Becoming GDPR Compliant – for member organisations & committees
MFCHA have consulted with specialist data consultants, Ordered Company Ltd. Together with Michelle Bevan, a qualified solicitor and data consultant from Ordered Company Ltd, we have been working on how to bring the MFCHA organisation in line with the new GDPR regulations and to find out what you, the membership, need to do to comply.
Below are sections that will help guide you to becoming GDPR compliant:
- an explanation of the data protection principles
- our guide to understanding the basics of GDPR
- FAQs that relate to scenarios that you, as an organisation/committee, would be likely to face
- downloadable documents to help you comply (Privacy Policies and Consent Forms as editable templates)
- useful links for further information and self-assessment checks
Data Protection Principles:
- Process lawfully, fairly and in a transparent manner.
- Data is collected for specified, explicit and legitimate purposes and not processed further in a manner which is incompatible with those purposes.
- Data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
- Data is kept in a form which permits identification of data subjects (people) for no longer than is necessary for the purpose.
- Data is processed in a manner that ensures appropriate security of the personal data held.
In clear terms, this means:
- You only use the data held for organisation/committee business (legitimate interest) and NOT for future marketing campaigns etc.
- You are only holding the data needed to perform as an organisation and are NOT holding irrelevant data on the individuals.
- You should only hold the data for as long as is necessary for the purposes of processing it, or for as long as your organisation/committee deems fit to hold such records. There are no laws defining the length of time to hold this data.
- All data is subject to security basics, such as password protection of PCs/laptops and locked filing cabinets for paper records, and is not accessible to non-authorised eyes.
GDPR – The Basics
What is personal data?
Personal Data as defined by the ICO (Information Commissioner’s Office):
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (i.e. email address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Security of Data held.
You must ensure that you have appropriate security measures in place to protect the personal data you hold. In practice this means that if you store personal data on a PC or laptop you MUST ensure that:
- Your PC/laptop is password protected
- It has all of the latest security patches for the operating system installed (e.g. Windows updates)
- Has antivirus software installed to prevent malicious attacks
And if you only hold paper records you MUST ensure that these are kept in a locked drawer/filing system and are secure at all times.
Data Controller & Data Processor –
Each organisation/committee would be the Data Controller and must have a Data Processor (i.e. someone who sends out minutes and emails on behalf of your organisation/committee, the Secretary for example), who is responsible for maintaining the security and integrity of the data held by your organisation/committee.
Consent requires a positive opt-in rather than opt-out. Don’t use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent. Keep your consent requests separate from other terms and conditions, i.e. specific consent forms (templates available below).
- Name any third party controllers/processors who will rely on the consent (i.e. MFCHA – Eileen).
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people, preferably in a log.
- Keep consent under review, and refresh it if anything changes.
Legitimate Interests –
There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
Right to be informed –
- Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
- You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with.
Right of Access –
- Individuals have the right to access the data held on them, and may ask verbally or in writing – your committee/organisation has one month to respond and you cannot normally charge for this.
Right to erasure –
- Individuals can request, verbally or in writing, that their data is erased – your committee/organisation has one month to respond.
Right to restrict processing –
- Individuals can request, in writing or verbally, that their data is restricted; you can still hold the data, just not process it – your committee/organisation has one month to respond.
Right to object –
- Individuals have an absolute right to stop their data being used for direct marketing.
GDPR – Guidance for Halls & Associations – FAQs
What is defined as Personal Data?
The ICO (Information Commissioner’s Office) defines this as:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Does GDPR affect our organisation/committee?
Yes – GDPR affects all organisations and committees as it is a part of the Data Protection Act (you should have a policy already in place for data protection).
Do we need to register with the Information Commissioner’s Office (ICO)?
Not every organisation needs to register. Visit the ICO website and take the self-assessment at https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/ to see if you need to register; the test takes about a minute. You will need to register with the ICO if your organisation has CCTV on your premises. You will also need to be in possession of the appropriate licences to legally operate CCTV.
Do we need a Data Controller or a Data Processor?
Yes – organisations that hold and process data ARE the Data Controllers and you would need a Data Processor, that being the one person responsible for processing the data, such as sending committee emails/minutes round via their distribution lists.
Do we need to obtain consent to include committee members’ names in Meeting Minutes?
Consent from your committee members is required ONLY if your minutes are published anywhere making them available to the public. This could include being pinned onto a notice board, included in parish/church magazines and of course websites.
Do we need to obtain consent from our 100 Club Members?
Only if you publish the winning ticket and its owner’s name in the public domain.
Do we need to destroy previous Meeting Minutes that include former committee members’ names?
No – so long as this data is not being used for marketing purposes and is purely an historical reference document.
Do we need to obtain consent from a hirer of our Hall?
How long can we keep any Hall Hire Agreements beyond the date of hire?
Hall Hire Agreements would be required by your insurance company to be held for six years in case of property damage and three years for personal injury claims. Beyond that, how long you, as an organisation/committee, hold records is a decision for your organisation/committee; there are no rules governing the length of time records can be held.
Do we need consent from our stallholders to contact them about future events that they may be interested in attending, e.g. craft fayres?
If you have had a contract with any of the stallholders (a contract can be verbal or written), then you can continue to contact them by email/phone unless they have told you that they do not wish you to do so, and provided that you tell them that they can stop receiving communications from you at any time (e.g. unsubscribe from emails). If you do not believe you have the correct consents in place to contact the stallholders about future events, you can contact them by post, providing you can justify this as a legitimate interest of your committee.
Do we need to obtain consent to contact our volunteers for help at events etc?
Generally no, as by definition a ‘volunteer’ has put themselves forward and given consent to be contacted (either verbally or in writing); but if you publish their names in the public domain you would need to have consent given. Legitimate interest can also be applied to this scenario, as you need their help to succeed. It is always a good idea to obtain consent from any of your volunteers anyway, just to be certain that any use of their data complies with GDPR.
Do we need consent for people’s images on our website or other published material such as posters?
Yes – an individual can be identified by an image therefore it is classed as Data.
How do we send emails without showing the distribution list?
Sending emails with the entire distribution list visible is against the GDPR regulations, as you are displaying personal data that could identify an individual. The easiest way to comply is to send the email to yourself and use the ‘Bcc:’ (blind carbon copy) field to enter the distribution list. That way each recipient will only see the sender’s email address in the ‘To:’ field of any received email.
Data Audit –
You should audit the data you hold and obtain the necessary consents required to process any of the individuals’ data.
Privacy Policy –
This sets out the rights of the individual and their data. (Templates for website and non-website-owning organisations are available to download and customise below.)
Consent Forms –
Consent forms must be filled out for all members of your organisation/committee and for any other individual whose data you are holding/processing. (template available to download and customise below).
Record Keeping –
A log of consents and their subsequent amendments should be kept so that if any individual challenges you on the holding/processing of their data you have a record of such consent and/or amendments of that data held.
GDPR Compliance Templates for your use:
These templates are editable Word documents, all of the areas to be edited are highlighted in red, just download and amend to suit your requirements.
Useful Links relating to GDPR & Organisations Compliance:
Information Commissioner’s Office Website
Here you can find a wealth of information about how to comply, along with self-assessments to work out where you are not complying; we have included a few links below to get you started.
Below are the collated notes from the GDPR Awareness Session laid on by the Joint Community Councils (JCC), setting out some do’s and don’ts that you may find useful.
GDPR – What things SHOULD WE DO with personal data?
- Individually obtain consent, and ask permission to hold information.
- Members need to know why we store information.
- Make all committee members aware of the Data Protection Agreement.
- If using CCTV, make sure it is not hidden. Put up a notice telling people that it is there.
- Keep a record of all GDPR discussions so all aware of what we as an organisation/committee do to comply.
- Shred hard copies rather than bin them.
- Think about GDPR processes when starting new projects.
- Password protect laptop, computers, tablets and mobile phones.
- Agree on a procedure for your organisation/committee for contacting ICO about a breach.
- Ask for permission to share.
- 100 Club Members : ask to hold name and telephone number and only publish minimal information regarding the winning tickets.
- Ask permission for membership forms, constitution documents and signatures.
- Agree which hardware to use for photos and where to archive securely.
- Put disclaimer sentence saying that info can be removed at any time.
- Develop internal policies and procedures and add to constitution.
- Make contact with ICO and check to see if it is necessary to register.
- Get consent from employees and volunteers.
- Provide training during normal working hours (where necessary).
- Keep minimum amount of data and keep appropriate records secure.
- Keep data for the minimum time necessary.
- Set up a policy for different types or people and projects.
- How long should data be kept? 6-12 months? Keep it no longer than you need it for.
- Inform visitors / speakers that minutes are uploaded to website (if appropriate).
- Locked Filing Cabinet
- Data Security/ Shredding
- Do Computer Updates
- Use Antivirus Software
- Upgrade computer software if it is out of date.
- Keep an audit trail or notebook of what data has been deleted or destroyed.
- Contact the ICO within 72 hours if you have had a breach.
- Record the details of the breach and make other relevant people aware.
- Attend and pass on Data Protection training to other members.
GDPR – What things SHOULD WE NOT DO with personal data?
- Don’t leave equipment lying around.
- Stop using USB sticks (and wipe the information off existing ones).
- No sharing of Personal Data without prior permission.
- Don’t hold onto information longer than is necessary for the event or specific purpose.
- Don’t continue as is
- Don’t go without a password on computers and phones.
- Don’t put personal data in the general rubbish bin.
- Don’t share data that you don’t have consent for.
- Don’t forget to do computer updates.
- Don’t go without antivirus software.
- Don’t ignore breaches.
- Don’t fail to ask about, or bother with, consent.