Step 7: Keep a record
The GDPR Data Inventory is available for Executive Committees to use to record their processing activities.
When recording the processing activities, it is key to align each of them to a pre-defined, justified purpose, known as the lawful basis for processing. There are six of these for personal data (name, address, email, etc.) and eleven for sensitive (special category) data (ethnic origin, medical conditions, etc.).
Although there are a number of these, in practice only a few are usually required; examples are highlighted below:
Personal data
- Consent of the data subject – Should be used for communications preferences or consent for the use of photographic images (however, legitimate interest may also be appropriate for photography; further guidance can be found here).
- Processing is necessary for the performance of a contract – Should be used for the personal data gathered and processed as part of a member joining.
- Processing is necessary for compliance with a legal obligation – Should be used for the retention of records as part of accident reporting.
- Necessary for the purposes of legitimate interests pursued by the controller or a third party – Should be used for the passing of a waiting list from one local Scout Group to another; this applies to personal data only (name, address, email, etc.).
Sensitive (special category data)
- Explicit consent of the data subject – Should be used if you are required to transfer the data to a third party, such as for an event.
- Processing is necessary to protect the vital interests of a data subject – Should be used in an emergency situation where you need to pass data to a medical professional.
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, provided the processing relates only to members or former members – Should be used for the sensitive (special category) data gathered and processed as part of member joining or event registration, where the data is not passed on to a third party.
When choosing the lawful basis behind a processing activity, it's worth noting that both legitimate interest and consent allow the data subject to rescind their permission for the processing activity, so choose them only if you are able to accommodate this. The full list of lawful bases can be downloaded here.
If legitimate interest is the chosen lawful basis for processing, then it is important to maintain a record of this activity. The record should also show how it was decided that the legitimate interest balancing test was met. To assist, you can use the Legitimate Interest Assessment Tool.
Photographs, film and audio recordings
Useful resources