What is GDPR?
The General Data Protection Regulation (GDPR) is the new, Europe-wide law that supersedes the Data Protection Act 1998 in the UK. The GDPR describes the requirements for how organisations must handle personal data. It is effective from 25th May 2018. The Information Commissioner’s Office (ICO) is the UK authority on data protection and upholds information rights in the public interest.
Who does it apply to?
The GDPR applies to both information ‘controllers’ and ‘processors’.
A controller is described by the ICO as a ‘person’ who determines the purposes for which personal data is processed and the manner in which it is done. A data controller will be a ‘person’ recognised by law, i.e. individuals, organisations and corporate bodies. In the case of Sheds, the data controller will be the Shed organisation itself. Even if an individual Shedder is given responsibility for data protection within the Shed, they will be acting on behalf of the organisation – the Shed – which is the data controller.
Example: A Shed that has a membership will process personal data about its members, keeping a record of their details. This makes the Shed a data controller.
A processor is any ‘person’ (again, a person as recognised by law), other than an employee of a data controller, who processes the data on behalf of the data controller.
Example: If a Shed engaged a company to handle its membership database and receive payments from its members, that company would be a data processor, because it would be processing the information on behalf of the Shed. If the Shed does not engage other companies to process personal data about individuals related to the Shed, then no processor is involved. The Shed’s employees or volunteers do the processing, but they are not recognised separately as processors under the regulation because they are part of the controller.
What type of information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person. In relation to Sheds, this will be individuals such as volunteers (for example members of your management committee or trustee board), service users (Shedders) or individuals who have donated money, time or other resources to your Shed. It includes sensitive personal data as well as general personal data.
The regulation applies to both automated personal data and manual filing systems.
Under the regulation, there are key principles to adhere to when controlling and managing personal data. These include:
- Processing data lawfully, fairly and in a transparent manner.
- Collecting data only for specified, explicit and legitimate purposes and not further processing in a manner that is incompatible with those purposes.
- Keeping data adequate, relevant and limited to what is necessary.
- Keeping data accurate and up to date, rectifying or erasing any errors or inaccuracies without delay.
- Keeping data in a form that permits identification of individuals for no longer than is necessary for the purpose.
- Processing data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against loss, destruction or damage.
The GDPR states that “controllers shall be responsible for, and be able to demonstrate, compliance with the principles.”
For the full list and details of the principles, see the excerpt from the regulation (Article 5) on the ICO website here.
What is considered personal data?
The GDPR identifies personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.
What do I need to do to comply?
Under the GDPR, you need to ensure you have a lawful basis for collecting and processing personal data, and this needs to be recorded somewhere, for example in a working appendix to your Data Protection Policy, so that you can demonstrate your compliance at any time. The GDPR sets out what is considered a lawful basis in six statements. No one lawful basis is considered more important than the others, and most require that the collection and processing of data is legitimately necessary. If you can achieve the same result without handling the personal data, then it is likely you do not have a lawful basis.
You must determine your lawful basis before you begin processing personal data, as well as the exact purposes for processing it. You should have a privacy notice on any application or documentation used to collect personal data that includes your lawful basis for processing as well as the reason. This must be done up front, before collecting the data.
The six lawful bases for processing personal data are listed below, and at least one of them must legitimately apply to any data you collect or process from any natural person.
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life. The ICO states that this lawful basis is likely to be relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is incapable of giving consent to the processing.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
If you cannot meet any of the lawful bases, you must not collect the personal data.
If you decide that more than one lawful basis applies to the reason for collecting personal data, you should record each of them. You should also ensure you select the appropriate lawful basis for each instance in which you collect data. For example, the lawful basis for collecting employee data in order to pay them would likely be different from the lawful basis for collecting member information in order to send them a welcome pack.
It is up to the data controller to decide the lawful basis and be comfortable in justifying it.
In determining the best-fit legal basis for each data processing activity, you could ask yourself the following questions:
- What are we going to do with the data we are intending to collect?
- Can the activity we are intending to collect data for be reasonably achieved in another way, without collecting the data?
Consider the basis carefully. It is the controller’s responsibility to ensure a best fit, and to document it, along with details of the activity and purpose, before carrying out a particular processing activity.
For any processing purpose that is not covered by legal obligation, contract, vital interests or public task, the appropriate lawful basis may be more difficult to determine. You may consider legitimate interests as your lawful basis if your committee or trustees want to keep control over the process and take responsibility for demonstrating that your reasons for processing the particular data are in line with what individuals would expect, and that it would not have an unjustified impact on them. If, however, you would like to give individuals full control and responsibility for their data, including the ability to opt out or change their mind, you may consider relying on consent.
The ICO recommends asking yourself the following questions when in this situation:
- Who does the processing benefit?
- Would individuals expect this processing to take place?
- What is your relationship with the individual?
- What is the impact of the processing on the individual?
- Are they vulnerable?
- Are some of the individuals concerned likely to object?
- Are you able to stop the processing at any time on request?
If a purpose or lawful basis changes, or you want to use individuals’ personal data for another reason in addition to the original reason, you must document each reason and each lawful basis, unless the new lawful basis is compatible with the original basis. However, depending on the lawful basis, you may need to ask an individual’s permission for each use if it is not directly compatible with the original use.
Example: If you collect an individual’s personal data to sign them up as a member of your Shed – telling them this purpose at the time and having them consent to it through a sign-up process – but you later want to post them information unrelated to their membership, you would need to obtain a new consent and document the intention to use data in this way, as well as the lawful basis for doing so.
How do we document lawful basis?
The regulation’s principle of accountability requires you to be able to demonstrate that you are complying with the GDPR, and have appropriate policies and processes in place. This means keeping records showing that you have thoroughly considered the purpose and legal basis for each data processing activity and can justify your decision. There is no set way that you are required to do this, as long as you record sufficient information to demonstrate you are compliant with the requirements for purpose and legal basis.
It is a good idea to have a Data Protection policy to help with this, and a record of data processing purposes, methods and legal bases to go with it. This will also help you to write your privacy notices, for example, letting new members know how and why you will process and secure their data when they sign up. See our templates and guides here.
You can read more in-depth guidance on lawful bases on the ICO website here.
What about ‘special’ personal data?
The GDPR states that “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
That is unless you can meet one of ten conditions for processing – in addition to having a lawful basis.
See page 38 of the GDPR for Article 9 – ‘Processing of special categories of personal data’ – here.
It is likely for Sheds that the main one to consider is consent.
What is a privacy notice?
A privacy notice is a short statement informing an individual of your intended purpose for processing their personal data and the lawful basis for processing it. You must ensure a privacy notice is available at the time you collect the personal data, whether this is directly or from another source. Full details of the information you must give can be found here.
The information you give about the processing of personal data must be clear, concise, transparent and easily accessible. It should be in plain language and free of charge.
See some Privacy Notice examples relevant to Sheds in our resource library here.
Right to be informed
Individuals have the right to be informed about the fair and lawful processing of their data. This is usually satisfied through a privacy notice. This requirement emphasises the need for transparency over how you will use the personal data.
Rights of access
Under the GDPR, individuals have the right to access the personal data you hold about them and to receive confirmation that their personal data is being processed. They also have the right to obtain, or be reminded of, the information provided in the privacy notice relating to the personal data they have provided. This is so they can be confident that you are processing their data lawfully.
Rights for information to be rectified
The GDPR also gives individuals the right to have their personal data rectified, should it be incomplete, inaccurate or need updating. You must respond to these requests within one month.
Rights for erasure
Individuals have the right to have their personal data erased in specific circumstances, including when the data you hold about them is no longer needed, or was unlawfully processed. They also have the right for their personal data to be erased if they have withdrawn consent or have objected to the holding of their personal data, providing there is no overriding legitimate interest for continuing the processing.
These individual rights are likely to be the most relevant to Sheds, but the GDPR also describes further individual rights, which are explained in detail here.
Good governance for Data Protection
Transparency, accountability and governance are at the core of the GDPR. You should put in place comprehensive but appropriate governance measures to ensure the lawfulness and security of data processing. The measures you put in place should minimise the risk of breaches and maximise the protection of personal data.
You could do this by:
- Implementing an appropriate Data Protection Policy (see our template here).
- Carrying out regular audits to ensure all personal data processing is lawful and appropriate (see our template here).
- Maintaining relevant documentation on processing activities (same template).
- Being transparent about all data handling processes.
- Ensuring all relevant people know their responsibilities for data protection in your Shed.
Do we need to appoint a Data Protection Officer (DPO)?
If you’ve done some research into the GDPR, you’ll have noticed that it includes the requirement to appoint a DPO. As it stands, this is unlikely to apply to Sheds, particularly those without employees. Organisations obligated to appoint a DPO are public authorities and organisations involved in large-scale monitoring of individuals. However, it’s good practice to have at least one person in your Shed with the responsibility of ensuring you meet the requirements of the GDPR. You can call them a DPO if you’d like.
Security of personal data
The ICO has yet to produce guidelines for the storage and security of personal data in line with the GDPR, but these will likely be similar to the previous guidelines for the Data Protection Act 1998, particularly at the level at which Sheds will be processing personal data.
The Act does not define exact security measures you should have in place, but instead states that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Here are some ideas for securely storing personal data:
- First assess the sensitivity of personal data held in relation to your Shed. The more sensitive the data about an individual – or the more harm that would result from a security breach – the more you’ll need to do to secure it.
- Build a culture of awareness and security within the Shed, ensuring good communication with key people.
- Only ever provide access to people that need it for lawful processing.
- Physical security could include good quality doors and locks, alarms, security lighting and CCTV.
- Computer security could include passwords, encryption or two-factor authentication.
- Check your storage and security practices regularly to ensure they are in line with regulation and appropriate for the personal data you hold.
The GDPR requires you to record, rectify and, where necessary, report data breaches: a breach of security that leads to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. If a data breach is serious enough to pose a risk to the individuals the data concerns – ‘the data subjects’ – then you will need to tell them there has been a breach as soon as possible. You may also need to inform the ICO if the breach is particularly serious, usually within 72 hours.
Prevention through security is key for robust data protection.
Many organisations that process personal data have to register with the ICO and pay a fee. Some non-profit organisations are exempt, including many Sheds, but you should check yours to be sure using the ICO’s handy self-assessment application here.
What happens if we fail to comply with GDPR?
Failure to comply with data protection law puts you at risk of enforcement action, including prosecution depending on the extent of the non-compliance, and risks compensation claims from individuals. Check your readiness for the GDPR here.
The Information Commissioner’s Office (ICO) has set up a dedicated helpline for small organisations that may have questions about the GDPR and its implementation. You can contact them on 0303 123 1113 (option four).