The General Data Protection Regulation (GDPR)
On 25th May 2018 the new General Data Protection Regulation (GDPR) will come into operation. This is the first major review of data protection laws for 20 years and will seriously impact how many organisations communicate with their audiences.
The legislation has primarily been introduced to protect the privacy of individuals whilst harmonising legislation across the EU member states.
In reality it was intended to shine a light on some of the behaviour by commercial organisations and fundraising charities. However, the legislation will affect any organisation which processes “personal data”. Personal data is defined as any information relating to an identified or identifiable natural person.
We are making good progress putting in place the necessary procedures and policies. Your response to the volunteers’ guidance has been very useful and our Data Protection Officer is working through all the feedback. It’s great that so many of you are positively engaging with the process and it is helping us to evolve our guidelines & procedures to meet our operational needs and the new legal requirements.
The Ramblers nationwide re-consenting exercise commenced in the middle of May as planned. Please ensure you respond to the re-consent email as soon as possible, if you have not already done so. It is very important that you respond and that you encourage others to do so too, as we are using consent as the legal basis for sending newsletters, walk programmes and other marketing communications by email to members. More information on how consent will be used can be found as part of the GDPR toolkit, within the frequently asked questions document (FAQs) at http://www.ramblers.org.uk/volunteer-zone/support-and-development/volunteer-toolkits-alphabetically-sorted/gdpr-toolkit.aspx
Retaining historical archives
A number of you have flagged the important issue of retaining historical archival documents and images. We agree this is a grey area and are awaiting further interpretation from external sources, such as case law as it develops, to fully understand what constitutes personal data that may be held in the public interest. This may take months if not years. In the meantime, there is no need to destroy your archives if you stick to the GDPR principles, particularly with regard to minimising any significant risk to individuals and securely storing the data.
Newsletters and walk programmes
Another grey area that has emerged is around newsletters & walk programmes. Initially we issued guidelines which classed local Ramblers newsletters & walk programmes as “direct marketing” communications – which meant that they legally required explicit consent from a member before groups sent them out, whether by email or post. Over the last few weeks we have further examined the ICO guidelines and we believe that we can class local Ramblers newsletters & walk programmes which are sent by post to members as “legitimate interest” – ie not as “direct marketing”.
This means that newsletters & walk programmes can be sent by post to any local member, without specifically asking for their consent, just like Walk magazine. However please remember that email as a communication channel legally requires specific consent – even for administrative communications – so this means sending local newsletters & walk programmes by email will still require an explicit opt-in to be captured.
This stricter requirement for emails arises from the combination of the new GDPR rules on consent with the existing requirements of the Privacy of Electronic Communications Regulations (PECR). The specific ICO wording is “You must not send marketing emails or texts to individuals without specific consent.” The ICO goes on to define direct marketing as the promotion of aims and ideals as well as the sale of products and services. This means that the rules will cover not only commercial organisations but also not-for-profit organisations (eg charities and political parties).
We are defining emailed newsletters and walk programmes as marketing because we know from your feedback that there is no agreed standard format or definition for the content of these communications.
Some areas and groups email their newsletters/programmes to non-members and include advertising; this is clearly selling/promoting products and is therefore electronic direct marketing.
Having different rules for different groups is risky, over-complicated to administer and confusing for our members, thus increasing the likelihood of a data breach or complaints.
The ICO now has powers to levy fines of up to €10 million or 2% of a company’s global annual turnover for serious non-compliance.
Media consent for photos
As part of our GDPR preparations, we have also updated our media consent form to ensure it is compliant with the new regulations. You will hopefully already have seen the updated form in the GDPR toolkit. For the sake of consistency and to help ensure we have compliance across the organisation, we strongly recommend that you delete all old media consent templates and use the updated template. We have also heard some concerns that GDPR means you cannot collect or use photographs showing identifiable people or that you need to blur or pixelate images of people on your website or social media feeds. Please be reassured that this is not the case as long as you have clear verbal consent or have a completed media consent form for the use of images. Consent forms should be kept securely, ideally in a locked drawer or filing cabinet and/or scanned and kept digitally for as long as you retain images or stories featuring that person.
Maintaining local lists and sharing personal data
Some of you have mentioned that some members may not wish to share their contact details with Central Office but are happy for their details to be held locally by groups. We understand the issue but it is not a position that can be maintained. Ramblers is a national and a local organisation and members join groups, areas and the organisation. It is very important that we hold correct up-to-date contact information for all our members on our central system. There are a variety of legal requirements for the Ramblers to maintain up-to-date information (including Financial, Insurance and Safeguarding regulations as well as for general GDPR compliance) which require members to share their contact details with Central Office as well as local groups and areas.
We have also provided specific guidance on keeping miscellaneous lists in the toolkit. Please be reassured that it is perfectly fine for designated volunteers to maintain lists, e.g. lists that just contain names and contact details to manage local activities and events. Just ensure you are clear about how an individual’s personal data is being used and stick to the GDPR principles around data minimisation, security and retention.
Our commitment to you
You have our ongoing commitment that we will continue to listen to your feedback and evolve our procedures & guidance to best meet the needs of the whole organisation and stay within the law. If you have any further questions, please continue to refer to the GDPR toolkit, speak with your membership secretary or get in touch with Felix, our Data Protection Officer via firstname.lastname@example.org