Skip to main content

Step 1: What do I need to know about GDPR?

Step 1: What do I need to know about GDPR?

Twenty years ago, the world was a very different place. The reach of technology was limited, and the way organisations used and processed your personal data was very different to how they use it today.

The changes that have happened over the last two decades have forced the European Union (EU) to review the old data legislation and bring it up to speed with the modern era. The EU’s General Data Protection Regulation (GDPR) raises the standards for processing personal data, to strengthen and unify protection for individuals across the EU. The new legislation came into force in the UK on 25 May 2018 and will exist post-Brexit. In addition, the regulation has been nationalised into UK law and is known as the Data Protection Act 2018.

Scout Groups, Districts, Counties/Areas/Regions (Scotland), Countries and the Scouts UK headquarters collect and process lots of personal data on the young people, adult volunteers and staff. This could be anything from names, addresses, telephone numbers right through to more sensitive data such as religion, ethnicity and disabilities. As a result, it’s important that all Scout Groups, Districts, Counties/Areas/Regions (Scotland) and Countries are aware of the new legislation and comply with it.

Duty of care for the security of data lies with everybody that gathers, handles or receives personal data. The Scout Group, District, County/Area/Region (Scotland) or Country Executive Committee has overall responsibility for making sure that they comply with legal requirements, including data protection legislation.

There are many key terms that are in the GDPR and used throughout this guidance:

Personal data

Any information that can be used to identify an individual. This information could be names, addresses, telephone numbers or more sensitive information such as religion, ethnicity and disabilities.

Data subject

This is an individual. For Scout Groups, Districts, Counties/Areas/Regions (Scotland) and Countries this could be young people, adult volunteers, parents and guardians and any staff employed locally.

Data controller

This is the owner and user of the gathered personal data. This is anybody gathering and retaining personal data, such as the Scout Group, District, County/Area/Region (Scotland) or Country.

Data processor

This is a company or individual who processes the information on behalf of the data controller. This could be the provider of a membership platform, cloud service provider or event organiser.

Lawful processing

The justified reason for holding and processing personal data, such as it being necessary to contact members about Scout affairs.

Subject Access Request (SAR)

This is a request from an individual to the Scout Group, District, County/Area/Region (Scotland) or Country to find out what information you hold on them. They also have the right to request that you change or permanently remove any details that you hold on them.


This is the loss of information. This could come from a hacker or physically losing files/folders.

Data Protection Officer (DPO)

Representative for data protection duties. An e-learning module is also available to support members.

The below examples are scenarios that may exist at local scouting level, these scenarios have been used to demonstrate some of the key terms in action:


Advertising for new members could include: events, email campaigns, canvassing.

Want to join

Potential new members and/or their parents or guardians communicate with you via:

  • email or other electronic means
  • face-to-face

Information Forms

The Young Person/Adult Information Form is used to capture information about a young person or adult volunteer in order to begin the joining/appointment process, this could be via:

  • email
  • web form
  • paper form


The young person, parent/guardian or adult volunteer are now active within the Scout Group, District, County/Area/Region (Scotland) or Country.


Scouting events are held frequently involving young people and adult volunteers. These can be:

  • sectional activities in a meeting place
  • events or nights away

These events can require further data gathering, such as activity or nights away information and health forms completed by parents/guardians and adult volunteers.

Collection of sensitive (special category) data

Young person and adult volunteer information may be collected as part of the joiners process. This may include:

  • religion
  • ethnicity


At every meeting or event, the leader in charge is obliged for safety reasons to take a register of those attending the session.


A requirement of being an adult volunteer in Scouting is to keep young people, parents/guardians and other adult volunteers updated.

These are updates about weekly meetings, upcoming events and general Scout Group, District, County/Area/Region (Scotland) or Country news.

Moving on

When a young person gets to a certain age, they go through the Moving On process to the next section. In most situations, they will have a new section leader. The young person can also leave Scouting at any point.

Data breach

It may occur that personal data is disclosed externally accidently or removed from the Scout Group, District, County/Area/Region (Scotland) or Country via malicious means. Members and parents/guardians may exercise the rights they have over their data.

Subject Access Request

In the event that a member or parent/guardian asks for their data to be deleted, updated or disclosed, the data controller has 30 days to complete the request if it is not deemed excessive.

This is covered further in Step 4: Understanding data subjects’ rights.