Guidance for Friends of the Earth local groups on how to comply with the new General Data Protection Regulation (GDPR), including actions that local groups need to take, and where to seek advice.
05 Sep 2019
What is GDPR and what information does it apply to?
The General Data Protection Regulation (GDPR) is a new, EU-wide law that sets out new requirements for how all organisations will need to handle EU citizens’ personal data from 25 May 2018. In the UK it replaces the 1998 Data Protection Act, and will be written into law under the 2018 Data Protection Bill. UK GDPR regulation sits with the Information Commissioner’s Office (ICO).
It’s being introduced across the EU to give people greater control and rights across the personal data that organisations hold about them. It also simplifies the regulations for all organisations based in the EU (including the UK, even after Brexit).
The GDPR applies to personal data, which means any information that enables a person to be directly or indirectly identified. This includes names, postal or email addresses, phone numbers, reference numbers (eg National Insurance number) and even digital information such as IP addresses. Whilst local groups won’t hold all of these, even keeping one identifier on record means GDPR is applicable.
How will local groups be affected?
Because of the relationships that local groups have with their members or local individuals it is expected that they will own and manage their own local records in support of those relationships. These records need to be held securely, and to be GDPR compliant. In simple terms, this means:
- Clear and unambiguous consent is needed from each member or local individual for the local group to hold their personal data. This should be captured proactively at the earliest opportunity.
- Individuals’ personal data should be held securely. You will need to protect any locally held digital record (eg Excel spreadsheets) with a password and securely lock away any physical lists (eg on paper).
- Anyone receiving communication from a local group by any channel or channels (email, post, etc) has the right to opt out of any communication at any stage. If consent is withdrawn to be contacted via a particular channel, communication via said channel must stop immediately. It cannot be resumed until new consent is proactively given by that individual.
Not following these steps puts the local group at risk of GDPR non-compliance. This means that the local group will lose the right to contact the member or individual. Continued contact when consent has not been given means that the local group would be in breach of the GDPR regulations. This could result in a fine of up to 20,000 Euros and significant damage to our good name both locally and nationally.
However, it isn’t all doom and gloom – this is a great opportunity to ensure you're holding correct information about your group members and have considered how you communicate with them and what works best. Some groups are using this as a chance to consolidate their database of members, removing records for those who have long since left, and reaching out to those who have fallen out of touch recently.
What are the main things to focus on ahead of the GDPR deadline?
- Use any engagement opportunity to seek consent. There may not be many chances to contact your local group members or supporters to seek their consent to be contacted by email/ post/ phone from your local activists. Think about doing this right from the first interaction you have with potential new members, for example when getting someone’s details at a stall.
- Review your data. Take the opportunity to check through the records that you hold. Are any out of date or duplicated? If so, guidance can be sought from email@example.com on how to update them securely and safely.
- Take ownership. Under GDPR the importance of data security and protection is greater than ever. Each local group should appoint a person or group of people to be responsible for keeping the data secure (e.g both the sole person or group who retains passwords, codes for safes and so on).
- Record people’s preferences. When consent conversations or other communications (e.g email) take place, record the preferences that the individual gives accurately and securely and make sure to keep a track record of changing consents.
- Do ask questions about GDPR. This is new territory for everyone and all organisations are learning as we go.
- Managing queries. Seek guidance if you’re not sure how to manage a query from an existing or new local group member.
- Understand the risks. Take the time to make sure you are managing the personal data of group members and any other individual the group has contact with in a way that is GDPR compliant, and to understand the risks of non-compliance.
- Use the GDPR glossary (below) to build your understanding of the different elements and definitions.
- Recruiting new members. Should new people join the group who will be handling or recording data, you must make sure they are fully briefed on data protection and GDPR compliance (as laid out in this guide).
- Collecting data at stalls and events. Prior to attending any events, make sure that everyone representing the group is aware of the most recent data compliance requirements, and that the most recent forms (with our current data protection statement) are used to capture both data and the individual’s consent.
- What to do with old data. When disposing of old data, a common sense should be followed at all times, so give some thought to how you do this. Most data breaches result from inadvertent poor processing of redundant data. Personal data held on paper (such as old petition sheets) should be shredded and recycled. Files on laptops should be permanently deleted (including clearing out the desktop recycling box) and memory sticks should be put into a secure recycling facility.
- Take responsibility. Remember, data security and GDPR compliance is something your group needs to take responsibility for. You cannot ignore this, and help is at hand if needed.
Where can I get guidance or help?
Please raise your question via firstname.lastname@example.org.
- Consent – freely given, specific, informed and explicit consent by statement or action signifying a person’s agreement to the processing of their personal data.
- Data Breach – the loss of data by an organisation, usually as a result of hacking or similar activities.
- Data Controller – organisations that collect and manage personal data from EU residents, e.g a Local Group.
- Data Portability – the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.
- Data Processor – organisations that process data on behalf of data controller including 3rd party agencies.
- Data Protection Act 1998 – the legislation that will be replaced by GDPR.
- Data Protection Bill 2017 – the new legislation that will enshrine GDPR (and some supplementary items) into UK law, even once the UK leaves the EU.
- Data Protection Officer – the person responsible within an organisation for ensuring it is compliant with data protection laws and regulations, and for controlling that organisation’s data protection policies and procedures.
- Data Sharing – the process through which different parts of an organisation, or different organisations, share data with each other.
- Data Subject – the person / EU citizen about whom data is collected or held.
- Encrypted Data – personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access.
- GDPR – General Data Protection Regulation. The new EU wide data protection legislation that comes into force on 25th May 2018.
- Information Commissioner’s Office (ICO) – the UK regulator responsible for data protection.
- Lawful Processing – the means by which organisations collect and manage people’s data (see also consent and legitimate interest).
- Legitimate Interest – where GDPR compliant consent has been given previously, and organisations have evidence of this, personal data can continue to be used without the need for refreshed consent, provided that the interests of the data subject are not harmed.
- Personal Data – any information related to a person or "Data Subject", that can be used to directly or indirectly identify the person.
- Privacy Impact Assessment – a tool used to identify and reduce the privacy risks of organisations by analysing the personal data that are processed and the policies in place to protect the data.
- Privacy Shield / Safe Harbor – framework for exchanges of personal data for commercial purposes between the EU and the USA. It’s main aim is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect EU citizens.
- Processing – any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
- Right to be Forgotten – also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, stop sharing their data, and potentially have third parties stop processing of the data.
- Subject Access Right – also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.