General Data Protection Regulation

GDPR Full Guidance

Introduction to the General Data Protection Regulation – some key principles

Since 25 May 2018 the General Data Protection Regulation (GDPR) has applied.  The definition of personal data is broad: it covers anything that can be used to identify a living individual, on its own or in combination with other information, so this could be personal contact details, a membership number, a photo, or an online identifier such as an email address.  The key thing with all data is that you have a good reason to hold it and a lawful basis for using it (for most groups that will be consent or legitimate interests).

Reason – under GDPR you should only collect data for a specific, stated purpose, and no more of it than that purpose needs.

Consent – where you rely on consent, it must be freely given, specific, informed and unambiguous, and given by a clear positive action.  The person should have access to a clear and specific privacy statement that explains what the data they are providing will be used for, and it must be as easy for them to withdraw consent as it was to give it.

Legitimate interests – there are situations where consent is not needed because the use of the data is an obvious part of the activity the individual is taking part in.  Legitimate interests is a lawful basis in its own right, not the absence of one: you must be able to show that your interest is genuine, that the processing is necessary for it, and that it does not override the individual's rights.  Even where consent is not needed there should still be access to clear and simple information about how the data will be used.

Retention of Data – we need to be vigilant about how long we keep data.  If we no longer need it for the purpose we collected it for, we shouldn't keep it.

Secure Storage – any electronic data should be held in a secure environment, protected by strong passwords (and multi-factor authentication where the service offers it) and with access limited to those who need it.  Physically held data should be held locked and secured too.

Documentation and Process – GDPR places a new emphasis on being able to demonstrate compliance (the accountability principle).  So having documentation is important, for example evidence of when and how consent was given, what people were told at the time, and the reasoning where you rely on legitimate interests.

Reason, consent and legitimate interests

The key thing with all data is not that you have it as such, but that you have a good reason to have it and a lawful basis to use it: for most groups that will be consent or legitimate interests.

  • Reason: under GDPR you should not be collecting data for no good reason. Unless you have a genuine, specific purpose for having and using data, don't ask for it. This is common sense really, and good practice. Data you have no use for only takes up digital or physical space and exists purely as a risk for you (something to lose, leak, or have to answer a subject access request about), so why have it at all?
  • Consent: this is perhaps the biggest change. Previously consent was often treated as implied by inaction or silence: the pre-ticked box, or the 'unless you tell us otherwise we will email you' approach. Under GDPR consent has to be positive: the individual must take a definite action to say 'you can have and use my data', so they tick the box rather than it being pre-ticked. It must also be as easy for them to withdraw consent as it was to give it, and you should record when and how consent was obtained. They should have access to a clear and specific privacy statement that explains what the data they are providing will be used for. It shouldn't be a general catch-all for all data and all uses; it has to be specific to the data they are providing, and the purpose, at the time. Consent that is bundled into something they cannot refuse without losing something unrelated is not valid consent.
  • Legitimate interests: there are situations where you don't need consent because the use of the data is an obvious part of the activity the individual is taking part in. For example, emailing a member of your group about a meeting change or a fee reminder is a legitimate interest that follows from being a member. Legitimate interests is a lawful basis in its own right and it comes with a test: you must be able to show that your interest is genuine, that the processing is necessary to achieve it, and that the individual's rights and reasonable expectations do not override it. Write that assessment down, and don't stretch it to cover things a member would not expect, such as passing their details to another organisation. Whilst consent might not be needed, they should still have access to clear and simple information about how the data will be used.

Retention of data

One of the changes with GDPR is that you need to be more vigilant about how long you keep data. It is very easy for old data to linger on a spreadsheet somewhere, in an email account, or locked away in a filing cabinet.  However, you should not hold or use data unless you still have a good reason for doing so.

Removing old data may seem like an administrative burden. But tidying up data is a good administrative process to go through anyway, and if you don't need the data, why have it? It takes up space and exists purely to create risk for you, and that is a risk you can easily remove. When you do remove it, remove it properly: shred paper records, and delete electronic copies (including any sitting in email, shared drives or backups) rather than just moving them to an 'old' folder.

Having a regular review of the data you hold and how you use it is a good idea. But retention should be an ongoing process rather than an annual clear-out. Decide up front how long each type of data needs to be kept (for example, how long after someone leaves the group you keep their details), write that period down, and clean data as you go. That helps ensure you are being fair and responsible in how you use data, reduces the risk to your group, and makes the regular review much easier.

Have a process in place for reviewing your data on a regular basis. The point of this review should be to decide whether you still have a good and fair reason to store and/or use the data, and that you have any necessary permissions in place.

Secure storage

Rules around how data is stored have not changed too much, but the expectation that you can show you have taken appropriate security measures has. It's always useful to have a reminder:

  • Any electronically held data should be in a secure, access-controlled environment: a strong, unique password for each account or device, multi-factor authentication where the service offers it, and access limited to the people who actually need it. Passwords should be changed promptly if you suspect they have been compromised or when someone with access leaves; forcing routine changes on a schedule is no longer recommended by the UK's National Cyber Security Centre, because it pushes people towards weaker, predictable passwords. Keep devices and software up to date, and encrypt laptops and memory sticks that hold member data.
  • Moving data around counts too: avoid emailing unencrypted spreadsheets of member details, and use 'bcc' when emailing the whole group so members do not see each other's addresses.
  • It can be easy to focus on digital/electronic data for GDPR. Physically held data should be kept locked and secure too, and only accessible to those who need it.