GDPR Please don’t panic! You are probably already compliant – just a few things that you need to be aware of It really is about using your common sense and applying the law to your circumstances As long as you start to plan for GDPR by 25 May you will be fine I will send out links to ICO and anything else as they come through Don’t scribble – this will be sent round Please email me any questions you have if I can’t answer them tonight Will use MAP as an example of what we will do

Data What is the purpose of using the data? Can you justify the data that you hold? Context and purpose of using the data is critical Must give information at the beginning saying what you will do with the data (in your constitution?) You don’t need to get consent every time/year (only if your purpose changes) Email addresses for e-bulletins, invitation to forums Piece of paper here tonight inviting you to join the mailing list

Consent What is Consent? Consent has to be opt-in, not opt-out Consent must be verifiable (so verbal consent must be recorded) https://ico.org.uk/for-organisations/guide-to-the-general-data-protection- regulation-gdpr/lawful-basis-for-processing/consent/ What is not Consent? Silence, tickboxes Opting-out Withdrawing consent should be as easy as giving consent

Six principles Processed lawfully, fairly and in a transparent manner in relation to individuals Collected for a specific purpose Relevant and limited to the purpose Accurate and up-to-date Kept in a form which permits identification of data subjects for no longer than is necessary Processed in a manner that ensures appropriate security of the personal data Can you comply with all of them? And do you have evidence? Mention IGS and postal address Always using BCC blind copy on emails

Suggestions/advice Do an information audit – give yourselves until 15 May to complete Decide if any changes need to be made to the type of data you hold Write a couple of sentences explaining how and why you will use people’s data Write a sentence explaining how members can opt-out Make the information available (website, bottom of emails, etc) Minute the work you have done to be GDPR compliant Review in a year’s time

Further reading ICO (Information Commissioner’s Office) https://ico.org.uk/for-organisations/guide-to-the-general-data- protection-regulation-gdpr/ https://ico.org.uk/media/for- organisations/documents/1624219/preparing-for-the-gdpr-12- steps.pdf Will be publishing guidance mid-March Self-assessment toolkit