use personal data but you don’t always need consent. E.g. you don’t need consent to hold a member’s contact details to communicate with them about group activities.
- Sometimes you will need consent, and under the GDPR, where consent is required, it will have to be positive. This means the individual will have to take definite action which shows they have given consent for you to hold and use their data – so they have to tick a box to say they agree, rather than having to untick a pre-ticked box if they don’t agree.
- Whether you rely on consent or not, you should provide access to a clear and specific privacy statement which explains what the data they are providing will be used for. It shouldn’t be a general catchall for all data and all use – it has to be specific to the data they are providing at the time. If you have their email address because they have booked to come to an event, you can’t automatically add their email address to your mailing list unless you have clearly told them that you will do that when collecting the data.
- Data retention: Under the GDPR you might have to be more cautious about how long you keep data. If you don’t need it anymore then you shouldn’t have it. The ‘need’ for information will mean different things for different types of data.
- Documentation: You need to be able to demonstrate that you have policies and processes in place that show how you use data.
Does the GDPR apply to us?
The GDPR might seem overly burdensome and just more work for your already stretched group, but the GDPR applies to all sorts of organisations, from large multi-national banks to local community groups. You probably care about how organisations use your data; you want to be confident that it is stored safely and used fairly. The GDPR is there to protect individuals and to make sure that organisations are acting responsibly.
Please note: This information is intended as a brief overview of the GDPR, to give you an idea of what the changes are and how they might affect your group/organisation. We can’t cover everything in this short introduction so we recommend you read the full guidance before taking any action. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/