GDPR Guidelines

What is the General Data Protection Regulation (GDPR)?

The European Union (EU) General Data Protection Regulation (GDPR) raises the standards for processing personal data, to strengthen and unify protection for individuals across the EU. The new legislation comes into force in the UK on 25 May 2018 and will exist post-Brexit.

Krayova Uprava (National Committee) and Oseredky (Branches) collect and process a large amount of personal data on young people, adult members and volunteers. This could be anything from names, addresses and telephone numbers right through to more sensitive data such as medical conditions and disabilities. As a result, it is important that we are all aware of the new legislation and comply with it.

This page is an introduction to the GDPR and offers insight into how the changes may affect your local Branch activity and administration. Scroll down to find some practical examples that may need to be considered within your Branch.

Key GDPR Terms

There are many key terms that are in the GDPR and used throughout this document. These are listed and explained below:

• Personally Identifiable Information (PII) or personal data – Any information that can be used to identify an individual. This information could be names, addresses, telephone numbers or more sensitive information such as medical conditions and disabilities.

• Data subject – The individual whose personal data is held. For us, this means a member of CYM.

• Data controller – The owner and user of the gathered personal data, i.e. any body that gathers and retains PII, such as the Krayova Uprava, an Oseredok Uprava or the Taborova Komisia.

• Data processor – This is the Uprava/Komisia or individual who processes the information on behalf of the controller.

• Lawful processing – The legitimate reason for holding and processing PII data, such as it being necessary to protect the vital interests of young people.

• Subject Access Request (SAR) – This is a request from an individual to the Krayova Uprava or an oseredok uprava to find out what information we hold on them. They also have the right to request that we change or permanently remove any details that we hold on them.

• Breach – The loss of, or unauthorised access to, personal data. This could result from a hacker or from physically losing files/folders.

• Data Protection Officer (DPO) – Representative for data protection duties.

Key Branch Activities and Administration

Promotion
Example
Promoting CYM to encourage new members could include: events, email campaigns, stalls at events.

What does this mean for GDPR?
It needs to be clear who you are promoting to and the lawful processing you are using as grounds to contact them. This needs to be evidenced as either:

• consent – they opted-in
• non-digital – physical event/handing out leaflets
• legitimate interest – your use of the data is necessary and is not overridden by their interests or fundamental rights. On balance, it’s more positive for them than negative.

Want to join CYM
Example
Potential new members and/or their parents or guardians communicate with you via:

• email or other electronic means
• face-to-face
• Young Person/Adult Information Form

What does this mean for GDPR?
When communicating with a potential member, parent or guardian, they are consenting to the communications. Care still needs to be taken to keep these communications private, especially when PII is shared, such as in Application Forms, where some parts will be classed as sensitive data.

Application/Registration Forms
Example
The Form is used to capture information about a young person or adult in order to begin the joining/registration process. This could be via:

• email
• web form
• paper form

What does this mean for GDPR?
The Form may be the first data capture exercise for a new member. The form must state:

• The purpose – What you are going to do with the form and the data.
• Timeframe – How long you will hold onto the data (delete or securely destroy when no longer required).

The data collected must be:

• Limited – It only includes what you need
• Kept secure – Special care taken in storing

Please note: Tabir 2018 forms now include a separate consent sheet which explains how the data will be used, how long it will be stored and by when it will be destroyed.

Active
Example
The young person, parent/guardian or adult volunteer is now active within CYM.

What does this mean for GDPR?
The young person's and parent's/guardian's data will be stored in a filing system such as Excel sheets on local laptops, online record-keeping systems and/or paper-based records.

During this period you need to consider:

• Third-party processors that are holding data on your behalf, such as online record-keeping systems or cloud storage systems.
• Accuracy of data. Is it kept up to date?
• Data flows, i.e. where, how and to whom the data is passed.

Events

Example
CYM events are held frequently involving young people and adults.

These can be:
• activities and events in an oseredok
• tabir or nights away (trips)

These events can require further data gathering, such as activity or nights away information and health forms completed by parents/guardians.

What does this mean for GDPR?
When further data gathering is being completed you need to consider:

• purpose – what are you going to do with it
• limit – it only includes what you need
• retention – delete when no longer required
• secure – special care taken in storing

This activity should consider what data you already have on file and only capture what is necessary.

Collection of sensitive data
Example
Young person and adult information is presented to CYM periodically to allow for statistical analysis. This may include:

• disability
• medical condition

What does this mean for GDPR?
Transfer of personal data of any kind needs to be handled with care, especially with details considered sensitive, such as disability or medical condition. In all cases the purpose of the transfer should be well understood and documented with techniques such as anonymising the data being used.

Register
Example
At every meeting or event, the person in charge is obliged for safety reasons to take a register of those attending the session.

What does this mean for GDPR?
Registration of those attending each meeting is good practice from a safety perspective. What this highlights is the importance of the following:

• accurate data on members
• maintaining a log of attendees while retaining a high level of data protection, for example by using digital records rather than paper ones and by recording only the minimum data needed for attendance.

Communications

Example
A requirement of the Ukrainian Youth Association in Great Britain is to keep young people, parents/guardians and other adult volunteers updated.

These are updates about weekly meetings, upcoming events and general information, both nationally and locally.

What does this mean for GDPR?
Communication to the young people, parents/guardians or adult volunteers is essential for the effective operation of the Ukrainian Youth Association in Great Britain. The GDPR recognises these types of communications and categorises them as necessary to fulfil your role. However, this communication should only be for the purposes of the Ukrainian Youth Association in Great Britain and not for further advertising, unless the person receiving the communication has specifically opted-in.

Moving on

Example
When sumivsti move through the ranks, they may take on a new role, function or responsibility.
The young person and/or adult can also leave the Ukrainian Youth Association in Great Britain at any point.

Example – Changing Branches
There may be times when a member may move to another part of Great Britain and wish to transfer their membership from one branch to another. The member can also leave the Ukrainian Youth Association in Great Britain at any point.

What does this mean for GDPR?
When data is being transferred from one person (a Branch Head or National Executive Member) to another, care needs to be taken in the transfer and receipt. In addition, the data being transferred needs to be accurate and minimised. If at any time a member wishes to leave our Organisation, their data should be deleted fully if not required for further purposes. All personal data should have a defined and appropriate retention period.

Data Breach

Example
It may occur that personal data is disclosed externally by accident or removed from CYM via malicious means. Members and parents/guardians may exercise the rights they have over their data.

What does this mean for GDPR?
In the event of a breach, via malicious means or through accidental disclosure, the data controller is obligated to do the following:

• report the breach to the DPO
• complete an ICO data protection breach notification form

In the event that a member or parent/guardian asks for their data to be deleted, updated or disclosed, the data controller has 30 days to complete the request if it is not deemed excessive.

Our GDPR toolkit

Duty of care for the security of data lies with everybody that gathers, handles or receives personal data. The Branches and National Committee have overall responsibility for making sure that they comply with legal requirements, including data protection legislation.

Krayova Uprava are working towards building a GDPR toolkit, which will include the following:

• a FAQ page
• a step-by-step guide on how to fill out the documentation
• a GDPR framework register documenting the data types and lawful processes for collection, storage and use of data
• guides on how to handle data subject access requests and data breaches
• a guide on how to maintain alignment with GDPR

This information is provided as guidance only and is not exhaustive. It does not supersede, amend or negate the provisions of the GDPR or any other applicable data protection legislation. For more detailed or specific guidance please go to: https://ico.org.uk/for-organisations/

Krayova Uprava 23rd May 2018