General Data Protection Regulation (GDPR)
A simple guide for the not too interested!
I have been asked a lot in training sessions recently about how GDPR affects you as a volunteer, the National Trust and the other groups many volunteers are involved with. For National Trust matters you must follow your manager's instructions, as the Regulation is wide-ranging and complex. Volunteer Day Organisers especially should have been given clear instructions on using and protecting their volunteers' data.
To allow for full property and NT communication, including direct marketing, members and volunteers must give their consent to that communication; otherwise certain types of communication could cease without warning, leaving you short of information.
For those involved with other groups, here is some information -
The new EU-wide Regulation is effective from 25th May 2018 and covers all forms of 'processing' of your personal data, to protect you from misuse. Processing means anything done with your personal details (collecting, storing, using, sharing or deleting them) and so covers a very wide range of activity, from a club sending you a newsletter to your bank handling all your financial affairs.
Put simply, there will be more protection of your data, more accountability, more control for you and more punishment for negligent handling or misuse of your data. So, all good then? Not exactly. It will not stop scam telephone calls and emails. It will not stop rogue direct marketing calls from abroad, or even from within the UK.
There are six lawful bases on which an organisation may hold and process your data; it must be able to point to at least one of them -
Consent - something you actively opted in to, like a newsletter from The Guardian
Contract - something you bought or pay for, e.g. your electricity supply and the bills for it
Legal obligation - such as records kept for HMRC (formerly the Inland Revenue)
Vital interests - sharing and using your details to protect your life, e.g. by the police or doctors in an emergency
Public task - such as your council administering your rates or council tax
Legitimate interests - the everyday running of clubs, teams, Friends groups and small charities
There is a lot of misunderstanding, misinformation and worry, but it is actually very simple and, in fact, you are probably doing most of it already.
All organisations (meaning any formal group or business that stores and processes the personal data of members or customers) must have a clear privacy notice, often called a Privacy Statement, explaining what data is held, why, how it is used, who has access to it and, importantly, which of the above bases is being relied on. For almost all small clubs and Friends groups the basis would be legitimate interests, which allows normal group communication without any onerous compliance. So don't blindly go down the Consent route: under GDPR consent must be freely given, specific, informed and unambiguous, it can be withdrawn at any time, and if a member simply never replies to your request you lose the right to contact them at all. Whichever basis is used, the following individual rights must still be honoured (which should already be normal practice in an efficient organisation). Not every right applies in every case: for example, the right to object applies where legitimate interests is the basis, and the right to data portability only where consent or contract is.
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object; and
the right not to be subject to automated decision-making including profiling.
This is how the Information Commissioner's Office (ICO) explains legitimate interests -
When might legitimate interests be appropriate?