General Data Protection
Regulation (GDPR). A simple guide for the not too
For those involved with running groups here
is the information you need to be compliant -
The new EU-wide regulation is effective from
25th May 2018 and covers all forms of 'processing' of your personal
data, to protect you from misuse. Processing covers a very wide range of
uses of your personal details, from clubs sending you newsletters to your
bank handling all your financial affairs.
Put simply, there will be more protection of
data, more accountability, more control and more punishment for
negligent handling or misuse of your data. So, all good then? Not exactly. It
will not stop scam telephone calls and emails. It will not stop
rogue direct marketing calls from abroad or even from within the UK.
There are 6 lawful bases on which
organisations may hold your data -
Consent - something you signed up for, like The Guardian
Contract - something you bought or pay for, e.g. electricity bills
Legal Obligation - such as Inland
Vital Interest - sharing and using your details to save your life, e.g. police, doctors,
Public Task - such as your rates
Legitimate Interests - clubs, teams, Friends groups, small charities
There is a lot of misunderstanding,
misinformation and worry, but it is actually very simple and in fact
you are probably doing most of it already.
All organisations (meaning any formal group or
business that stores and processes personal data of members /
customers) must have a clear Privacy Statement declaring how, why
and by whom your data is accessed and, importantly, which of the above
bases they are using. For almost all small clubs and Friends
groups the basis will be Legitimate Interests, allowing
normal group communication without any onerous compliance, so don't
blindly go down the Consent route, as it is not what you think: consent
can be withdrawn at any time and has to be re-collected if your use changes.
All the following rights must be complied with (which should
already be normal practice in an efficient organisation) whichever
lawful basis is relevant.
the right to be informed;
the right of access;
the right to rectification;
the right to erasure;
the right to restrict processing;
the right to data portability;
the right to object; and
the right not to be subject to automated
decision-making including profiling.
This is how the Information Commissioner's
Office (ICO) explains Legitimate Interests -
When might legitimate interests be appropriate?
Legitimate interests is the most flexible of the six lawful bases.
It is not focused on a particular purpose and therefore gives you
more scope to potentially rely on it in many different
It may be the most appropriate basis when:
- processing is not required by law but is of a clear benefit to
you or others;
- there's a limited privacy impact on the individual;
- the individual should reasonably expect you to use their data in that way; and
- you cannot, or do not want to, give the individual full upfront
control (ie consent) or bother them with disruptive consent
requests when they are unlikely to object to the processing.
There may also be occasions when you have a compelling justification
for the processing which may mean that a more intrusive impact on
the individual can be warranted. However in such cases you need to
ensure that you can demonstrate that any impact is justified.
The legitimate interests basis is likely to be most useful where
there is either a minimal impact on the individual, or else a
compelling justification for the processing.
So what do Friends Groups have to do (not a lot!) -
1. Write a simple Privacy Statement
as per the sample below
(keep it updated and make it available on your website,
membership form, etc.)
Sample Privacy Statement
Name of Group and contact address and Telephone number -
Data Protection Officer -
Our Lawful Basis for processing your data
The lawful basis for our holding members' personal details is 'Legitimate
Interests', meaning that we can process your personal information if
we have a genuine and legitimate reason and we
are not harming any of your rights and interests.
When we process personal data
When you become a member we will add your data to our mailing
What data we process
We only store name, address, telephone numbers and email
The purpose of processing this data
The purpose is for keeping in touch with you occasionally
with news of the group or other relevant information.
Categories of recipients that we may
disclose this data to
We will not disclose your data to any other person without
careful consideration of your interests.
How long we hold this data
We will only hold your details until either you ask us to
remove them or we decide to delete them.
Consequences of asking us to stop
storing/processing this data
We will not be able to send you information about the group.
You can amend / delete your data
at any time by contacting the Data Protection Officer above.
Date of statement -
2. Ensure you protect members' details
and only hold details that are relevant to the group, and
only use the details for your Group's agreed vision and aims. In
practice that means keeping the membership list in one place (not
copied around by email), protecting it with a password, not sharing
it with anyone outside the committee who needs it, and deleting
details once someone leaves.
3. Members' details you hold already
should just be checked to make sure you are not holding irrelevant
details. You DO NOT have to contact them all to ask for consent if you
are using Legitimate Interests as your lawful basis, which you should
be. The right to be informed still applies, though, so tell existing
members where they can find your Privacy Statement (website,
newsletter or membership renewal form).
That's all you need to do.