GDPR and local societies : general advice

Posted on 29th January 2018 by Paul Carter

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.

If your society has an up to date Data Protection policy and effective record keeping procedures, the impact of GDPR is likely to be limited
If your society has no such policy and procedures in place, you will need to work toward compliance with GDPR. You need to identify what you must do in the short, medium and long term. There is no ‘one size fits all’ formula and your strategy needs to be proportionate to your obligations
Best practice guidance on GDPR is provided by the Information Commissioner’s Office (ICO). Its website has much useful information including an action plan and checklists. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

What is GDPR?

GDPR is a piece of legislation which builds on the Data Protection Act, 1998 (DPA). It relates to personal data concerning identifiable, living individuals. The eight principles of the DPA remain the same (see https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/), but the GDPR gives individuals a greater level of control over how their data is managed and requires organisations which hold personal data to explain and justify how this is done. The shift is to greater transparency and accountability.

What is personal data?

Information such as: name, postal and email addresses, career or employment details, date of birth, and financial information such as bank details. It also includes any written comments or opinions about an individual and photographs from which an individual can be identified. Data held on new technology is included: location data on an iPhone, IP address, etc. There are obligations for data processors as well as data controllers and so GDPR applies to external mailing lists (such as MailChimp), cloud data storage providers and out-sourced data management services. Most local history societies are unlikely to hold what is classed as ‘sensitive personal data’ (information about an individual’s sexual orientation, their racial or ethnic origin, criminal record, political opinions, and religious beliefs, etc) and it is strongly recommended that care is taken that your society does not acquire or hold such data to which strict management and retention procedures apply.

What does accountability mean in this context?

Under GDPR an organisation needs to be able to demonstrate why it collects personal data and what it is used for. You need to be able record what data processing activities are undertaken and what measures you have in place to keep personal data secure and up to date. Processing refers to manual (hard copy) activities as well as to electronic record keeping. You must be able to show the individual whose data you hold has clearly given his or her consent. You also need to be aware that consent can be withdrawn at any time and so you also need to facilitate and document such decisions. Subjects have the ‘right to be forgotten’.

What does our society need to do to comply with GDPR?

This will depend on what personal information your society holds, how it collects it and how it keeps it. You may have a membership database or membership forms; a mailing list for a newsletter; Gift Aid statements; details of partners in projects or of people who have donated money or archives or artefacts to your society; you may have attendance lists from events or details of permissions from individuals who are copyright holders in images you have used or publications you have issued. You may have surveyed visitors or members, either in person or online. If you employ staff, you will have HR and payroll records. If you sell goods or services, you will have purchasers’ details.   All these are examples of sources of personal data; there will be many others.

So the first step is to find out what personal information you have and who holds it.

Having clarified these aspects, you then need to look at how and why. Security of personal data is paramount: you need to be clear who has access to it and for what purpose and that everyone involved takes precautions to avoid inadvertent disclosure or inappropriate data sharing. Risk management is essential. Under GDPR you need to be more specific about your justification for keeping personal data. ‘We always have’ or ‘just in case we might need it’ are not adequate reasons. ‘In order to provide you as a member with our regular publications‘ is the type of statement  you should  aim to provide.

What is meant by consent to using personal data?

One option under GDPR – and the one that is probably most relevant to local societies - is to justify your data collecting activities by ensuring you have explicit consent from the individual concerned.  So you need to ask him or her to say ‘yes, I agree’ , rather than assuming silence means consent. The means of contact – email, social media, telephone, etc. -  also need to be clearly stated. You should check your existing mailing and membership lists and take action accordingly. There are many templates available for consent forms which can be adapted to specific circumstances. See the ICO website (address above) or https://www.itgovernance.eu/blog/en/how-to-create-gdpr-compliant-consent-forms/ or   https://dma.org.uk/article/gdpr-in-practice-tick-box-consent-forms

Does our society need a privacy notice?

Yes. You need to state how you will safeguard the personal data you hold and this is the purpose of a privacy notice. It should be on your society website and on membership and other forms. See:https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/privacy-notices-in-practice/

Our mailing lists probably go back several years. What do we do with them?

Check them by contacting the addressee, either by email or by post. If there is no reply within a reasonable period, delete the information. Under DPA and GDPR, you should not hold personal  information for longer than is necessary.

Where can we get further advice?

In addition to the Information Commissioner’s Office, many organisations provide advice and guidance on GDPR. For local societies, one useful source is the NCVO website. See: https://www.ncvo.org.uk/practical-support/information/data-protection

Because each society is different, BALH cannot provide specific advice, but if you have a general query, please email:admin@balh.org.uk and we will try to help with sources of information.