
The following quick references can be used to help your Shed assess its compliance with the General Data Protection Regulation (the GDPR) and make the relevant improvements to your data protection processes and procedures. It should be used as a quick reference and refresher only and not a substitute for full familiarisation with the requirements of data protection regulation. See here to read our full guide on the GDPR and its requirements for personal data processing.

Be aware

You should make sure that all key people in your Shed, particularly the management committee / trustees are aware of the new regulation. It is the law from 25th May 2018. Prior to that, the Data Protection Act 1998 applies and its principles are very similar. The GDPR, however, has a number of key enhancements and additions that you must be aware of. You risk enforcement and potentially prosecution if you ignore it or don’t comply. The Information Commissioner’s Office (ICO) is the UK authority on data protection.

Documenting personal data collection

You need to document what personal data you hold about people, how you obtained it and why. You also need to demonstrate that your reasons and processing of the data are lawful.

Lawful Basis

You must identify at least one of six lawful bases for every data collection and processing activity you carry out, e.g. membership information or emergency contact information. The six lawful bases are consent, contract, legal obligation, vital interests, public task and legitimate interest. You must document the lawful basis for each data processing activity, along with the type of data and the purpose for collecting it, and review it regularly to make sure it remains lawful. This information must be on hand for transparency and as proof of compliance with the GDPR. We provide a template here. If the data is ‘special personal data’, you will also need to meet one of ten conditions for processing. See page 38 of the GDPR for these conditions here.

Privacy Notices

You have to let people know why, how and on what lawful basis you intend to collect and process their data, before you do it. You may need to amend existing privacy notices to comply with the GDPR.

Individuals’ Rights

Your data processing and protection procedures need to cover the various rights individuals have under the GDPR. For example, individuals have the right to access the personal data you hold about them, to have it kept up to date, and to have it erased if it is no longer lawfully required. You’ll need to weigh these rights against other obligations, such as the requirement to retain financial records for six years.

Getting consent

For many data processing purposes, the best-fit lawful basis is consent. You’ll need to review how you ask for consent to ensure the method of collection is transparent and lawful, and that individuals give it in a clear, deliberate and informed way. You’ll need to keep a record of each consent for as long as you use the data.

Data breaches

The GDPR includes guidelines on recording, rectifying and, where necessary, reporting data breaches, meaning any breach of security that leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. If a data breach is serious enough to pose a risk to the individuals the data concerns (‘the data subjects’), you’ll need to tell them there has been a breach as soon as possible. If the breach is particularly serious, you may also need to inform the Information Commissioner’s Office (ICO – the authority responsible for information rights), usually within 72 hours.

Preventing breaches through good security practice should be high on your list of data protection measures.

Data Privacy Impact Assessments (DPIA)

When deciding to use a new process or technology for data collection and processing, you may need to carry out a DPIA to ensure it is appropriate, safe and lawful. You should familiarise yourself with the ICO’s code of practice on DPIAs.

Data Protection Officers

As small, usually voluntary organisations, Sheds are not currently required to appoint a Data Protection Officer (DPO), but it wouldn’t hurt to nominate someone responsible for ensuring you remain compliant.

Registration with the ICO

The GDPR requires organisations that process personal data to register with the ICO and pay a fee. Some non-profit organisations are exempt, including many Sheds, but you should check your own position using the ICO’s handy self-assessment application here.
