Following the introduction of the General Data Protection Regulation (GDPR), which was introduced in the UK through the Data Protection Act 2018 earlier this year, the Regional Executive tasked its Risk and Audit Committee with establishing an updated Data Protection Policy to ensure that the Region was compliant with the updated regulation and to set good practice for how the Region should handle the personal data that it holds. This policy had a number of aims, including:
- To document what personal data the Region holds
- To document the processes in place to ensure that the Region handles the personal data it holds in a safe and secure manner
- To document the procedures to be followed in the event that individuals make use of their expanded rights under GDPR such as their Right to Be Forgotten or their Right to Access through a Subject Access Request
At its September meeting the Regional Executive agreed to adopt the Data Protection Policy and also agreed that this should be made available through the Regional Website.
The Regional Executive would encourage all members to review the policy at https://sesscouts.org.uk/privacy/. In addition, for those districts and groups which don’t currently have their own policy, the Regional Executive would encourage the relevant executive committees to use this as a template to adapt for their own policy documents.
If you have any questions about the policy or GDPR you can speak to Martin Elliot, Deputy Regional Commissioner, or e-mail firstname.lastname@example.org.
GDPR is live – What now?
By the time that you read this, the new General Data Protection Regulation (GDPR) will have come into effect and now governs how all Scout Groups, Districts and Regions process personal data.
Hopefully this will not come as a surprise to you: you will have read the GDPR Advice we previously produced in preparation for the new regulation and made use of the GDPR Toolkit, and your Group and/or District is ready or at least taking steps to ensure readiness for the new rules. If not, then now is a great time to review these resources to identify what steps, if any, your Group/District needs to take to adhere to the regulations.
In this article, we cover a few GDPR topics which have arisen since we published our previous articles.
GDPR Training Module
You may have noticed from other communications that a new eLearning module has been released focusing on GDPR. This is mandatory learning for all adult members, including members of Executive Committees. The eLearning takes about 25 minutes to complete and can be found on the Scouts UK website.
Being able to demonstrate that adult volunteers within Scout Groups, Districts or Regions have been made aware of their responsibilities through this training is an important part of being able to demonstrate GDPR alignment. A record that this training has been completed should be kept and it can now be added as a module on Compass.
Like other modules, the LOVE (Learning Optional, Validation Essential) principle applies, so as well as completing the eLearning, you should meet with your Training Advisor (TA) to review the validation criteria to ensure that you meet them. If you do not have a Training Advisor, then any current TA can validate it, so please check with your line manager about who in your group or district may be able to validate the module. If appropriate, the module can be validated for small groups of adults together, provided the TA is satisfied that they all meet the validation criteria.
Do I need to ask for Consent?
There is a common misperception amongst some leaders that under GDPR we now have to ask for members’ consent every time that we store or use their personal data and, as a result, I have seen personal details forms which state that we require the member’s consent to retain the data.
Under GDPR there are a number of justifications that can be used for holding someone’s data. Consent is one of them, but if you are using consent as the justification then it means that if the data subject (in this case the member) chooses not to give their consent or later withdraws it then we are no longer able to hold their data. To avoid this issue, in most cases Legitimate Interest can be used as the justification for storing the data and these requests for consent can be removed.
Communications about the member’s involvement in Scouting are a legitimate interest for all members of Scouting. They count as legitimate interest because, in some way, they support the individual in their Scouting role.
However, for marketing communications (e.g. providing offers, discounts, partnerships or promoted competitions) we do require the member’s consent.
One of the common questions being asked about GDPR is whether different Data Processors meet the GDPR requirements. Particular Data Processors which Leaders have asked about include:
- Online Scout Manager
- Google Forms/Cloud
At present, it appears that all of the above meet the GDPR requirements. Further information on each of them can be found at the relevant links below:
Online Scout Manager: https://www.onlinescoutmanager.co.uk/security.html
Where Data is stored
Another common misperception is that under GDPR all data must be stored within the EU, which would cause a problem for the latter two Data Processors referred to above as they can store the data in the United States. However, the GDPR permits the transfer of personal data to non-EU countries in line with a number of recognised methods. Under GDPR, data can be hosted and processed in non-EU countries as long as the data processor can demonstrate that they have one of the necessary transfer mechanisms in place, which both Google and Dropbox do.
If you have any questions about GDPR you can speak to Brian Muir, Chair of the Risk and Audit Committee, or Martin Elliot, Deputy Regional Commissioner, or e-mail email@example.com.
Martin Elliot, Deputy Regional Commissioner