Introduction to the GDPR and how it affects Member Organisations

Unless you’ve been living under a rock for the past year, it’s highly likely that you will have heard of the GDPR.  It can seem like an overwhelming task to have the responsibility of making sure your organisation is GDPR-compliant.

In this article we aim to give you a brief summary of what the GDPR is, and how to make sure your organisation is complying with it.

So...what is the GDPR, and what is its purpose?

The General Data Protection Regulation is an EU law that came into force on 25th May 2018. 

It was designed to standardise data protection laws across Europe, and to allow individuals (e.g. you and me) to have more say over how our personal data is processed and used.

What is the definition of ‘Personal Data’?

Personal data is “any information relating to an identified or identifiable data subject.” Examples of personal data include name, telephone number, email address, home address, membership number.

Ok great … but what do I need to know?

Well if you are a member organisation, it is extremely likely that you collect and store personal data, and are therefore subject to the GDPR.

Here are some things that you need to be able to answer:

  • What data you collect
  • Why you collect this data (there needs to be a valid reason)
  • How long this data is stored for
  • Where this data is stored
  • Who has access to this data (this includes members of staff, volunteers, and any third parties)

You also need to have a record of each individual’s consent for their personal data to be stored.  The consent must be opt-in, rather than opt-out.

A simple way to answer these questions is to keep a spreadsheet listing all the different data types that you collect, together with the other information required by GDPR.

For example:

In this way, you can easily provide answers to the questions that one must be able to answer under GDPR.

Other points to be aware of are:

  • You must not collect any personal data unless there is a valid reason
  • Certain categories of personal data are considered ‘sensitive’ and must only be processed if specific conditions apply.
  • Data subjects (i.e. your members) have the right to request what data you hold on them, and have the right to amend or request deletion of their personal data.