Step 7: Keep a record

Once the data in use and the processes for gathering the data are understood, there is a requirement to keep a record of these. The GDPR introduces a key principle for organisations to be accountable for their data processing activities. This means that it is essential to have this detail captured in a processing register.

The processing of personal data is the activity where you gather, transfer or do something with the data, such as events registration, passing this data to the event facility and contacting the registrants with detail of the event.

The Template Data Inventory is available for use by Trustee Boards to capture this detail.

When recording the processing activities, it is key to align each of these to a pre-defined justified purpose, known as the lawful basis for processing. There are 6 of these that align to personal data (name, address, email etc.) and eleven for sensitive (special category) data (ethic origin, medical conditions etc.).

There are a number of these, however it will usually materialise that only a few will be required. Here are some examples of these:

Personal data

• Consent of the data subject: Should be used for communications preferences or consent for the use of photographic images (however legitimate interest may also be appropriate for photography, check out further guidance).
• Processing is necessary for the performance of a contract: Should be used for the personal data gathered and processed as part of a member joining.
• Processing is necessary for compliance with a legal obligation: Should be used for the retention of records as part of accident reporting.
• Necessary for the purposes of legitimate interests pursued by the controller or a third party: Should be used for the passing of a waiting list from one local Scout Group to another, this is for personal data only (name, address, email etc.).
• Processing is necessary to protect the vital interests of the data subject or of another natural person: Should be used when passing personal data of a Scout member to paramedics, or other healthcare professional, when they are administering care to them, such as their name and address. This should be used in conjunction with the special category condition for vital interests. When sensitive data is also required to be disclosed, consent is not required.

Sensitive (special category data)

• Explicit consent of the data subject: Should be used if you are required to transfer the data to a third party, such as for an event.
• Processing is necessary to protect the vital interests of a data subject: Should be used in an emergency situation where you need to pass data to a medical professional.
• Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members: Should be used for the sensitive (special category) data gathered and processed as part of a joining member or event registration, where the data is not passed on to a third party.

When choosing the lawful basis behind the processing activity it is worth noting that consent allows the data subject to rescind their permission for the processing activity. In addition, if legitimate interest is chosen you should consider that the data subject can challenge your purpose and justification. It's good practice to offer a process for opting out of the activity, such as email communications. Check out the full list of lawful basis.

If legitimate interest is the chosen lawful basis for processing, then it is important to maintain a record of this activity. It is also important that the record shows how the decision was made and that the legitimate interest balances between the organisations purpose and the rights to freedom of the data subject. To assist, you can use our Legitimate Interest Assessment.

Photographs, film and audio recordings

Read our guidance regarding the use of photographs, film and audio recordings.