A lot of the GDPR legislation is very similar to the previous Data Protection Act. It is in place to ensure that organisations respect and take care of people’s personal data and do not keep any information that they do not need.
Personal data is information about a person which is identifiable as being about them, including names and addresses, as well as more sensitive information. It can be held on paper or electronically.
It is important to make the distinction between personal data that belongs to your forum and contact details that belong to you personally. If you met a person and received their information through your involvement with the forum, the data belongs to the forum and should not be used for personal reasons without consent.
Your forum needs to have a clear purpose for collecting and storing personal data. For example, if you need to send information to all your members about upcoming meetings, you will need their names and addresses or email addresses. However, you do not need other information about people, such as their marital status or gender.
According to the GDPR legislation, your forum should only collect, store and use personal data if you are doing so for one of the following reasons:
- To serve your forum’s ‘legitimate interests’
- With the explicit consent of the person whose data it is
- To fulfil a contract with the person whose data it is
- To meet a legal obligation
- To protect someone’s life
- To perform a public task
Legitimate interests means that you can use data in ways that are necessary in order to run your forum. You should only keep and use the minimum amount of data that you need and you should give people the option of having their data removed from your records.
For example, if your forum needs to contact local over 50s about meetings that all are entitled to attend, it is in the forum’s legitimate interests to send them a letter or email with information about the forum and its meetings. This should include contact details for the forum and clear information explaining that they can ask to be removed from the mailing list if they do not want to continue receiving information.
‘Cold’ contacting, such as general mailings, is acceptable as long as it meets legitimate interests and the recipient is fully informed as to why the contact was made and how to have their data removed from your records.
Your forum can use personal data if you have explicit recorded consent. Consent is only valid for the particular purpose it was gained. For example, if you have consent to send someone a newsletter, it doesn’t mean you have consent to send any other information. Consent must be given by signing or ticking a box – it cannot be an opt-out option. Records need to show when and how consent was given, and the specific purpose.
When your forum collects personal data, you should provide the individuals concerned with a privacy notice which tells them why you need or hold their data. It should include:
- The name of your forum
- What the data will be used for
- Which basis you have for using the data
- How long the data will be kept
- Whether the data will be shared with a third party
- That individuals can ask to have their data removed at any time
All personal data must be kept securely. If you use electronic storage, your computer should be password protected and have up-to-date antivirus software. If your forum stores data on paper, it should be filed securely. All reasonable steps must be taken to protect personal data.
You should request explicit consent if you want to share personal data with a third party. This might be another organisation, but it could also be members of your own group. For example, if you send a group email, make sure that the email addresses are typed into the Bcc field to ensure that all email addresses are hidden.
Once you have finished using personal data for the purpose it was collected, it should be deleted.
Your forum should have a Data Protection Policy. There are many sources to help you write a policy, so please get in touch if you need help.
“Data protection for community groups” is a resource that Forums can use to deal with their data protection responsibilities, including how to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This includes sample Data Protection policies and procedures that can be utilised.