The General Data Protection Regulation (GDPR)
On 25th May 2018 the new General Data Protection Regulation (GDPR) will come into operation. This is the first major review of data protection laws for 20 years and will seriously impact how many organisations communicate with their audiences.
The legislation has primarily been introduced to protect the privacy of individuals whilst harmonising legislation across the EU member states.
In reality it was intended to shine a light on some of the behaviour by commercial organisations and fundraising charities. However, the legislation will affect any organisation which processes “personal data”. Personal data is defined as any information relating to an identified or identifiable natural person.
Unlike most legislation, GDPR is “principles based”, meaning that interpreting the rules to fit the particular circumstances of our own organisation is vital.
There are six lawful bases that can be used to justify the use of personal data to communicate with our audience. Only one of the six is required, and the applicable basis can and will differ depending on the audience we are referring to.
The six are:
- Consent – this is the one which has been seen most widely in the press. The requirement has been strengthened to mean that the individual must have clearly, specifically and unambiguously demonstrated their wishes. This means that pre-ticked boxes, or an option to “opt out”, will no longer be allowed. In simple terms, the individual will be “opted out” unless they explicitly advise otherwise (by ticking a box, for example). In addition, there must be an understanding of what the data will be used for.
- Necessary for performance of a contract – this applies where a transaction has occurred and the communication is required in order to satisfy the contractual relationship that now exists.
- Necessary for compliance with a legal obligation – an example of this would be the retention of financial documentation for 6 years.
- There is a “legitimate interest” – this would refer to the interest in selling something or raising money for a cause. The key questions to ask ourselves are: would the individual reasonably expect to hear from us, and would there be any negative impact on the individual through our communicating with them?
- Vital interests – essentially refers to “life and death” situations.
- Public interest – this refers to public authorities or those working within the public interest.
There is also the additional criterion of “implied consent”. Implied consent arises when a contract is created. For example, if an individual pays to attend an event then it would be deemed appropriate to notify them about upcoming events.
Communicating with members
Communications sent to members to notify them of upcoming events or items of interest would fall within the criteria of both:
- Performance of a contract
- Legitimate interest
Performance of a contract and legitimate interest both override the need to gain specific consent around the utilisation of personal data for the purpose of communications.
Opting out of communications
The legislation gives the individual the right to opt out of communications (or certain types of communications). A process must be in place whereby individuals can be removed from any mailing list immediately if they request to do so.
Subject access requests
Individuals are able to ask what personal data is being held relating to them and for what purpose. In the event that this is requested then the request must be responded to within one month.
Data Security and Data Access
Any personal information must be kept securely and only accessed by those who have a legitimate reason to do so.
In terms of data security, if information is kept in hard copy / paper form it should be kept as securely as possible. Electronic data should be held either on a password protected computer or as a password protected document.
Access to data should, at the very least, be restricted to a Committee and, within that, further restricted to those responsible for specific communications. In some cases this would be the Programme Secretary (for the purpose of notification of events) and the Walks Coordinators (for the purpose of collating walks).
Demonstration of Compliance
The Information Commissioner’s Office will only investigate an organisation if a complaint has been received. In the event of an investigation, because of the wide scope for interpretation in the legislation, they will focus on reviewing the overall plan that is in place and the processes that have been implemented, rather than on strict compliance.
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorised to do so.
In the event that this occurs, the organisation has 72 hours to inform the Information Commissioner’s Office, unless the breach is unlikely to result in a risk to the rights and freedoms of the individual.
We have interpreted that the processing of personal data is legal on the basis of performance of the contract entered into when the individual joined the Ramblers.
Additionally the legal basis of “legitimate interest” is appropriate as we can be confident that a member would expect their information to be used for the purposes of disseminating information to them in accordance with their membership of the Ramblers, and there is no reason to think that the communication of this information would negatively affect the member in any way.
Therefore consent is not required, but as a matter of good housekeeping we would suggest that this is confirmed at the time of joining / renewing. It would also be good for transparency purposes to confirm how members would like to receive communications.
GDPR is a very complex area but is not designed to adversely affect the relationships which exist between the Ramblers and their Members. In terms of data security a common sense approach is requested. As long as we are able to satisfy ourselves that we acted in the most appropriate and proportionate way then the ICO would accept the procedures.