QUESTION
Our Charity was originally registered with the DP
commissioner but a while ago we were advised by the Data Protection Office that
we didn't need to be - so we no longer are. Will this change?
ANSWER
Simple Answer: YES. However, there are some things to consider.
The proposed new Data Protection Laws lodged in December are
a beefed-up version of the Jersey Data Protection Act 2005. But there are some
changes, including to the set-up of the Information Commission Office,
registration and fees.
Link to Data Protection Laws lodged in December
The draft law says this about registration and fees. So it
is likely you will need to pay a fee, but
it may be very small, or very large, depending on risk.
· Article 17 makes it an offence for controllers and processors of personal data to process it without being registered, subject to any exemptions made by Regulations. The procedure for applying for registration is set out. Article 18 provides for controllers and processors to pay charges if so provided for in Regulations.
· The recommendation is a risk-based tiered administrative charge. With this option, organisations acting as data processors or controllers would be assessed and classified according to the risk of their processing activities, then allocated to a tiered band defined by their perceived risk. A flat annual fee for this tier would then be levied against the organisation.
QUESTION
The only data we hold is a register of members (names and
addresses) and a subset of members who are the actual charity volunteers in
which case we hold phone and email contacts. The data is held on word / excel
on a PC. We don't do anything with it other than use it to collect
subscriptions, send out mailings such as AGM notices and co-ordinate rotas.
ANSWER
There are a lot of similarities to a previous question I
have answered and you may want to read this.
In summary
You should have either a contract or consent to hold and use
people’s data. It is best if this is in writing.
If you use data for one purpose (AGM notices) then you
cannot use it for another purpose (fundraising) without agreement.
It is also important that you are clear about how data is used
and how you ensure it is accurate, safe and secure. This should be in a Privacy Notice,
which may be part of a contract or a page on a website.
If you have a PC, it is wise to follow good principles around
access, passwords, encryption, backups etc., so that data is not lost or
stolen. The States of Jersey are moving toward requiring anyone who receives
States funding or does business with the States to meet the basic Cyber Essentials
standard.
http://www.cyberessentials.org/
QUESTION
Are we "processing data", what does
"notified" mean and are there any GDPR implications for us in your
view?
ANSWER
The new law means both “controllers” and “processors” must
be registered. In the example you have given, you are the controller since you
gather the data and have responsibility for it. A processor is someone who does
things with someone else’s data: for example doing payroll.