Further key steps to alignment with GDPR
Further key steps to alignment with GDPR
As well as following the new rules on data breaches, data protection and Privacy Impact Assessments, there are other key steps members should take to help make GDPR-alignment part of the fabric of their local Scout Group, District and County.
In Scouting there are many policies and procedures that are the responsibility of your local Executive Committee. By either integrating GDPR requirements into existing policy or creating new policies, your Executive Committee will be able to demonstrate to the Information Commissioner’s Office that it takes its responsibilities seriously.
Being able to demonstrate that adult volunteers within your Scout Group, District or County have been made aware of their responsibilities through this training is also an important part of being able to demonstrate GDPR alignment. A record that this training has been completed should be kept.
If a data controller uses a third party data processor, for example a local Scout Group, District or County using an external online management system, GDPR requires the controller to make sure that the processor has adequate written instructions about what is expected of them in terms of GDPR.
This means having sufficient technical and operational safeguards in place to protect the information they will process. Contractual terms and conditions are a good place to embed these requirements.
Controllers and processors must keep a record of all their processing activities. For most organisations, details such as the purpose for processing personal data, categories of individuals and the different types of data held must be kept.
In some cases personal data is accidentally disclosed externally or removed from the Scout Group, District or County via malicious means. In either of these events, the data controller is obligated to report the breach according to the breach reporting process defined by the Executive Committee.
The duty of care for the security of personal data lies with everybody involved in gathering, handling or receiving this data. The Scout Group, District and County Executive Committee has the overall responsibility for making sure that they align with legal requirements, including data protection legislation.
- Under GDPR, it is mandatory for certain data controllers to designate a Data Protection Officer
- Personal data breaches should be reported to the Information Commissioner’s Office, unless the breach is unlikely to result in a risk for the rights and freedoms of individuals
- Data protection considerations need to be included into daily activities, so taking a ‘Privacy by Design’ approach and completing Data Protection Impact Assessments (DPIAs) are essential
- Local Scout Groups, Districts and Counties can make GDPR alignment part of the fabric of Scouting by playing close attention to their policy and procedures, volunteer training records, contractual terms and conditions and through keeping records of all their processing activities.