
General Data Protection Regulations

A simple guide for the not too interested!

I have been asked a lot in training sessions recently about how GDPR affects you as a volunteer, the National Trust and the other groups many volunteers are involved with. For National Trust matters you must follow your manager's instructions, as the Regulations are wide ranging and complex. Volunteer Day Organisers especially should have been given clear instructions on using and protecting their volunteers' data.

To allow for full property and NT communication, including direct marketing, members and volunteers must give their consent for communication; otherwise certain types of communication could cease without warning, leaving you information deficient.

For those involved with other groups here is some information -

The new EU-wide regulations are effective from 25th May 2018 and cover all forms of 'processing' of your personal data, to protect you from misuse. Processing covers a very wide range of uses of your personal details, from clubs sending you newsletters to your bank handling all your financial affairs.

Put simply, there will be more protection of data, more accountability, more control and more punishment for negligence or misuse of your data. So, all good then? Not exactly. It will not stop scam telephone calls and emails. It will not stop rogue direct marketing calls from abroad or even from the UK.

There are 6 legal bases on which all organisations hold your data -

Consent - something you signed up for, like The Guardian

Contract - something you bought or pay for, e.g. electricity bills

Legal Obligation - such as Inland Revenue

Vital Interest - sharing and using your details to save your life, e.g. police, doctors

Public Task - such as your rates

Legitimate Interests - clubs, teams, Friends groups, small charities

There is a lot of misunderstanding, misinformation and worry, but it is actually very simple and in fact you are probably doing it all already.

All organisations (meaning any formal group or business that stores and processes personal data of members / customers) must have a clear Privacy Statement declaring how, why and by whom your data is accessed and, importantly, which of the above bases they are using. For almost all small clubs and Friends groups the basis would be Legitimate Interests, allowing normal group communication without any onerous compliance, so don't blindly go down the Consent route as it is not what you would think! However, all the following rights must be complied with (which should already be normal practice in an efficient organisation):

the right to be informed;

the right of access;

the right to rectification;

the right to erasure;

the right to restrict processing;

the right to data portability;

the right to object; and

the right not to be subject to automated decision-making, including profiling.


This is how the Information Commissioner's Office (ICO) explains Legitimate Interests -

When might legitimate interests be appropriate?

Legitimate interests is the most flexible of the six lawful bases. It is not focused on a particular purpose and therefore gives you more scope to potentially rely on it in many different circumstances.

It may be the most appropriate basis when:

  • the processing is not required by law but is of a clear benefit to you or others;
  • there’s a limited privacy impact on the individual;
  • the individual should reasonably expect you to use their data in that way; and
  • you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.

There may also be occasions when you have a compelling justification for the processing which may mean that a more intrusive impact on the individual can be warranted. However in such cases you need to ensure that you can demonstrate that any impact is justified.

The legitimate interests basis is likely to be most useful where there is either a minimal impact on the individual, or else a compelling justification for the processing.


So what do Small Groups have to do (not a lot!) -

1. Write a simple Privacy Statement as per this sample (keep it updated and make it available on your website, membership form, etc.)

Sample Privacy Statement

Privacy Statement


Name of Group and contact address and Telephone number -


Data Protection Officer -


Our Lawful Basis for processing your data

The lawful basis for our holding members' personal details is 'Legitimate Interests', meaning that we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights and interests.


When we process personal data
When you become a member we will add your data to our mailing list.


What data we process
We only store name, address, telephone numbers and email address.


The purpose of processing this data
The purpose is for keeping in touch with you occasionally with news of the group or other relevant information.


Categories of recipients that we may disclose this data to
We will not disclose your data to any other person without careful consideration of your interests.


Time limits
We will only hold your details until either you ask us to remove them or we decide to delete them.


Consequences of revoking permission for us to store/process this data
We will not be able to send you information about the group.


You can amend / delete your data at any time by contacting the Data Protection Officer above.


Date of statement -


2. Ensure you protect members' details, only hold details that are relevant to the group, and only use the details for your Group's agreed vision and aims.

3. Members' details you already hold should just be checked to make sure you are not holding irrelevant details. You DO NOT have to contact them if you are using Legitimate Interests as your lawful basis, which you should be.

That's all you need to do.