ALG Issue 2 2018, page 7
Legal
Next steps to GDPR
The deadline is getting closer
As outlined in the last article, in ALG 4 2017, the General Data Protection Regulation (GDPR) introduces key changes that will need to be addressed even by Allotment Associations. The regulation applies to any data controller or data processor, so if you collect personal data in the running of your organisation, it applies to you.
The Regulator itself is the best source of direct information: www.ico.org.uk
However, the National Allotment Society is happy to provide guidance on specific members’ queries as they arise. The GDPR has been published and comes into effect on 25 May 2018. However, important sections are still subject to consultation by the Information Commissioner’s Office (ICO), which will then issue guidance to assist organisations of all sizes.
The issue is further complicated by Brexit: the GDPR will come into force before the Brexit date in 2019. The UK will then pass its own updated data protection law, which must incorporate the GDPR requirements, but there may be further changes. Whilst there are compliance issues to work through, the principles of data protection will remain largely as they are now.
TOP TIPS TO START YOUR JOURNEY TO THE GDPR
PROCESS
To some extent, associations and societies are likely to have fairly limited data processing activities. The first step is to assess those activities. The five ‘Ws’ are a good place to start a data mapping exercise (see below).
This will be directly beneficial in securing compliance under the new data protection law: the association or society must know what it does with data. The data map will then help you draw up an information notice (privacy notice) that records the purpose and legal basis for processing data, which is a requirement under the GDPR.
An association or society needs to complete an overview of how it handles data by asking five key questions:
WHY / WHO / WHAT / WHERE / WHEN
Why? What is the purpose or reason for holding the data?
Who? Whose data is being held?
What? What data is being held?
Where? Where is the data being held (paper files, a spreadsheet on a committee member’s laptop, an email account, a cloud service)?
When? How long is the data held?
AWARENESS
Ensure your volunteers are aware of the principles of the GDPR and of data protection issues; also, who they need to tell if they receive a subject access request, and what to do if there is a data breach (a breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of the association becoming aware of it).
GDPR principles for processing data:
• Lawful, fair and transparent
• Purpose limited
• Adequate, relevant and limited to what is necessary
• Accurate and kept up to date
• Kept no longer than necessary
• Data security: technical and organisational measures, protection from breach, notification of breach, planning
• Accountable: able to demonstrate compliance
POLICY
Ensure that the policies and procedures that you have in place help your volunteers to deal with data protection issues.
Make sure you have a process for collecting and storing data, and make sure there is a named person whose job it is to follow those procedures. If you are a one-person or small organisation this does add a layer of work, but you have to do it to be compliant. A flowchart of your processes will usually be enough, and it is then something you can pass on or show to others, who will be able to follow your procedures easily.
Have a consent form that asks people’s permission to store their details and tells them what you do with those details. This is the ‘opt in’ or consent policy. You can make this consent policy part of your one-page document, but make sure that they have a copy and you have a signed copy. Under the GDPR consent must be a clear, affirmative action (no pre-ticked boxes or silence) and can be withdrawn at any time; it is also only one of the lawful bases, and where the data is needed to administer a member’s plot tenancy or membership, the contract with the member may be the more appropriate basis to record in your privacy notice.
COMMUNICATION
By law under the GDPR, you must tell people about the data of theirs that you hold and what you will do with it; in particular, you must justify your use of the information. The GDPR requires you to give much more information than you do now.
Issue a privacy notice
You must provide a privacy notice before or at the time you take people’s information. If you receive personal information indirectly from another organisation you must provide a notice within a reasonable time, and no more than a month later.
What is in the privacy notice?
Under the GDPR, notices must:
1. Use clear, concise and accessible language
2. Identify who controls the data
3. Explain the purpose for which you are holding the data, the legal basis, and the justification for holding it
4. Identify any other entity that the data might be sent to
5. Say if you intend to transfer the information to an organisation based outside the EU
6. Say how long the information will be stored
7. Explain people’s rights to:
• Be removed from the list (object to processing, or withdraw consent)
• See what information you store on them (subject access)
• Have their history deleted (erasure)
• Change details (rectification)
How do you provide a privacy notice?
These can be provided on a website, on paper, by email or even verbally. Choose the method that is most appropriate in the circumstances: the one that is most visible and understandable for the person concerned.
Finally, SECURITY
You should also make sure any data is safely stored. If stored electronically, it should be on a computer that has up-to-date security software and operating system updates installed, with a password or PIN on every account that can reach it, and if possible with the disk encrypted (most systems have this as an option: BitLocker on Windows Pro editions, FileVault on a Mac). Keep a backup, and do not leave membership lists on shared or personal devices that other people can access.
How you store members’ data, and the security of it, are the real practical legal challenges. It does mean keeping a regular watch on your systems to ensure they are up to date, but that is just good practice and common sense anyway in today’s hostile online environment.
Liz Bunting
Legal and Operations Manager