GDPR – one year in

David Fletcher examines your personal data in detail

The GDPR came into force on 25 May 2018. NABO has to comply (as do all organisations that hold 'personal data'), because we hold information about people for a 'business or other non-household purpose'. At the June Council meeting, the team took time out to review our position one year in, to see how far we have got and what more needs to be done. We must regularly review our processing and, where necessary, update our documentation and the privacy information we give individuals. We must also review and update our accountability measures at 'appropriate' intervals.

Personal data means information about a particular living individual. This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official or member of the public. It doesn't need to be 'private' information: even information which is public knowledge, or is about someone's professional life, or the colour of your boat can be 'personal' data. Almost anything we do with data counts as processing, including collecting, recording, storing, using, analysing, combining, disclosing or deleting it. This applies to all members, even those who have no internet access or email. It would still apply if we kept the details on paper in a box in the corner, because a structured set of manual records is a 'filing system' under the GDPR. We operate on the basis of 'consent' by members and we ask members to confirm their agreement to our Privacy Policy.

We have a policy in place, there have been no challenges to it and there are no plans to change it at this time. But we remain open to suggestions from members. That said, 13% of members have not responded to requests to agree to our Privacy Policy. Everybody who has not agreed is reminded of their position at membership renewal time. Some members continue not to respond. Do they object on reasonable grounds? Do they not understand? Do they just not read the material we send? We just don't know. We can address any of the above, but no response is very hard to deal with. It is worth noting that consent is only one of the lawful bases listed in Article 6 of the GDPR; processing that is necessary to administer a membership can also rest on the membership contract or on legitimate interests, and the Council should consider whether one of those is the better basis for the routine processing, so that a member's silence does not leave us unable to hold the data we need to run the Association.

We implement security measures on our web systems through our internet service provider, including up-to-date software, CAPTCHA on forms, Hypertext Transfer Protocol Secure (HTTPS, which encrypts traffic between a member's browser and the site) and minimum requirements for passwords. We monitor failed logins all the time, but we know that these are mostly members who mistype their passwords; the pattern to watch for is one address failing against many different accounts, or many rapid failures against one account, rather than a member who fails once or twice and then logs in.
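To make the distinction between a member mistyping a password and an attack concrete, here is an added example that is not NABO's or the hosting provider's own code. It assumes a hypothetical log format of "timestamp client-IP username result" (the sample lines are constructed for this example) and hypothetical thresholds: five different accounts from one address inside ten minutes is treated as password spraying, eight failures against one account inside ten minutes as brute force, and failures followed by a success from the same address as a probable typo.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample records in an assumed format:
# "<ISO timestamp> <client IP> <username> <OK|FAIL>".
# This is not the format of any real provider's log; it exists only
# so the example runs offline.
SAMPLE_LOG = """\
2019-06-10T09:01:02 203.0.113.7 alice FAIL
2019-06-10T09:01:20 203.0.113.7 alice FAIL
2019-06-10T09:01:45 203.0.113.7 alice OK
2019-06-10T09:05:00 198.51.100.9 bob FAIL
2019-06-10T09:05:03 198.51.100.9 carol FAIL
2019-06-10T09:05:06 198.51.100.9 dave FAIL
2019-06-10T09:05:09 198.51.100.9 erin FAIL
2019-06-10T09:05:12 198.51.100.9 frank FAIL
2019-06-10T09:05:15 198.51.100.9 grace FAIL
2019-06-10T09:30:00 192.0.2.44 heidi FAIL
2019-06-10T09:30:10 192.0.2.44 heidi FAIL
2019-06-10T09:30:20 192.0.2.44 heidi FAIL
2019-06-10T09:30:30 192.0.2.44 heidi FAIL
2019-06-10T09:30:40 192.0.2.44 heidi FAIL
2019-06-10T09:30:50 192.0.2.44 heidi FAIL
2019-06-10T09:31:00 192.0.2.44 heidi FAIL
2019-06-10T09:31:10 192.0.2.44 heidi FAIL
"""


class Attempt(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed four-field log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return attempts


def classify_sources(records, window=timedelta(minutes=10),
                     spray_users=5, brute_attempts=8):
    """Return {client IP: verdict} based on its failed-login pattern.

    Verdicts: "password_spray" (many distinct accounts from one address
    within the window), "brute_force" (many failures against one account
    within the window), "typo" (a few failures, then a success from the
    same address) or "unresolved" (failures with neither pattern and no
    later success). Thresholds are assumptions for this example.
    """
    by_ip = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.ts):
        by_ip[rec.ip].append(rec)

    verdicts = {}
    for ip, recs in by_ip.items():
        failures = [r for r in recs if not r.ok]
        if not failures:
            continue  # nothing suspicious to say about an address that never failed
        start = 0
        for end in range(len(failures)):
            # Advance the window start so it spans at most `window` of time.
            while failures[end].ts - failures[start].ts > window:
                start += 1
            in_window = failures[start:end + 1]
            if len({r.user for r in in_window}) >= spray_users:
                verdicts[ip] = "password_spray"
                break
            if max(Counter(r.user for r in in_window).values()) >= brute_attempts:
                verdicts[ip] = "brute_force"
                break
        else:
            # No threshold crossed. A success from the same address by a user
            # who failed earlier looks like a member who mistyped a password.
            succeeded = {r.user for r in recs if r.ok}
            if any(r.user in succeeded for r in failures):
                verdicts[ip] = "typo"
            else:
                verdicts[ip] = "unresolved"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, verdict)
```

The point of keying on the source address rather than the account is that a member who mistypes their password fails against their own account a couple of times from their own connection, whereas an attacker either spreads attempts across many accounts (to stay under per-account lockouts) or hammers one account from a single address; both show up immediately in the per-address view.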

The Information Commissioner's Office (ICO) is the UK regulator for data protection, and it publishes good checklists to guide us. They are generic and apply to mega-corporations as well as to us, so they need some interpretation. We have worked through these lists again to identify best practice for small organisations like ourselves. Our position is considerably simpler than most because we are not trading and only communicate with members who have given consent.

Out of all of this, the Council identified a workplan for the next year:

  • Continue with initiatives to complete agreement by the membership;
  • Write to life members and share the data we hold (at annual renewal);
  • Document the responsibilities of officers and approve these in the Council;
  • Document the data that we hold, including the archives; say why we keep these and address actions from this review with a view to disposal;
  • Write some simple procedures and approve them in the Council;
  • Carry out a risk assessment and impact assessment on data loss, and address actions from it.


So we have made a good start, but there is consolidation work to do, and we have to keep an open mind on best practices for small organisations.

What can you do? When you get a membership renewal or other correspondence from us, please read it. If you are asked to respond, please do so. If you have an account on the website, keep your password secure. If you have expertise or experience of GDPR with other clubs, please do get in touch. We are happy to learn or share best practice.
