GDPR – What should I be doing?
Advice from Martin Elliot, Deputy Regional Commissioner
In last month’s newsletter, I introduced the new General Data Protection Regulation (GDPR), a new EU law that will come into effect on 25 May 2018, and will govern how organisations, including Scout Groups, Districts and Regions, process personal data.
Since then the Scout Association has released its GDPR Toolkit, a step-by-step collection of tools that includes ‘how to’ videos and support materials prepared by Black Penny Consultancy to help local Scouting, and specifically local Executive Committees, to work towards alignment to the GDPR.
This article provides some initial guidance on how groups and districts within the Region can start working towards compliance with the GDPR requirements, but for a fuller guide I would encourage all groups to make use of the Toolkit as they prepare for this new legislation.
Does GDPR apply to us?
GDPR will apply to all groups and districts within the Region, regardless of size and charitable status. This is because each group and district is a “Data Controller” and as such processes sensitive personal data.
It is important to note that groups and districts already have this Data Controller responsibility under the existing Data Protection Act, so any processes that you already have in place to meet this responsibility will provide a strong basis for your requirements under GDPR.
Data Controller
The owner and user of the gathered personal data. This is anybody gathering and retaining personal data.
Personal Data
Any information that can be used to identify an individual. This information could be names, addresses, telephone numbers or more sensitive information such as religion, ethnicity and disabilities. May also be referred to as Personally Identifiable Information (PII).
Sensitive Personal Data
Personal data revealing religion, ethnicity, political opinions, sexual orientation or data concerning health.
The Information Commissioner’s Office
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
What data do we process?
Groups and Districts store a large amount of information:
- Personal Details such as names, addresses, email addresses, phone numbers, membership numbers
- Sensitive personal details such as religion, ethnicity, sexuality and medical/health information
- Participation, event, activity, badge and training records
- Complaints, disputes, suspensions
- Safeguarding information
Thus, they have to be aware of their responsibilities under GDPR.
What should we do?
It is important that trustees of groups and districts recognise that they are collectively responsible for compliance with the GDPR and invest time in understanding the responsibilities that it places upon them.
The Information Commissioner’s Office, which regulates Data Protection in the UK, has produced a 12-step checklist for preparing for GDPR which provides a useful guide for Executive committees looking to identify what actions they need to take.
The rest of this article is based on a subset of these 12 steps and provides some more information about what each means for your group or district.
1 Awareness
Make sure that trustees in your group and district are aware that the law is changing to the GDPR and that they appreciate the impact this is likely to have. This article is designed to help increase awareness among groups and districts, and The Scout Association has produced a What is the GDPR document as an introduction for members.
2 Identify information you hold
As highlighted above, each group and district holds a large amount of data, so it is important that all personal data and sensitive personal data held relating to individuals (youth members and adults) is identified. For all data held you should also identify:
- How and where the data is processed. If this is delegated to a Data Processor such as Online Scout Manager, their data protection policies should be checked.
Data Processor
This is a company or individual who processes the information on behalf of the data controller.
- Why is the data processed? If you cannot answer this question then it probably means you shouldn’t be holding the data!
- How long the data should be held for. Data on young people or adults should not be held for longer than is required; for example, any data relating to a young person should be removed when they leave the group.
The GDPR Toolkit released by the Scout Association includes a Data Inventory which will serve as a useful starting point for any executive committees looking to carry out a Data Identification exercise.
3 Communicating Privacy Information
When collecting information, we need to ensure that we are transparent about why we are collecting the data and what we are going to do with it. Any information forms that you use for collecting personal data – e.g. joining forms, event forms – should include information on the following:
a. your identity and how you intend to use their information.
b. your lawful basis for processing the data (see step 6 below)
c. your data retention periods
d. individuals' right to complain to the ICO if they think there is a problem with the way you are handling their data.
GDPR requires the information to be provided in concise, easy to understand and clear language. This can be provided on the form or by referring to a published Privacy Notice.
4 Individuals' Rights
GDPR provides individuals with greater rights. It recognises that using data for communication to young people, parents/guardians or adult volunteers is essential for the effective operation of groups and Districts and categorises them as necessary to fulfil your role. However, this communication should only be for the purposes of the group and district and not for further advertising e.g. fundraising events unless the person receiving the communication has specifically opted-in.
5 Subject Access Requests
These are not new, as individuals have always had the right to make a Subject Access Request, but GDPR reduces the time data controllers have to comply to one month and removes the £10 charge data controllers could previously levy on those making a request.
Subject Access Request
A process for executive committees to use when responding to Subject Access Requests can be found in The Scout Association's Guide to GDPR Subject Access Request process.
6 Lawful Basis
Many executive committees will never have thought about their lawful basis for processing personal data, but under GDPR individuals' rights depend on the lawful basis for processing their personal data, so it is important that this lawful basis is identified. There are a number of lawful bases under which data can be used, but the most relevant for Scouting are:
- Consent – The individual has given consent for their data to be used.
- Compliance with Legal Obligations – Legal obligations e.g. Disclosure Checks supersede GDPR
- Legitimate Interest – the use of personal data by a data controller is deemed necessary (e.g. to provide the product or service) or would reasonably be expected by a data subject
A Lawful Processing Records tool is included in The Scout Association's GDPR Toolkit and provides a starting point for Executive Committees looking to establish the lawful basis for processing personal data.
For any data for which the Consent lawful basis is used, a positive opt-in is required, i.e. pre-ticked boxes, presumed consent by silence, opt-outs or any other method of default consent cannot be used.
For the first time, the GDPR will bring in special protection for children’s personal data. GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
9 Data Breaches
Executive committees need to put procedures in place to effectively detect, report and investigate a Personal Data Breach. GDPR brings a duty to notify the ICO within 72 hours of a personal data breach, or risk a significant fine.
Personal Data Breach
Where a breach is likely to result in a high risk to the rights and freedoms of individuals – e.g. leaves them open to identity theft – groups and districts are required to notify those concerned directly.
10 Data Protection Officers
Under GDPR, it will be mandatory for organisations processing personal data on a large scale as a 'core' activity, for systematic monitoring purposes or involving sensitive personal data, to appoint a Data Protection Officer (DPO). Scout Units, as smaller organisations operating locally, will not be required to appoint a DPO. However, Executive Committees must ensure that they can fulfil their obligations under the GDPR, and it is therefore advisable to allocate an executive member to oversee GDPR compliance wherever possible.
Working through these steps will provide Executive Committees with a clearer idea of what is required to ensure that they are compliant with GDPR.
The Risk and Audit Committee of the Regional Executive will continue to review the implementation of GDPR and provide updates where necessary. If you have any questions about GDPR you can speak to Brian Muir, Chair of the Risk and Audit Committee, or Martin Elliot, Deputy Regional Commissioner, or e-mail firstname.lastname@example.org.