
Understanding GDPR Compliance in Local Societies

Stay informed about General Data Protection Regulation (GDPR) guidelines, data controller responsibilities, and compliance procedures for local society events. Learn how GDPR may apply post-Brexit for UK organizations.


Presentation Transcript


  1. Update to Local Society Forum 27 March 2019 Dr Nuna Staniaszek FIMMM Director of Communications, IOM3 GDPR

  2. GDPR

  3. General Data Protection Regulation

  4. GDPR became enforceable by law on 25 May 2018
     • The rules relate to the data of all EU citizens
     • Applies to all organisations wishing to operate within the EU, wherever they operate from

  5. Will the GDPR still apply if we leave the EU without a deal?
     • The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK if we leave the EU without a deal. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law when we exit the EU – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.

  6. What will the UK data protection law be if we leave without a deal?
     • The Data Protection Act 2018 (DPA 2018), which currently supplements and tailors the GDPR within the UK, will continue to apply.
     • The provisions of the GDPR will be incorporated directly into UK law if we leave the EU without a deal, to sit alongside the DPA 2018.
     • New DP exit regulations have been passed which will make technical amendments to the GDPR so that it works in a UK-only context from exit day.

  7. Who does the GDPR apply to? It applies to data ‘controllers’ and ‘processors’.
     • The controller says how and why personal data is processed
     • The processor acts on the controller’s behalf

  8. What do we need to do in order to comply with GDPR?

  9. IOM3 and Affiliated Societies
     • IOM3 is a data controller for data on members of IOM3 stored on its own member database.
     • IOM3 is a data controller for data about attendees at Local Society events for purposes of grant allocation.

  10. Local Societies are data controllers for
     • Data collected on attendees at lectures
     • Data of registered delegates at any events organised by a Local Society
     • Data of people who sign up directly as “members” of the Local Society

  11. Paper/online forms collecting personal data
     • Must be clear who is collecting the data and for what purpose
     • What will happen to that data? Will it be passed on?
     • Anyone wanting to join IOM3 must do so on an IOM3 form (paper/online)
     • Local societies collecting personal data for their own purposes must have clear forms with their own details and data protection statements.
     • Relevant consents should be included.

  12. Attendance sheet – requirement of IOM3 and GDPR. The reason for data collection, and who keeps/processes the data, is clearly stated on the form.
     Privacy information: NAME OF LOCAL SOCIETY is an Affiliated Society of the Institute of Materials, Minerals and Mining (IOM3) and is required to submit lists of attendees at our meetings to qualify for grant funding from IOM3 for society activities. Attendance sheets will be used by IOM3 to assess funding grants and retained for audit purposes in line with statutory requirements. If you have ticked either of the columns giving consent to be contacted, your contact details will be passed on to the IOM3 membership department and processed according to IOM3 guidelines and Data Protection law. IOM3 is a registered charity no 269275, www.iom3.org. A copy of this attendance sheet will also be retained by NAME OF LOCAL SOCIETY.

  13. GDPR Checklist
     • Person responsible for Data Protection
     • Review documents collecting/containing personal data.
     • Privacy notice/statement – the IOM3 notice is at www.iom3.org/privacy-notice
     • Review data protection and data retention policies: where, in what format and for how long do you keep data?
     • Review your technical and organisational measures to keep personal data safe: data and system security, and staff training.
     • Ensure that you have processes in place to collect valid consent where needed.
     • Check contracts and arrangements with suppliers and third parties, if relevant.
     • Ensure you have mechanisms in place to comply with enhanced subject access rights.
     • Provide data protection guidance/training for volunteers if they are handling personal data.
     • Make sure you keep records of processing and maintain an accurate paper trail.

  14. Do we need to register with the ICO? Do we need to appoint a Data Protection Officer?

  15. PECR
     • Read the Guide to Privacy and Electronic Communications Regulations
     • ow.ly/A5M150obERA
     ICO
     • Refer to the ICO website for guidance and information
     • https://ico.org.uk/for-organisations/
     • Dedicated advice line for small organisations

  16. ICO Enforcement Action

  17. Recent ICO Enforcement
     • The Information Commissioner’s Office (ICO) has fined Vote Leave Limited £40,000 for sending out thousands of unsolicited text messages in the run up to the 2016 EU referendum.
     • Eldon Insurance Services Limited (trading as GoSkippy Insurance) has been fined £60,000 for instigating the sending of unsolicited direct marketing emails without the required consent.

  18. Recent ICO Enforcement
     • A former administrator at Heart of England NHS Foundation Trust (HEFT) has been prosecuted for accessing medical records without authorisation. FC had inappropriately accessed the medical records of seven family members and seven children known to her without any business need to do so.
     • A former senior local government officer has been prosecuted for passing the personal information of rival job applicants to his partner, who had applied for a job at the Council. KB accessed the authority’s recruitment system and emailed the personal information of nine rival shortlisted candidates to his partner’s Hotmail account.

  19. Recent ICO Enforcement
     • A former administration assistant at a used car dealership has been prosecuted for unlawfully obtaining the personal data of customers and other employees. JMD forwarded several work emails containing personal data of customers and colleagues to her personal email account weeks before resigning from her role.
     • Magnacrest Limited pleaded guilty to an offence under section 47(1) of the Data Protection Act 1998. The organisation had failed to comply with an Enforcement Notice which had been served by the ICO in relation to a failed subject access request made by a member of the public.

  20. Organising events with registration

  21. EVENT ORGANISATION
     • Who is collecting delegate registration data?
     • Where will that data be held?
     • Who does the data belong to?
     • What happens to the data after the event?
     • Do we need to collect consent/opt in?

  22. EVENT ORGANISATION
     Guidance from the IOM Communications Ltd events team: Melanie Boyce, Head of Events. Promotion through IOM3 media channels.

  23. Guidelines for volunteers

  24. Always give priority to protection of personal data. If you hold any personal data of any sort about other people, it must be kept secure at all times. Do not share it with anyone else. Do not keep data for longer than required to carry out your task. Delete it or shred documents as soon as your task is complete.

  25. On your computer/digital files:
     • Keep your antivirus software up to date and use the latest versions of browsers and software
     • Have strong passwords
     • Never share logins or accounts
     • Do not store data on portable devices (USB sticks, laptops)
     • Take note of guidelines on digital/online safety

  26. • Keep your own personal IOM3 member data updated via your website profile
     • Don’t share contact details without the person’s permission
     • Data must not be used for any other purpose than the one for which it was provided
     • Maintain confidentiality – do not discuss or refer to any personal data or information outside your committee/board or panel

  27. Delete files and emails and destroy paper copies securely when your task is complete, unless you have a valid reason to keep them (‘nice to have’ is not a valid reason!). IOM3 is putting together a code of conduct for volunteers which will include Data Protection.

  28. GOOD DATA PROTECTION PRACTICES
     • Transparency of processes
     • Better security
     • More reliable/up to date data
     • Improve member/customer engagement and trust
     • Improve reputation

  29. GDPR
