Are you ready for GDPR?
23 March 2018 IN: Parish News
The General Data Protection Regulation (GDPR) takes effect from 25 May, replacing the existing law on data protection (the Data Protection Act 1998). GDPR gives individuals more rights and protection in how their personal data is used by organisations. Parishes must comply with its requirements, just like any other charity or organisation.
The GDPR is concerned with the processing of personal data which relates to a living individual who can be identified from that data. Data for example can be a name, photograph, email address, bank details, post on social media, medical information, or a computer IP address. Identification can be by the data alone or in conjunction with any other information in the parish’s possession or likely to come into its possession.
WHERE TO GET HELP
There’s a lot to take on board, but help is at hand on the Parish Resources website where there are plenty of resources including checklists, templates, guidance and frequently asked questions. These are being regularly updated as more detail is understood about how the GDPR relates to parishes. www.parishresources.org.uk/gdpr
FIND OUT WHAT DATA YOU HAVE
The first step for most parishes will be to do a data audit to find out exactly what personal data is held – you may be surprised at just how much personal data is stored and processed around the parish.
Processing includes collecting, recording, storing, altering, retrieving, and sharing personal data. Processing must be fair, for a specific purpose, limited to only the relevant data and kept up to date, for only as long as it is needed and stored securely
One of the key things to establish in the data audit is the basis for processing the data. It is not true that you always need the consent of the data subject (the person whose data you are processing) in order to process their data. Some processing is legally required, or can be done in the legitimate interests of the parish. A good example of this is the publication of the Electoral Roll.
GET A PRIVACY NOTICE
But parishes must be able to demonstrate compliance with the principles relating to processing of personal data. A privacy notice can help with this and is something that all parishes should produce, based on the findings of the data audit. There is a sample Privacy Notice on the Parish Resources website. We recommend adapting this for your own purposes.