About

As well as providing training and a GDPR Toolkit (details below), I also provide extended support to people who have attended training, bought the toolkit, or just need some friendly guidance. The GDPR Toolkit can be found at http://www.adaptconsultingcompany.com/gdprtoolkit/ and Jersey Business, who are supporting the GDPR Training, can be found at https://www.jerseybusiness.je/get-advice/it-office-systems/data-protection-small-business/

Thursday 18 January 2018

How will GDPR affect our register of members (names and addresses)?



QUESTION

Our Charity was originally registered with the DP commissioner but a while ago we were advised by the Data Protection Office that we didn't need to be - so we no longer are. Will this change?

ANSWER

Simple Answer: YES. However, there are some things to consider.
The proposed new Data Protection Laws lodged in December are a beefed-up version of the Jersey Data Protection Act 2005. There are some changes, though, including to the set-up of the Information Commission Office, registration and fees.

Link to Data Protection Laws lodged in December

The draft law says this about registration and fees. So it is likely you will need to pay a fee, but it may be very small or very large, depending on risk.

· Article 17 makes it an offence for controllers and processors of personal data to process it without being registered, subject to any exemptions made by Regulations. The procedure for applying for registration is set out. Article 18 provides for controllers and processors to pay charges if so provided for in Regulations.

· The recommendation is a risk-based tiered administrative charge. With this option, organisations acting as data processors or controllers would be assessed and classified according to the risk of their processing activities, then allocated to a tiered band defined by their perceived risk. A flat annual fee for this tier would then be levied against the organisation.

QUESTION

The only data we hold is a register of members (names and addresses) and a subset of members who are the actual charity volunteers in which case we hold phone and email contacts. The data is held on word / excel on a PC. We don't do anything with it other than use it to collect subscriptions, send out mailings such as AGM notices and co-ordinate rotas.

ANSWER

There are a lot of similarities to a previous question I have answered and you may want to read this.


In summary

You should have either a contract or consent to hold and use people’s data. It is best if this is in writing.

If you use data for one purpose (AGM notices) then you cannot use it for another purpose (fundraising) without agreement.

It is also important that you are clear about how you ensure data is used, accurate, safe and secure. This should be in a Privacy Notice which may be part of a contract or a page on a website.

If you have a PC it is wise to follow good principles around access, passwords, encryption, backups etc., so that data is not lost or stolen. The States of Jersey are moving toward requiring anyone who receives States funding or does business with the States to meet the basic Cyber Essentials standard.

http://www.cyberessentials.org/

QUESTION

Are we "processing data", what does "notified" mean and are there any GDPR implications for us in your view?

ANSWER

The new law means both “controllers” and “processors” must be registered. In the example you have given, you are the controller since you gather the data and have responsibility for it. A processor is someone who does things with someone else’s data: for example doing payroll.


3 comments:

  1. GDPR course Thank you because you have been willing to share information with us. we will always appreciate all you have done here because I know you are very concerned with our.

  2. GDPR awareness course You there, this is really good post here. Thanks for taking the time to post such valuable information. Quality content is what always gets the visitors coming.

  3. Awesome article, it was exceptionally helpful! I simply began in this and I'm becoming more acquainted with it better! Cheers, keep doing awesome! online gdpr training
