The General Data Protection Act
The previous Data Protection Act was revamped and replaced by the General Data Protection Act in 2018. It gives greater power to the individual to control how their data is used and stored and places a greater responsibility on organisations to be transparent with their data.
It is the reason that all websites must tell you what cookies they are placing on your computer, how those cookies will be used and where the data will go. It is also the reason you can get rid of any cookie you do not want and change data that has been recorded about you.
Data protection terminology
The Information Commissioner’s Office (ICO) has a website with a ton of information, riddled with jargon and technical terms. It is an information overload that isn’t well organised and can be extremely confusing. That is why we’ve set out a list to help you wade through the jargon. The following are definitions of the most common terms associated with data protection.
These are the key terms you have to know.
- Data subject: the person whose data is being processed. This could be a child, an employee, a teacher, a volunteer, or Fred on YouTube who is letting Google collect data about the cat videos he likes to watch.
- Personal data: any information about an individual that could be used to identify them in any way, such as names, addresses, phone numbers, parental contact details, employment records or photographs. It is irrelevant whether the information is stored electronically or on paper.
- Data controller: the person in control of the data, as in the head honcho who decides how the information is stored and used. Usually the owner or management committee.
- Processing data: doing anything with data, such as obtaining it in any way, recording, storing, organising, sharing or deleting it. This could be by sending out and collecting forms asking for personal contact details, medical forms, accident records, attendance records, staff appraisals, salary info, wage slips etc.
- Data processor: anyone who is processing data on behalf of the data controller but is not the employer of the data subject. This could be your payroll processor or an external administrator.
What am I obligated to do under the GDPR?
The GDPR is just an extension of the DPA: as long as you’re meeting DPA guidelines, you’re meeting GDPR guidelines. You must make sure that the data is:
- Collected and processed for a lawful reason (such as to let Fred see more cat videos and not to steal his credit card information), and in a fair and transparent way; transparent means the data subject should know what data you’re taking and what you are using it for.
- Only used for the purpose that you originally collected it
- Relevant, only what’s needed for the purpose it was collected for
- Accurate and up to date
- Only kept for as long as necessary (for example, deleted after a pupil leaves the school)
- Kept secure.
Not only must you comply with all these principles, you must also be able to demonstrate your compliance.
How to comply with GDPR in practical terms
You need to make sure you’re covering all the points in the GDPR. In practical terms this means you should audit your company to assess all the data you have, where you are storing it, what you use it for and who you share it with. Then you can assess whether you’re complying with the standards.
A good idea would be to appoint someone in charge of collecting and managing data. If your organisation is small, you don’t need a data protection officer, but someone should be on top of your data collection and making sure you’re complying with the GDPR.
Just like when you surf the web and every website tells you about the cookies and makes sure you consent to them, you must make sure your data subjects know when and why you’re collecting data. Tell them how long the data will be stored for and what you’ll use it for. This could be sent out as a policy notice to members or customers, the first time that you request data from them.
Make sure that data subjects know how to complain and request that you delete their data. Then make sure that someone is dealing with these requests, within a month at most.
All your staff should be aware of and trained in all principles of the GDPR. If one of your volunteers takes a picture with a child from your club and posts it on their personal Instagram, they’ve violated the GDPR and you will be held liable. Cover yourself by making sure they know the law.