General Data Protection Regulations

From 25th May 2018 the new General Data Protection Regulations (GDPR) will be in place, replacing the current Data Protection Act.  The new regulations will apply to all types of organisations and although this legislation isn't aimed at bands, it will affect them.  It is something you should be aware of and it may mean making some changes.

Personal data

Individuals currently have rights over their data.  These rights have been extended in GDPR; for example, individuals now have the right to access, amend and object to the use of their data. The definition of 'personal data' has been expanded to cover anything that can be used to identify an individual: their name, postal address, bank details, ID/membership number, personal contact details or photographs (yes, if you can identify someone in a photo this is now defined as their personal data).  Be aware of all the data you hold on someone.  Always think: could someone identify a person from this data? If you're storing information properly and securely then this shouldn't prove to be a problem.

Reason, Consent and Legitimate interests

  • Reason: Under GDPR you should not be collecting data if there isn't a good reason to do so.  So unless you have a legitimate reason for having and using data - don't ask for it.
    • Consider the data you currently hold and decide if you need it.
  • Consent: Previously consent could be implied by inaction or silence (a pre-ticked box or, 'unless you tell us otherwise we will email you').  Under GDPR consent will have to be proactive, i.e. an individual will have to take definitive action to say 'you can have and use my data' (e.g. they tick the box rather than it being pre-ticked).  They should also have access to a clear and specific privacy statement that explains what the data they are providing will be used for.
    • Change how you ask for consent.
    • Historical opt-ins will need to be looked at.
    • You may have to develop a few different privacy statements.
  • Legitimate interests: Some situations won't require positive consent as the use of data is implied.  For example, emailing a member about a rehearsal change or a reminder about subs being due.  This being said, members should still have access to clear and straightforward information about how their data will be kept and used.
    • When someone provides data that will be used in this way, make sure privacy statements are readily available for them to read when they sign their data over.
    • Regularly review (every year/two years) the data you hold to decide if it is still relevant to your band.

Retention

Under GDPR you will have to be more careful about how long you keep data for; if you no longer need it, you shouldn’t have it.

  • Regularly review (every year/two years) the data you hold to decide if it is still relevant to your band.

Secure storage of data

  • Rules around how you store data have not changed too much:
    • Any electronically held data should be in a password-protected, secure environment, and passwords should be changed regularly and with each personnel change (e.g. on the committee).
    • It can be easy to focus on digital/electronic data but physically held data should be kept secure too.  Keys should be kept track of/combination codes changed regularly and with each personnel change (e.g. on the committee).

Under GDPR you also need to consider how your data is stored by third parties such as Google Docs or MailChimp.  It is your responsibility to ensure they are compliant with GDPR. Generally, larger organisations will have bases in the EU and will be GDPR compliant.  Smaller organisations may be storing data outside of the EU, so make sure you are aware of this.

  • Review your storage policies as a matter of good practice.
  • Think about which third parties you use (a quick internet search will tell you if they are aware of and on top of GDPR).

Documentation and processes

With GDPR, you must be able to show that you are compliant.  So having policies, processes and privacy statements in place to show that you are treating data responsibly is important, as is having evidence of consent being given.

  • Review and update your current documentation.

Does all this really apply to us?

From a band leader's/committee member's point of view GDPR might seem like a lot of work for you to do, but it applies to all organisations, from multi-national banks to local community organisations. GDPR is there to protect individuals and to make sure organisations act responsibly.  We expect banks to be compliant, and data breaches can cause significant damage to an organisation's reputation.  Whilst a band is obviously different to a bank, people still have the right to expect that their data is well looked after. Most of it is common sense and you don't need to get bogged down in the regulation.  Just bear these three things in mind:

  1. The work done now will help your group in the long run.
  2. GDPR takes effect from 25th May 2018.
  3. The spirit of GDPR: The overarching aim and spirit of GDPR is that individuals’ data is treated fairly, reasonably and transparently.  You may well be faced with a situation where there is a choice for you to make between the absolute letter of the law, and acting within the spirit of GDPR and the best interests of your group.

Finally – what about Brexit?

GDPR is EU regulation and it will also be the regulation for data protection in the UK as of May 2018.  Once the UK has left the EU, changes to the GDPR framework will be possible, but the principles of data protection set out in GDPR are unlikely to change.  You can read the more in-depth guide from Voluntary Arts here.