GDPR is live – What now?
By the time you read this, the new General Data Protection Regulation (GDPR) will have come into effect and will govern how all Scout Groups, Districts and Regions process personal data.
Hopefully this will not come as a surprise. You will, we hope, have read the GDPR Advice we previously produced in preparation for the new regulation, made use of the GDPR Toolkit, and your Group and/or District will be ready, or at least taking steps to be ready, for the new rules. If not, now is a good time to review those resources and identify what steps, if any, your Group or District still needs to take to comply with the regulation.
In this article, we cover a few GDPR topics which have arisen since we published our previous articles.
GDPR Training Module
You may have noticed from other communications that a new eLearning module focusing on GDPR has been released. It is mandatory for all adult members, including members of Executive Committees. The eLearning takes about 25 minutes to complete and can be found on the Scouts UK website.
Being able to demonstrate that adult volunteers within Scout Groups, Districts and Regions have been made aware of their responsibilities through this training is an important part of demonstrating GDPR compliance. Keep a record that the training has been completed; it can now be recorded as a module on Compass.
As with other modules, the LOVE principle (Learning Optional, Validation Essential) applies: as well as completing the eLearning, you should meet your Training Advisor (TA) to review the validation criteria and confirm that you meet them. If you do not have a Training Advisor, any current TA can validate the module, so ask your line manager who in your Group or District is able to validate it. Where appropriate, the module can be validated for a small group of adults together, provided the TA is satisfied that each of them meets the validation criteria.
Do I need to ask for Consent?
There is a common misperception among some leaders that under GDPR we now have to ask for members' consent every time we store or use their personal data; as a result I have seen personal details forms stating that we require the member's consent to retain the data.
Under GDPR there are several lawful bases for holding someone's data. Consent is one of them, but if you rely on consent then a member who declines to give it, or who later withdraws it, leaves you with no basis on which to hold their data at all. To avoid this problem, in most cases Legitimate Interests can be used as the lawful basis for holding membership data, and the requests for consent can be removed from the forms. Note that relying on legitimate interests means you must be able to show that the member's own interests and rights do not override yours, so it is worth keeping a short written note of that reasoning alongside your other GDPR records.
Communications about a member's involvement in Scouting are a legitimate interest for all members of Scouting, because in some way they support the individual in their Scouting role.
However, for marketing communications e.g. providing offers, discounts, partnerships or promoted competitions we do require the member’s consent.
Data Processors
One of the common questions being asked about GDPR is whether particular Data Processors meet the GDPR requirements. Those that Leaders have asked about most often include:
- Compass
- Online Scout Manager
- Google Forms/Cloud
- Dropbox
At present, all of the above appear to meet the GDPR requirements. Using a compliant processor does not remove your own responsibilities, however: your Group or District remains responsible for the data it puts into these services, and for third-party services such as Google and Dropbox you should make sure you have accepted the provider's data processing terms, since GDPR requires the relationship between a controller and its processor to be governed by a written contract. Further information on each of them can be found at the relevant links below:
Compass: https://compasssupport.scouts.org.uk/?faq=is-data-on-compass-secure
Online Scout Manager: https://www.onlinescoutmanager.co.uk/security.html
Google: https://services.google.com/fh/files/misc/gdprwhitepaperenglish.pdf
Dropbox: https://www.dropbox.com/security/GDPR
Where Data is stored
Another common misperception is that under GDPR all data must be stored within the EU. That would be a problem for the last two Data Processors listed above, since they may store data in the United States. However, GDPR permits the transfer of personal data to non-EU countries under a number of recognised mechanisms. Data can be hosted and processed outside the EU as long as the data processor can demonstrate that one of these transfer mechanisms is in place, which both Google and Dropbox state that they do (see the links above).
If you have any questions about GDPR you can speak to Brian Muir, Chair of the Risk and Audit Committee, or Martin Elliot, Deputy Regional Commissioner, or e-mail communications@sesscouts.org.uk.
Martin Elliot, Deputy Regional Commissioner