GDPR workbook

The new GDPR legislation has a very broad definition of ‘personal data’ so you could be processing more data than you think. In this section, you’ll find out about the guidelines that Scout Groups, Districts and Counties need to follow when it comes to controlling and processing people’s personal data.

There are some key terms at the heart of GDPR that help bring the purpose and impact of the legislation into focus.

GDPR takes a very wide view of what personal data means, defining it as “any information relating to an identified or identifiable natural person.”

This means that organisations now need to provide the same level of protection for digital information, such as data stored through websites, as they do for data such as names, addresses and contact details.

A data subject is the individual whom particular personal data is about. In Scouting this would include young people, parents/carers and adult volunteers. Deceased individuals or those who cannot be identified or distinguished from other individuals do not count as data subjects.

A data controller decides how personal data will be used, and often processes this information. A data processor, on the other hand, processes personal data on behalf of a controller under specific written instructions.

A Scout Group, District or County is a data controller, with the responsibility resting with the relevant Executive Committee to ensure alignment with GDPR is maintained. Another organisation or individual instructed to process (rather than just collect) data by a Scout Group, District or County is a data processor.

The Information Commissioner’s Office (ICO) guides, advises and educates organisations on how to align with GDPR. It also has the power to issue penalties and fines for non-alignment. The Scout Association is registered with the ICO.