15 Feb 2021
What is GDPR and what information does it apply to?
The General Data Protection Regulation (GDPR) is an EU-wide law that came into force on 25 May 2018 and sets out how every organisation must handle the personal data of people in the EU. As an EU regulation it applied directly in the UK; the Data Protection Act 2018 supplemented it in UK law.
GDPR was introduced across the EU to give people greater control and rights over the personal data that organisations hold about them. It also replaced a patchwork of national laws with one set of rules for all organisations based in the EU.
Following the UK's exit from the EU and the end of the transition period on 31 December 2020, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (the DPPEC Regulations) came into force. These carried the EU GDPR's requirements into UK law alongside the DPA 2018.
This new regime, known as "the UK GDPR", applies only in the UK and is regulated by the Information Commissioner’s Office (ICO). For most purposes the UK GDPR is the same as the EU GDPR, and an EU adequacy decision (which would allow personal data to keep flowing from the EU to the UK) is expected in due course.
The GDPR applies to personal data, which means any information that enables a person to be directly or indirectly identified. This includes names, postal or email addresses, phone numbers, reference numbers (eg a National Insurance number) and online identifiers such as IP addresses. Community groups won’t hold all of these, but keeping even one identifier on record means GDPR applies.
How are community groups affected?
Because of the relationships that community groups have with their members and local individuals, they are expected to own and manage their own local records in support of those relationships. These records need to be held securely and to be GDPR compliant. This guide uses consent as the lawful basis for holding and using members' data, so in simple terms this means:
- Clear and unambiguous consent is needed from each member or local individual before the community group holds their personal data. Capture it proactively at the earliest opportunity, and keep a record of when, how and for what it was given.
- Individuals’ personal data must be held securely. Protect any locally held digital record (eg an Excel spreadsheet) with a strong password that encrypts the file, keep it on a device with disk encryption turned on, and securely lock away any physical lists (eg paper sign-up sheets).
- Anyone receiving communication from a community group by any channel (email, post, phone, etc) has the right to opt out at any stage. If consent to be contacted via a particular channel is withdrawn, communication via that channel must stop immediately, and it cannot resume until the individual proactively gives new consent.
Not following these steps puts the community group at risk of GDPR non-compliance. Without valid consent the group has no lawful basis to contact the member or individual, and continuing to do so is a breach of the GDPR. The ICO can impose fines of up to £17.5 million or 4% of annual worldwide turnover under the UK GDPR (20 million Euros or 4% under the EU GDPR), and a breach would do significant damage to our good name both locally and nationally.
However, it isn’t all doom and gloom – this is a great opportunity to ensure you're holding correct information about your group members and have considered how you communicate with them and what works best. Some groups used this as a chance to consolidate their database of members, removing records for those who have long since left, and reaching out to those who have fallen out of touch recently.
What are the main things to focus on in relation to GDPR?
- Use any engagement opportunity to seek consent. There may not be many chances to contact your community group members or supporters to seek their consent to be contacted by email, post or phone by your local activists, so do it from the first interaction you have with potential new members, for example when taking someone’s details at a stall.
- Review your data. Check through the records that you hold. Are any out of date or duplicated? If so, guidance can be sought from [email protected] on how to update them securely and safely.
- Take ownership. Under GDPR the importance of data security and protection is greater than ever. Each community group should appoint a person or small group of people responsible for keeping the data secure: they alone hold the passwords, safe codes and so on, and they know who else has access to the records.
- Record people’s preferences. When consent conversations or other communications (e.g. email) take place, record the preferences the individual gives accurately and securely, together with the date and how they were given, and keep a track record of changing consents so you can show why you are (or are no longer) contacting someone.
- Managing queries. Seek guidance if you’re not sure how to manage a query from an existing or new community group member.
- Understand the risks. Take the time to make sure you are managing the personal data of group members and any other individual the group has contact with in a way that is GDPR compliant, and to understand the risks of non-compliance.
- Contacting group members. Don't share members' personal data publicly. When emailing your mailing list, put the addresses in 'BCC' so they are not visible to everyone on the list; sending to everyone in 'To' or 'CC' discloses every member's address to every other recipient and is itself a data breach.
- Use the GDPR glossary (below) to build your understanding of the different elements and definitions.
- Recruiting new members. Should new people join the group who will be handling or recording data, you must make sure they are fully briefed on data protection and GDPR compliance (as laid out in this guide).
- Collecting data at stalls and events. Prior to attending any events, make sure that everyone representing the group is aware of the most recent data compliance requirements, and that the most recent forms (with our current data protection statement) are used to capture both data and the individual’s consent.
- What to do with old data. Dispose of old data with common sense and give some thought to how you do it: redundant data that is kept longer than needed and then disposed of carelessly is a common cause of data breaches. Personal data held on paper (such as old petition sheets) should be shredded before recycling. Files on laptops should be permanently deleted, including emptying the Recycle Bin; note that this does not overwrite the data, so if the laptop's disk is not encrypted use a secure-erase tool as well. Memory sticks should be securely wiped or physically destroyed before going to a secure recycling facility.
- Take responsibility. Remember, data security and GDPR compliance is something your group needs to take responsibility for. You cannot ignore this, and help is at hand if needed.
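As an added example of the 'BCC' point above (this is not code from the original guidance), the following Python builds a group bulletin both ways and shows what each recipient could read. The group and member addresses, subject and body are constructed for illustration, and nothing is sent: the functions only build the message and the recipient list that Python's smtplib would use.

```python
"""Added example, not part of the original guidance: how a 'BCC' mailing
keeps members' addresses out of the headers that other recipients can read.
The addresses are constructed; nothing is sent, the functions only build
the message and the recipient list that smtplib would use.
"""
from email.message import EmailMessage
from email.utils import getaddresses


def build_bulletin(group_address, members, subject, body):
    """Return (envelope_recipients, message) with members only in Bcc.

    Envelope recipients are what the mail server is told to deliver to
    (the SMTP RCPT TO commands); the headers are what every recipient
    sees. smtplib.SMTP.send_message() builds the envelope from To, Cc and
    Bcc and strips the Bcc header before transmitting; the same steps are
    done explicitly here so the separation is visible.
    """
    msg = EmailMessage()
    msg["From"] = group_address
    msg["To"] = group_address      # the visible To points back at the group
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(members)
    msg.set_content(body)
    envelope = [addr for _, addr in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))]
    del msg["Bcc"]                 # members' addresses travel in the envelope only
    return envelope, msg


def build_bulletin_wrong(group_address, members, subject, body):
    """The common mistake: every member in To, so each receives all addresses."""
    msg = EmailMessage()
    msg["From"] = group_address
    msg["To"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    return envelope, msg


def disclosed_addresses(msg, members):
    """Which member addresses appear in the message as a recipient would see it."""
    visible = msg.as_string()
    return [m for m in members if m in visible]


# Constructed sample mailing list.
MEMBERS = ["ann@example.org", "bob@example.net", "cara@example.com"]


def compare():
    """Constructed run of both builders; returns what each delivers and discloses."""
    env_ok, msg_ok = build_bulletin("group@example.org", MEMBERS,
                                    "March meeting", "See you there.")
    env_bad, msg_bad = build_bulletin_wrong("group@example.org", MEMBERS,
                                            "March meeting", "See you there.")
    return {
        "bcc_envelope": env_ok,
        "bcc_disclosed": disclosed_addresses(msg_ok, MEMBERS),
        "to_envelope": env_bad,
        "to_disclosed": disclosed_addresses(msg_bad, MEMBERS),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both versions reach every member, because delivery is driven by the envelope; only the 'To' version also prints every member's address in the headers each of them receives. Mail clients do the same thing when you fill in the BCC field, so the habit to build is simply never to put the list in 'To' or 'CC'.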
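To make the consent rules concrete (consent must be captured with evidence, a withdrawal stops contact on that channel immediately, and contact resumes only after a new consent is proactively given, as described under "How are community groups affected?" and "Record people's preferences" above), here is an added Python example of an append-only consent register. It is not code from the original guidance; the member reference, channels, timestamps and sources are constructed for illustration.

```python
"""Append-only consent register for a community group's contact list.

Added example, not part of the original guidance: every consent or
withdrawal is stored as an immutable event, and the current position for
a person and channel is derived from the history, so the group can show
when and how consent was obtained, a withdrawal takes effect at once, and
contact only resumes after a new, explicit grant. Names, channels, member
references and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CHANNELS = ("email", "post", "phone")


@dataclass(frozen=True)
class ConsentEvent:
    """One recorded statement of preference; never edited after the fact."""
    when: datetime        # when the individual gave the preference
    person: str           # reference for the data subject (e.g. a member ID)
    channel: str          # one of CHANNELS
    granted: bool         # True = consent given, False = consent withdrawn
    source: str           # how it was captured: "stall form", "email reply", ...
    recorded_by: str      # who entered it, for accountability


@dataclass
class ConsentRegister:
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, person, channel, granted, source, recorded_by, when=None):
        """Append an event. Corrections are new events, not edits."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel: {channel}")
        event = ConsentEvent(when or datetime.now(timezone.utc), person,
                             channel, granted, source, recorded_by)
        self.events.append(event)
        return event

    def latest(self, person, channel) -> Optional[ConsentEvent]:
        """Most recent event for this person and channel, or None if none."""
        relevant = [e for e in self.events
                    if e.person == person and e.channel == channel]
        # Stable sort: events with equal timestamps keep recording order.
        return sorted(relevant, key=lambda e: e.when)[-1] if relevant else None

    def may_contact(self, person, channel) -> bool:
        """Only a current, explicit grant permits contact.

        No record at all means no consent (silence is not consent), and a
        withdrawal stands until a later grant is recorded.
        """
        event = self.latest(person, channel)
        return event is not None and event.granted

    def evidence(self, person, channel) -> Optional[Tuple[datetime, str]]:
        """When and how the current consent was obtained, for a query or audit."""
        event = self.latest(person, channel)
        return (event.when, event.source) if event and event.granted else None

    def history(self, person) -> List[ConsentEvent]:
        """Full trail for one person, oldest first (useful for a subject access request)."""
        return sorted((e for e in self.events if e.person == person),
                      key=lambda e: e.when)


def example_run():
    """Constructed walk-through: consent given at a stall, withdrawn by
    email a week later, then given again by phone. Returns the decision
    the register gives at each stage."""
    reg = ConsentRegister()

    def stamp(day):
        return datetime(2021, 2, day, 10, 0, tzinfo=timezone.utc)

    reg.record("member-042", "email", True, "stall sign-up form", "j.smith", stamp(1))
    after_grant = reg.may_contact("member-042", "email")
    reg.record("member-042", "email", False, "reply to newsletter", "j.smith", stamp(8))
    after_withdrawal = reg.may_contact("member-042", "email")
    reg.record("member-042", "email", True, "phone call, asked to be re-added", "a.khan", stamp(15))
    after_regrant = reg.may_contact("member-042", "email")
    return {
        "after_grant": after_grant,
        "after_withdrawal": after_withdrawal,
        "after_regrant": after_regrant,
        "post_never_asked": reg.may_contact("member-042", "post"),
        "evidence": reg.evidence("member-042", "email"),
        "events_kept": len(reg.history("member-042")),
    }


if __name__ == "__main__":
    for key, value in example_run().items():
        print(f"{key}: {value}")
```

The design choice worth copying even into a spreadsheet is that nothing is overwritten: a withdrawal is a new row with a date and source, not a cleared tick box, so the group can always answer "why did you email me?" and "when did I tell you to stop?" from the record itself.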
Where can I get guidance or help?
Please raise your question via [email protected].
GDPR glossary
- Consent – a freely given, specific, informed and unambiguous indication of a person’s wishes, by statement or clear affirmative action, signifying their agreement to the processing of their personal data. Silence, pre-ticked boxes or inactivity do not count as consent.
- Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Hacking is one cause, but many breaches are accidental, such as a list emailed with everyone in 'To' or a lost memory stick.
- Data Controller – the organisation that decides why and how personal data is processed, e.g. a community group holding its members’ details.
- Data Portability – the right of a data subject to receive their data from a controller in a structured, commonly used, machine-readable format so it can be moved to another controller.
- Data Processor – organisations that process data on behalf of data controller including 3rd party agencies.
- Data Protection Act 1998 – the previous UK data protection law, repealed and replaced by the Data Protection Act 2018 when GDPR took effect.
- Data Protection Act 2018 – introduced as the Data Protection Bill 2017, the legislation that supplements GDPR (with some additional provisions) in UK law and continues to apply now that the UK has left the EU.
- Data Protection Officer – the person responsible within an organisation for ensuring it is compliant with data protection laws and regulations, and for overseeing that organisation’s data protection policies and procedures. Only some organisations must appoint one (public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data); a community group will not normally need one, but should still name someone responsible (see Take ownership above).
- Data Sharing – the process through which different parts of an organisation, or different organisations, share data with each other.
- Data Subject – the living individual about whom data is collected or held. GDPR protects people in the EU (and, under the UK GDPR, in the UK) regardless of citizenship.
- Encrypted Data – personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access.
- GDPR – General Data Protection Regulation. The EU-wide data protection legislation that came into force on 25 May 2018, retained in UK law as the UK GDPR from 1 January 2021.
- Information Commissioner’s Office (ICO) – the UK regulator responsible for data protection.
- Lawful Processing – processing that rests on one of the lawful bases set out in GDPR (consent, performance of a contract, a legal obligation, vital interests, a public task, or legitimate interests). Community groups following this guide rely on consent.
- Legitimate Interest – a lawful basis, separate from consent, that allows personal data to be processed where it is necessary for the organisation’s legitimate interests and those interests are not overridden by the interests, rights and freedoms of the data subject. It does not require consent, but the organisation must document its reasoning, and the individual can object.
- Personal Data – any information related to a person or "Data Subject", that can be used to directly or indirectly identify the person.
- Privacy Impact Assessment – now called a Data Protection Impact Assessment (DPIA) under GDPR: a tool used to identify and reduce the privacy risks of an activity by analysing the personal data that is processed and the policies in place to protect it.
- Privacy Shield / Safe Harbor – successive frameworks for transfers of personal data for commercial purposes between the EU and the USA, intended to let US companies receive personal data from EU entities under EU privacy laws. Safe Harbor was invalidated by the Court of Justice of the EU in 2015 and Privacy Shield in July 2020 ("Schrems II"), so transfers to the USA now need another mechanism, such as standard contractual clauses.
- Processing – any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
- Right to be Forgotten – also known as the Right to Erasure, it entitles the data subject to have the data controller erase their personal data, stop sharing it, and potentially have third parties stop processing it.
- Subject Access Right – also known as the Right of Access, it entitles the data subject to obtain a copy of, and information about, the personal data that a controller holds concerning them, normally within one month of asking.