Are you ready for GDPR?

"What is GDPR?"
GDPR means "General Data Protection Regulation". It is a new law that comes into effect on 25th May and it affects how TRAs handle people's personal data.

"I don't handle anyone's personal data!"
If you help run your TRA, yes you do! If you take an attendance list, you collect personal data. If you take, distribute, and/or publish minutes for your meetings, you share personal data. If you collect phone numbers, emails, or any other information about your members or people who come to your events, you handle personal data.

"What will I need to change?"
Possibly nothing. But you should review how you get your data and what you do with it afterwards to make sure you are following the new rules.

"They'll probably never do anything about it!"
You can never be sure. Although it is impractical to inspect every small organisation on a regular basis, all it takes is for one council officer to have a few extra boxes to tick, and you may end up having to show you are in compliance.

"What's the worst that could happen?"
If you break the rules, you face a fine of £20 million or 4% of turnover, whichever is greater.

"OK, you have my attention. Tell me how it works."
Here are selected points from a useful intro from the Information Commissioner's Office. If you are responsible for data at your TRA, you should read the original guide in full and get to know the ICO site.

Information you hold - You should document what personal data you hold, where it came from and who you share it with.

Communicating privacy information - Whenever you collect data, you need to show people a privacy notice, saying what you are collecting, why, and who will have access to it.

Individuals’ rights - The new rules bring in a set of rights including the right to be forgotten ("delete all the data you hold on me") and the right of access ("give me a copy of all my data that you have"). You will need systems in place to deliver those rights.

Lawful basis for processing personal data - You need to write a legal justification explaining why you need the data you collect. It must relate to the purpose of a TRA as defined in your constitution. For example, you may collect email addresses for the purpose of notifying members about meeting dates. You need to mention the reason you need the data in your privacy notice.

Consent - Under GDPR, people must opt in when they give you consent. You may need to update your attendance sheet, mailing list signup and other forms to have the right consent wording. A simple tick box saying "don't send me a newsletter" is not enough. A minimum should be something like "by providing my details I consent for xxx TRA to collect my data according to their privacy notice". Read more about consent on the ICO website to see what you need.

Children - You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent to use personal data about children.

Data breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. A breach could be a hacker stealing data (less likely) or a committee member losing data or accidentally sharing data with the wrong person (more likely).

Data security
Make sure anything kept on a computer is secure. Follow best practice for computer security. The list below is a summary, but you can read more on the Government's Cyber Essentials website.

  • Have a strong password for your computer, your email, and any other account that holds other people's personal data. It should be hard to guess and contain uppercase and lowercase letters, numbers, and symbols.

  • Do not share your password with anyone. If several people need access to an email account or a shared computer, there are ways of setting up access for each person with a separate password. SGTO is there to help you with things like this if you need it.

  • Do not keep data on a portable device that could be stolen, or if you do, encrypt it. USB sticks can be encrypted with a password. Laptops and tablets can also be set up to have their stored data encrypted.

  • When you send an email containing personal data, double-check the recipient(s). Emails sent to a misspelled address are a common type of data breach.

  • If you are sending an email to a group of members, always use the BCC field for the members' email addresses. If you use TO or CC, then everyone who receives the email can see the full list of recipients. You would be effectively broadcasting confidential information to everyone on the list.
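The BCC point above can be checked rather than just remembered. The following Python script is an added example, not part of this page or of any SGTO material: it builds the same group email two ways, once with members in the TO field and once with members kept out of the headers entirely (the BCC approach, where the member addresses are handed to the mail server separately as envelope recipients), and then runs a simple pre-send check that refuses any message whose headers would reveal a member's address. The sender and member addresses are constructed sample values.

```python
from email.message import EmailMessage

# Constructed sample data (not from the page): a committee member's address
# and a few member addresses that must not be disclosed to one another.
SENDER = "secretary@example-tra.org"
MEMBERS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def build_group_email_wrong(sender, members, subject, body):
    """Puts every member in the To header: each recipient sees the whole list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(members)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_group_email_bcc(sender, members, subject, body):
    """Keeps members out of the headers entirely.

    The message is addressed to the sender's own address; the member
    addresses are returned separately as the SMTP envelope recipients.
    No Bcc header is written at all, so there is nothing for a mail
    client or server to forget to strip.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # a To: header is expected; point it at yourself
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(members)


def leaked_addresses(msg, members):
    """Return the member addresses that appear anywhere in the message headers."""
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return [m for m in members if m in header_text]


def check_before_sending(msg, members):
    """Pre-send check: (True, []) if safe, otherwise (False, [visible addresses])."""
    leaks = leaked_addresses(msg, members)
    return len(leaks) == 0, leaks


if __name__ == "__main__":
    subject = "AGM on 12 June"
    body = "Dear member, the AGM is on 12 June at the community hall."

    wrong = build_group_email_wrong(SENDER, MEMBERS, subject, body)
    ok, leaks = check_before_sending(wrong, MEMBERS)
    print("TO/CC version safe to send?", ok, "- visible to every recipient:", leaks)

    safe, envelope = build_group_email_bcc(SENDER, MEMBERS, subject, body)
    ok, leaks = check_before_sending(safe, MEMBERS)
    print("BCC version safe to send?", ok, "- visible to every recipient:", leaks)
    print("Envelope recipients (given to the mail server, never shown in headers):", envelope)
    # Actual delivery would be: smtplib.SMTP(host).send_message(safe, to_addrs=envelope)
```

The same principle applies in an ordinary mail client: put your own address in TO, the members in BCC, and nothing else in CC. The script's check is the mechanical version of glancing at the TO and CC boxes before pressing send.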
