GDPR can seem complicated and difficult to understand, particularly for community groups. We’ve produced some information for Big Local partnerships, chairs, support workers and LTOs. But to help you get started, we’ve also put together some top tips on the issues you need to think about. These tips are not a comprehensive guide to GDPR, and aren’t intended to replace the information, or any advice you receive from your LTO. But they should help you to start thinking about the sorts of things that are important when dealing with your GDPR obligations
1. What is GDPR and what does it apply to? GDPR is a new set of rules about how you manage both data you hold now and data you might collect in the future. If you as an individual or partnership collect and store personal data, then GDPR applies to you. This might – for instance – include newsletter mailing lists, results of consultations and engagement activities, names and addresses of people that attended community events, or even lists of previous partnership members. As an individual or a partnership you need to consider whether you hold data of this sort, and if so put in appropriate steps to ensure that you are complying with the legislation.
2. Does it apply differently to workers and partnership members? GDPR applies to everyone who holds personal information. Where your worker holds data the LTO, or employing body where different, will will be responsible for ensuring they comply with GDPR. You may find it easier to leave collecting and storing data to your worker but you should still check that your LTO has put necessary GDPR policies in place.
3. Three key questions to ask. Regardless of when or how you collected data previously if you hold personal data, you now need to look at the data you hold and ask yourselves:
- do you have evidence of permission to have that data and for what purpose was permission given? If you aren’t sure about where the data came from, whether permission was given for a particular and limited purpose or if it’s unclear, then you might want to consider if you still have a good reason for keeping hold of it. If not, delete it
- do you still need all or some of the data? Depending on how you use the data you might find that some or all of the data is no longer relevant.
- who has access to the data and is it secure? Think about who has access to the information and consider whether this is appropriate, if other people can view or edit the data and what measures you can put in place to ensure it is safe and secure.
4. Don’t collect more data on individuals than you have to and don’t collect data you don’t have a good use for. GDPR is all about protecting personal data. The less data you collect and store, the less you need to worry about getting it right. For most Big Local partnerships the sort of data you might want to keep is probably limited to name, address, phone number and email addresses residents who are interested in Big Local. GDPR also means that you need a good reason for keeping hold of personal data. If you aren’t planning to use it, delete it.
5. Make sure people know what their data is being collected for, and clearly agree to that use. GDPR requires that people consent to how you use their personal data. Make sure that when you collect personal data from them, you get their agreement for it to be used in the way you plan to. So, for example, if you are collecting email information so that people can be contacted about upcoming events, make sure they indicate on the form you use to collect that information that they are happy for their information to be used in that way; if you are collecting emails to publish on a contact list, make sure that people indicate they are happy for you to use it in this way.
6. Take care to look after personal information carefully. You shouldn’t share personal data unnecessarily and when you do share information – for example an email list to enable someone to send out your monthly newsletter – make sure those you are giving the information don’t share it with third parties, protect it from being accessed by others and ensure it is properly protected.
7. Make sure that your data is up to date. GDPR requires you to ensure that any information you hold on individuals is up to date. If you keep membership records, ensure that you periodically check that information is correct, and update it/delete it as necessary. You should also periodically check if people are still ok with your holding their data.
8. Take particular care of “special classes” of information. Sometimes you may collect more personal information on an individual – for example their race, ethnic origin, politics, religion, trade union membership, health or sexual orientation – perhaps to enable you to monitor the effectiveness with which a project is being delivered within a diverse community. This sort of potentially sensitive information needs to be more carefully protected than other types of information. We do not expect partnerships to hold this type of sensitive information – if that sort of information does need to be collected and used, you are better off leaving it to your worker, who will be subject to GDPR obligations falling on your LTO.
9. Photos are also classified as personal data. Personal data isn’t just about birthdays and email addresses – if you are taking a photo of someone for your records you need to ensure that you keep a record of their consent to your storing and using it.
10. If in doubt, check with your LTO! Your LTO will also be subject to GDPR and may have received advice on how best to comply. Where a Big Local worker is holding data they will be subject to any rules put in place by the LTO. You may find it easiest to ensure that your rules and guidelines are kept in line with theirs.