The GDPR replaced the 1995 EC Data Protection Directive and introduced new requirements for the processing of personal data. In the UK, the Data Protection Act 2018, which incorporates the provisions of the GDPR, has replaced the Data Protection Act 1998.
If your Big Local partnership holds personal data about individuals, including volunteers, members of your community, residents and others, you should be aware of the GDPR’s requirements and consider the steps you might take to ensure compliance.
The key data protection principles in the GDPR are similar to those in the previous Data Protection Act. The major difference between the GDPR and the old data protection regime is the provisions for accountability. Whereas the old law was based on a ‘checklist’ approach to data protection, the new law is designed to make data controllers more accountable for their data processing activities. This means that data controllers must maintain an overview of their data processing activities (what data they hold, why, and who it is shared with), be sure that they have a lawful basis (valid reason) for processing the data, and, where necessary or appropriate, introduce specific policies and practices that meet the GDPR requirements and can demonstrate that compliance if asked.
Personal data is any information relating to a living individual who can be identified from it, either directly or in combination with other information. This could be a name, photograph, address, phone number or email address. It is important to remember that personal data may be held electronically, but it may also be held in other forms, such as paper records, photographs, etc. The GDPR applies to all of your personal data processing activities and to everyone whose data you keep. This includes employees, volunteers, members of your community and residents, supporters and donors. These people are your “data subjects”, and they have rights to seek information and redress in respect of what you do with their personal data.
“Special categories” of personal data – formerly known as “sensitive data” – include information concerning an individual’s race, ethnic origin, politics, religion or philosophical beliefs, trade union membership, genetics, biometrics (where used for identification purposes), health, sex life or sexual orientation. Processing these categories requires, in addition to a lawful basis, one of the specific conditions set out in the GDPR (for example the individual’s explicit consent), so you should record which condition you rely on.
“Data processing” means just about anything that you may do with the data, including collecting or receiving, recording, storing, consulting, sharing, backing up, updating, sending, deleting etc.
The GDPR requires that personal data must be:
To be compliant with the GDPR, organisations or groups must ensure that they have at least one lawful basis (valid reason) for each use they make of the personal data they hold, and they should record which basis applies to which processing. The lawful bases include (but are not limited to):
While it is often assumed that “consent” is the only or most important lawful basis for processing personal data, the other lawful bases are actually much more widely used in practice. Under the GDPR, consent is particularly important where you intend to contact people repeatedly to provide information about and/or “market” your services. In these instances, you should seek the clear and unambiguous consent of the data subject to receive such communications, keep a record of when and how that consent was given, and make it as easy to withdraw as it was to give.
The GDPR also extends the rights of those whose personal data you hold: to access their information, to withdraw their consent or object to the processing, and to request the correction or deletion of inaccurate or obsolete data. In simple terms, this means people can make requests at any time to check what data you hold and what you do with it, and that you are under a legal obligation to respond, normally within one month and free of charge. If the data subject is unhappy with your response, they have the right to seek redress from a regulator (in the UK this is the Information Commissioner’s Office).
Under the GDPR, the “data controller” is the person or organisation that (either alone or jointly with others) decides the purposes for which, and the means by which, personal data is processed. A “data processor” is an individual or entity that processes the data on behalf of a data controller and on its instructions. The GDPR places legal obligations on both the data controller and the data processor, and distinguishing between the two is important in establishing lines of accountability. As a controller you must ensure that your contracts with processors meet the standards of the GDPR (for example, that they cover security measures, confidentiality, breach notification and what happens to the data when the contract ends); as a processor you have direct obligations of your own and may be legally liable for data breaches.
Local Trust has reviewed its data processing activities and relations with partners and service providers to ensure that it complies with the GDPR. While Local Trust is not responsible for the data processing activities of its Big Local partnerships or locally trusted organisations, it does expect individuals and organisations collecting personal data in the course of their Big Local work to comply with the GDPR.
As a “data controller” it is your responsibility to comply with the GDPR and to seek assurance that any data processors you engage (for example, providers of email, mailing-list, survey or cloud storage services) also comply with the GDPR. To meet your responsibilities under the GDPR you (as the partnership or locally trusted organisation) may wish to:
We recognise that the new regulation means you might decide to delete data you hold because you cannot identify a lawful basis for keeping it, or because you no longer need it. If this is the case, you will also need to consider how you will collect and process personal data compliantly in the future.