This post has been written by Daniel Duke (a resident, and website volunteer)
—–
Definition: the “General Data Protection Regulation”
As many of you may have noticed over the past few weeks, there have been more and more emails landing in your inbox talking about a thing called GDPR. They have asked you to confirm you still want access to the content, whilst appearing to threaten to remove you from the list if you don’t reply by the 25th May.
This is not a threat, though, but a legal requirement brought about by this important (and not pointless) law. Its main intention is to ensure that if a company holds our data and uses it for marketing, research or anything else, we have specifically said that we want our data used in that way. Complex privacy policies are no longer good enough, and neither are pre-selected checkboxes or an email address written on a scrap of paper being counted as consent.
The main points are: a user must give consent, they must have known they were doing so, and you should have a record showing exactly what they filled out (and when).
Now, it is worth noting that I am not an expert in GDPR, and if you are concerned, then it may be worth talking to a professional advisor on this matter. The purpose of this article is to help the small community groups in our village to understand what needs to be done.
There are a lot of sites that can help though, in particular the checklist on this page, which helps you to easily work out if you need to do something based on how you acquired the data:
If you think this is useful, please do share it with others in the village via email/facebook/twitter/etc., so that everyone with a mailing list for their events/groups/teams knows that they may need to do something.
Also, the Parish Council will be updating their Privacy Policy about GDPR by the end of the coming week to help inform you all on how they have to use any information given to them.
Exemptions:
As with any law, there are of course exemptions, which can be found here
But, in short, that page lists the security/health/legal areas that you are probably not working in.
For a small business, though, the exemption that may be of most interest to you is ‘contractual’ (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/). This does not get around the fact that you should only store the data necessary to perform the task (do you really need to know someone’s gender to quote for some electrical work?), but if you have been asked to give a quote, or are providing a service, then for this purpose (and this purpose only) you have been given suitable consent to use their data.
Of course, if you are considering whether an exemption applies to you, contact a professional to confirm if it does or not.
Example 1: The village newsletter
Issues with our signup form
- The 2 extra lists (village announcements and lost/found alerts) were pre-selected. You (the user) must specifically click on one of them to approve
- As we had these sub-lists, we should also have had one for the general bulletin too (so people can sign up for lost/found, but not the bulletin)
- We did not have suitable text explaining exactly how your information would be used
What we have therefore done
- An email has gone out asking for people to confirm they still want our newsletter
- The new form does not auto-select the checkboxes
- The bulletin has its own checkbox
- On the 25th May, we will delete ALL users that have not yet confirmed they want to receive the bulletin still
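As an added illustration (not part of the original post, and not the website’s own code), here is a small Python consent ledger modelled on the fixed signup form in Example 1: nothing is pre-ticked, each subscriber’s record stores which lists they actually ticked, which privacy text they saw and when, a mailing may only go to a confirmed subscriber for a list they ticked, and the purge on the deadline removes everyone who never replied to confirm. The list names, email addresses and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# The three lists on the newsletter form; nothing is pre-ticked, so a list
# is recorded only when the subscriber ticked it themselves.
LISTS = frozenset({"bulletin", "village_announcements", "lost_found_alerts"})

def utc(day: int) -> datetime:
    """Constructed timestamps in May 2018, the month of the deadline."""
    return datetime(2018, 5, day, tzinfo=timezone.utc)

@dataclass
class ConsentRecord:
    email: str
    lists: frozenset                 # lists the subscriber actively ticked
    notice_version: str              # which privacy text was shown at signup
    signed_up_at: datetime           # when the form was submitted
    confirmed_at: Optional[datetime] = None  # set when they reply to confirm

class ConsentLedger:
    """Keeps a record of exactly what each subscriber agreed to, and when."""
    def __init__(self) -> None:
        self.records: Dict[str, ConsentRecord] = {}

    def sign_up(self, email: str, ticked: Iterable[str], notice_version: str, now: datetime) -> ConsentRecord:
        chosen = frozenset(ticked) & LISTS
        if not chosen:
            raise ValueError("no list ticked, so there is nothing to consent to")
        self.records[email] = ConsentRecord(email, chosen, notice_version, now)
        return self.records[email]

    def confirm(self, email: str, now: datetime) -> bool:
        rec = self.records.get(email)
        if rec is None:
            return False
        rec.confirmed_at = now
        return True

    def may_send(self, email: str, list_name: str) -> bool:
        """True only for a confirmed subscriber who ticked this specific list."""
        rec = self.records.get(email)
        return rec is not None and rec.confirmed_at is not None and list_name in rec.lists

    def purge_unconfirmed(self) -> List[str]:
        """Run on the deadline: delete everyone who never replied to confirm."""
        gone = sorted(e for e, r in self.records.items() if r.confirmed_at is None)
        for e in gone:
            del self.records[e]
        return gone
```

A subscriber carried over from the old pre-ticked form is entered with `sign_up` and stays unconfirmed until they reply, so `may_send` refuses them until then and the deadline purge removes them otherwise.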
Example 2: A community group in the village hall
What may have been done in the past:
- Signup by writing an email on a blank/vague piece of paper
- Word of mouth
- A general request for information (but not to join)
- A historic signing up, but no obvious way to leave the group
What could now be done:
- A proper paper form, explaining what they are signing up for, and what their data will be used for (you must keep these forms)
- When emails are sent out, always explain in the footer how they can unsubscribe from the list
- Email all users now to reply to confirm they want to stay on this specific list (be very specific, and you must also keep these emails)
Example 3: Event planning
What may have been done in the past:
- You may have slowly created a manual email list of volunteers/donors to contact
- You may have collected emails of people that have attended before
- You may have collected details through raffle/competitions
What could now be done:
- You need those users to confirm they want to be on those lists, so a similar process to that in Example 2.
- An exception MIGHT be possible for businesses whose details are public anyway (equivalent of looking on their website and contacting them).
Example 4: An alert email list
What may have been done in the past:
- You may have slowly collected emails, and just added to a mailing list thinking people were interested
What could now be done:
- You have to ask if they want to still be on that list
Further Reading
- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
- https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms#Set-Up-Your-GDPR-Friendly-Signup-Form
- https://www.theguardian.com/technology/shortcuts/2018/may/16/what-are-all-these-gdpr-emails-filling-up-your-inbox