Page 7 - ALG Issue 4 2017
Within the next eight months, Europe’s data protection rules will undergo their biggest changes in two decades. Since they were created in the 90s, the amount of digital information we create and store has vastly increased. In the last 12 months, there have been a great number of massive data breaches including millions of Yahoo, LinkedIn and MySpace account details. This demonstrates we have reached a position where the old regime of data protection is no longer fit for purpose.
The European General Data Protection Regulation (GDPR), which will come into force on the 25th May 2018, has been designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as businesses and bodies that handle personal information. This legislation will be enforced in the UK by the Information Commissioner’s Office.
With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever, given the growing digital economy, and the ICO have stated they will work with government to stay at the centre of these conversations about the long-term future of UK data protection law.
In the GDPR there are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation. These include allowing people to have easier access to the data companies hold about them, a new fines regime and a clear responsibility for organisations to obtain the consent of people they collect information about.
Does Brexit matter?
The UK has implemented a new Data Protection Bill which largely includes all the provisions of the GDPR. There are some small changes but our own law will be largely the same. The GDPR was published on 14th September 2017. The bill has now to pass through the House of Commons and the House of Lords before it becomes law.
For most organisations, who keep HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data. Personal data broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address... Both personal data and sensitive personal data are covered by GDPR. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation and more.
How will this affect societies and associations?
Under the Data Protection Act you do not have to register if an organisation was established for nonprofit purposes and does not make a profit, or if your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others. You must:
• Only process information necessary to establish or maintain membership or support
• Only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
• Only share the information with people and organisations necessary to carry out the organisation’s activities. Important - if individuals give you permission to share their information, this is OK (you can still answer ‘yes’)
• Only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration
However, as an association keeping membership details you do have to comply with the principles of the GDPR; these are similar to those of the Data Protection Act, with further detail and a new accountability requirement. Article 5 of the GDPR requires that personal data shall be:
• (a) Processed lawfully, fairly and in a transparent manner in relation to individuals
• (b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
• (c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• (d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
• (e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
• (f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
What is the accountability principle?
Article 5(2) requires that:
“The controller shall be responsible for, and be able to demonstrate, compliance with the principles” and states explicitly that this is your responsibility.
Further information will become available and another article will provide an update on the situation in the next magazine. The Information Commissioner’s Office have further consultation pending on contracts and liabilities which is due to end in the middle of October 2017.
Liz Bunting
Legal and Operations Manager
Legal
Data Protection laws set to change
Letter
Problem weeds...
Dear Editor
I was given a copy of Issue 2 2017 of The Allotment at one of our allotment workdays. I read the long letter from Gary Hartley on page 10 in which he says that he puts perennial weeds on his compost heap.
I’m writing to point out that it is only the soft green parts of perennial weeds, with no seed heads, that should be added to a compost heap. The roots can be rotted down separately, for example in water.
I was also worried by the thought of a tiller being used to rotovate weeds into the soil. Every piece of the chopped-up roots of perennial weeds will grow, to produce even more weeds!
Best wishes Sue Whitehead