GDPR and the, non-corporate, Small Organisation

Introduction to the Series

The GDPR, the General Data Protection Regulation, is enforceable from 25th May 2018, the law was passed into effect in 2016 and was then moved to a transitionary phase to allow businesses and organisations to adapt. I will be discussing some of the aspects of the GDPR as I navigate helping businesses and organisations I am involved with change to reflect the new legislation.

For much of what I discuss I am assuming that we are discussing how this affects registered organisations and not a mailing list (etc.). A general rule of thumb is the ‘registered’ part of the previous sentence. If the body is officially documented (company, organisation, club, society), or if they collect fees in any form then the GDPR applies almost in full to them.

The rules concerning non-official organisations are a little more difficult and are more dependent on context (what is stored, where it is, how it is used) and purpose. So the rules regarding a forum or mailing list that has no official body and is run by an individual are applied the same way, but not all parts of the GDPR will be relevant. In most cases the creators of forum and mailing list software will already be working to, if they haven’t already, make changes to comply with the GDPR. But it may be worthwhile verifying what they have done or updating to newer software that does comply. Online services are already changing to reflect the GDPR.

The Small Organisation and the GDPR

So you are a non-corporate body[1] who has to comply with the GDPR. You might be a club, society or a small charity. Your activities are likely constrained to local fund-raising or exhibitions. You may collect data for a mailing list, newsletter, or simply to inform members of what is happening.

How does the GDPR affect you?

Well in your case this seems relatively easy and there is very little that you need to do, there is a bit of up-front work and then it should be simply follow the steps of your plan for each member or change in system. You will likely be doing most of this anyway all this does is codify existing law better and add in specific clauses to stop the abuses being performed.

Step 1: Process

Make sure you have a process for collecting and storing data. Make sure you have someone whose job it is to follow that process. If you are a one-person or small organisation it does add a layer of work but you have to do this to be compliant. A flowchart of your processes will usually be enough and is then something you can pass on or show and others will be able to follow.

You must have a simple document, that you give to everyone, that explains:

1. What data you collect (names and addresses etc.);[2]
2. Where and how it is stored;
3. Who can view it and importantly what they can view;
4. Any information that is shared - this includes data that you must supply to legal bodies, though you may cover that with lawful processing (see Article 6 of the GDPR);
5. Give people a copy when they opt in, and make sure it is in simple language.[3]

Step 2: Consent

Have a consent form that asks people permission to store their details and what you do with those details. This is the 'opt in' or consent policy. You can make this consent policy part of your one page document but make sure that they have a copy and you have a signed copy.

Step 3: Their rights

Make sure they have the right to:

1. Be removed from the list;
2. See what information you store (on them);
3. Have history deleted (theirs);
4. Change details.

The on-going concerns you will have is that you must let them know who has access to the list (even if from an outside body) and why (can be on your single page form), and any changes you make. This must be declared and their consent asked for, this includes when you make changes, you must ask for their consent again (before and not after).

Security

You should also make sure any data is safely stored, if stored in an electronic format it should be on a computer that is patched, has the latest software/security software installed and if possible encrypted (most systems have this as an option).

How you store their data, and the security of it, are your only real challenging legal issue. It does mean keeping a regular watch on your systems to ensure they are up to date, but that is just good practice and common sense anyway in today's highly dangerous cyber environment.

Summary

Most of your duties are easily solved with a one page document explaining your processes and how to contact people with a consent box and their signature (have two copies for each person, one for your records, one for them). You should detail your processes so that anyone can repeat them with a master guide to make sure the proper procedure is followed.

Having a single named person as your DPO (Data Protection Officer) who can make sure this is all followed and kept up to date will help. There is, as previously stated, a little bit of work up front but once you have the process and document it is a well regulated and repeatable thing.

[Don't forget that you can join in this conversation by using the comments form or by tweeting at @shadowcat_mdk]

Notes

[1] some of this does apply to corporate bodies as well but I wanted to focus on the other organisations in this article.

[2] Please note that data you collect and store that is from a public forum, even media, must be listed. Just because they gave the information freely to the world does not confer on you the right to store it.

[3] The best way to think about it is that you are writing for a 13 year old. Try not to make yourself sound like a lawyer, sound like a documentary on the Discovery Channel. Introduce things one at a time and state what is done in simple terms.