GDPR (General Data Protection Regulation, 25 May 2018)
This document is provided for general information purposes only. Your use of this document is at your own risk.
What is data protection?
Data protection means protecting personal data, and the systems that hold it, from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The purpose is to protect the privacy of individuals so that they are not put at risk of harm.
What is the GDPR? General Data Protection Regulation
Up until now, the majority of the UK's data protection has been regulated by two laws: the 1998 Data Protection Act and the Privacy and Electronic Communications Directive Regulations of. However, starting from 25th May 2018, these will be replaced by a new European directive: the GDPR. The central premise behind the GDPR, besides harmonising data collection practices, is the balancing of individual and organisational rights through transparency and accountability. Organisations that have reason to collect and maintain data can continue to do so, but they must provide more justification for why they are doing this. The GDPR gives more clarity as to what defines consent, legitimate interest and personal data. It requires organisations to be transparent about what the data is used for, to give a legitimate reason for processing it, and to state a timeframe for holding the information.
GDPR: a burden or a new opportunity?
Many people in the youth sector are nervous about the effect that this new regulation could have on their delivery of services to young people. This is a completely reasonable concern: organisations will need to develop structures and processes to ensure that the new legal requirements are being met. However, it is also important to remember that the GDPR is an extension of previous data protection laws and not the complete overhaul that many are expecting. The aim of the law is not to restrict, but to clarify previously ambiguous regulations and ensure people's rights are protected.
What are the major changes that the GDPR will generate?
Pre-ticked and opt-out boxes will no longer be sufficient for proving "consent": data subjects must actively opt in to receive different forms of communication. This can take the form of tick boxes or written, electronic or oral statements, and consent clearly indicates acceptance "for the reason stated and nothing more". Requests for opt-in consent must be clear and unambiguous, using easily accessible plain language suited to the person being communicated with. It is no longer acceptable to withhold goods or services from individuals who do not give consent for something completely unrelated (e.g. free WiFi in exchange for subscribing to updates). The definition of "personal data" has been expanded to include online identifiers (such as IP addresses and location information). For example, information about a car does not fall under the regulation on its own; but if a tracking device provides data to a third party, and that data can be used to identify a natural person (an individual), then the data relating to the car falls under the GDPR because it can be used to identify an individual.
What are the major changes that the GDPR will generate?
While some data can be collected on the basis of "legitimate interest", the organisation must state adequate reasons for the legal basis on which it collects that data, and must balance its own interest in collecting the data against the rights of the person. Privacy policies must state more clearly exactly what data will be used for and how long it will be held. All data collection forms, including telephone scripts, must be kept as evidence that consent was granted or that there is a legitimate reason for processing. Individuals have the right to revoke consent at any time, and they must be made aware of this right. The process of unsubscribing must be just as easy as subscribing.
Current: No legal requirement to report breaches. Self-reporting is promoted by the ICO (Information Commissioner's Office). Some sectors require self-reporting, e.g. the NHS.
GDPR: Legally required to report all breaches (no lower limit) 'without undue delay', and within 72 hours, to the ICO. The ICO will maintain a public register of the types of breaches notified. Legally required to inform the individuals 'without undue delay' where the breach could result in ID theft or fraud; physical harm; significant humiliation and/or damage to reputation. Must use clear and plain language and tell them about their rights, including means of redress.
Data Protection Management
Current: No formal requirements.
GDPR mandates:
(1) Risk Analysis – an assessment of whether data processing activities present specific risk; undertaken on an annual basis or at the time of significant change.
(2) Privacy Impact Assessments – proactive assessment of privacy issues before and during a new or changed processing activity.
(3) Privacy by Design and Privacy by Default – systems and procedures should be designed to comply with DP principles by default, i.e. not collect, retain or share personal data beyond the minimum necessary.
Notification and Documentation
Current: Notification – must register with the ICO and maintain registration if a business, charity or organisation processes personal data. Documentation – no explicit obligation to maintain policies and procedures, although this is best practice and often de facto necessary in order to demonstrate compliance.
GDPR: Documentation becomes a legal obligation – required to keep appropriate policies and procedures to demonstrate compliance with the Regulation, and to review them at least every two years. No longer required to register with the ICO.
One-stop Shop Supervisory Authorities
Current: Everywhere you trade – answer to any DPA (Data Protection Authority) in any of the EU countries you trade in. This means numerous investigations led by different DPAs, many conclusions that often differ from each other, and different enforcement measures.
GDPR: One lead DPA – answer to one DPA, the one where your main establishment is located. N.B.: If an issue involves citizens from a number of countries, the DP Authority that governs each of those jurisdictions will be able to input into the case.
To Ensure GDPR Compliance
Answer two critical questions:
Where is my data?
Who is responsible for that data?
Preparing for GDPR – 12 Steps (May 2018 Deadline)
(1) Awareness
(2) Data Audit
(3) Review Privacy Notice
(4) Individuals' Rights
(5) Subject Access Request
(6) Legal Basis for Processing Data
(7) Consent Process
(8) Young People Consent
(9) Procedure for Data Breach
(10) Data Protection Impact Assessment
(11) Data Protection Officer
(12) International
As a starting point, the ICO has developed 12 steps to take now, so that organisations can make a start in planning how they are going to comply by May 2018. You'll need to check them all, but a few highlights include:
Privacy notices – Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods, and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. Note that the GDPR requires the information to be provided in concise, easy to understand and clear language. The ICO's Privacy notices code of practice was revised a couple of months ago and now reflects the new requirements of the GDPR. Make sure you read it and make the changes you need to.
Individual rights – The main rights for individuals under the GDPR will be: subject access, to have inaccuracies corrected, to have information erased, to prevent direct marketing, to prevent automated decision-making and profiling, and data portability. You're likely to come across some, if not all, of these in schools, so you'll need to know what your obligations are so you can properly deal with any requests you receive.
SARs – The rules for dealing with subject access requests will change under the GDPR. In most cases you will not be able to charge for complying with a request, and normally you will have just a month to comply, rather than the current 40 days. There will be different grounds for refusing to comply with a subject access request: manifestly unfounded or excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria.
Consent – If you process any personal data on the basis of consent, you'll have to review how you are seeking, obtaining and recording consent and whether you need to make any changes. Consent must be freely given, specific, informed and unambiguous, and a positive affirmation of the individual's agreement. That's a high standard. This will likely be relevant for any contact preferences you may have set up with parents and alumni, perhaps for school fundraising purposes.
Children – You should start thinking now about whether you will need to gather parental or guardian consent for the data processing you carry out. For the first time, the GDPR will bring in special protection for children's personal data, particularly in the context of commercial internet services such as social networking. If you arrange for children in your school to sign up for apps in the classroom, or for homework, you'll need to think about how consent can be obtained.
Data breaches – You should make sure you have the right procedures in place to detect, report and investigate a personal data breach, for example if you lose some personal data or disclose data to the wrong recipient. The GDPR will bring in a breach notification duty for all organisations. Not all breaches will have to be notified to the ICO, only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. If you do need to report it, you'll have to do it within 72 hours of the breach being discovered.
Data Protection by Design and Data Protection Impact Assessments – When your school is considering using data in new and innovative ways, or considering implementing new technology to monitor pupils in some way, it is currently good practice to carry out a privacy impact assessment. This will become a legal requirement in some circumstances under the GDPR. You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation, and start to assess the situations where it will be necessary to conduct a DPIA. It has always been good practice to adopt a privacy by design approach, and the ICO has recommended that organisations use privacy impact assessments for some time now; however, the GDPR will make this a legal requirement for some projects.
Data Protection Officers – Many schools will need to designate a Data Protection Officer. You'll need to decide who this will be, or at least identify someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation's structure and governance arrangements. The GDPR will require some organisations to designate a Data Protection Officer; all public authorities must, so many schools will require one.
Where to start? Information asset audit: What data do we process?
For what purposes do we use the data? On what legal basis do we use the data? Who do we share data with?
Secure the Data
What organisational measures are you going to need…
Data Protection Policy and/or Statement
Website cookies must meet the regulation
Privacy Notices – introduction of a more prescriptive framework
Access Requests – dealt with more quickly
Right to be Forgotten – individuals can require data to be erased
Next Steps: If you have questions or need support, please contact the UK Youth Membership Team, who can let you know about the UK Youth Safe Spaces Mark, which will help you meet the GDPR regulation, or go to the Information Commissioner's Office.
UK Youth Membership Team - membership@ukyouth.org
Thank You