GDPR

Data Protection Law is changing - get your WI ready.

Today more personal information is held digitally than ever before and it travels with ease across borders. The GDPR (General Data Protection Regulation) was created by the European Union to protect and empower EU citizens' data privacy and to reshape the way organisations across the region approach this issue. The regulation will apply in the UK from 25 May 2018 and replaces the Data Protection Act (1998).

Recently the government introduced a Data Protection Bill to make provisions for how GDPR applies in the UK. This document should be read in tandem with the GDPR.

How does the GDPR apply to your WI?

WIs process personal data about individuals in order to provide membership services and operate efficiently. Personal data is information that identifies an individual, such as: name, postal address, telephone number, financial details and any opinions expressed about that individual. A photo or a video recording can also constitute personal information.

Special categories of personal information may include racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health and sexual life.

Personal data can be stored electronically in a file or database (e.g. the MCS) but it can also be physically stored in a drawer or cupboard (e.g. WI member details form).

The current Data Protection Act (1998) allows WIs to use personal data in line with eight data protection principles. They require that any personal data shall be:

  1. used fairly and lawfully
  2. used for limited, specifically stated purposes
  3. used in a way that is adequate, relevant and not excessive
  4. accurate
  5. kept for no longer than is absolutely necessary
  6. handled according to people's data protection rights
  7. kept safe and secure
  8. not transferred outside the European Economic Area without adequate protection

In many ways the GDPR is similar to the Data Protection Act (1998). They are both founded on principles that your WI must interpret based on the type of personal data you handle, the level of sensitivity of that information and the level of risk you are willing to take. The biggest change with the GDPR is about transparency and accountability. In other words: can your WI demonstrate that it understands how it is collecting, handling, using and justifying personal information?

To be genuinely transparent your WI needs to know:

  • what personal information you hold, where it came from and who has access to it
  • why you are collecting the personal information, by identifying the lawful basis for the processing. The three most relevant conditions for processing for WIs would be: consent, performance of a contract and legitimate interest.
  • how long you are going to retain it for
  • who you share it with
  • that you have informed the individual of the above (and make sure this is recorded)

To be genuinely accountable your WI needs to demonstrate how you comply with the GDPR.

One of the fundamental changes with the GDPR is stricter requirements for personal data that is collected based on consent. For example, if a member gives consent for her photo to be taken, that consent needs to be recorded, managed and updated.

Individuals also have eight fundamental rights under the GDPR. These are the right:

  1. to be informed - what data is held, how it is used, why it is used etc.
  2. of access - to the data that you hold on that individual
  3. to rectification - the ability to correct incorrect information
  4. to erasure - the right to be forgotten
  5. to restrict processing
  6. to data portability
  7. to object; and
  8. not to be subjected to automated decision making, including profiling

Other changes

If your WI receives a request from a member to see their personal information (a subject access request), you need to provide this information to the member within new timescales and requirements.

When you carry out a new project you need to make an assessment of the risks involved with using personal information in that project.

You should make sure you have the right procedures in place to detect, report and investigate a data breach. A data breach occurs if personal data is accidentally accessed by an unauthorised person, or if a significant set of personal data is altered, disclosed, destroyed or lost. For example, an attendance list that is lost on a train, or a member's email address that is shared with a non-member without their consent.

Fines for organisations that do not comply with the GDPR could reach an upper limit of €20 million or 4% of annual global turnover (whichever is higher).

There will be no requirement for organisations to register with the ICO, but they will need to pay an annual fee. The payment structure is yet to be determined. WIs are generally exempt from registration and the payment of the annual fee.

What is the NFWI doing?

The NFWI is here to support WIs in your work to ensure compliance with the GDPR. We strongly encourage your WI to go through the resources available to get an overview of the GDPR and what you need to do to prepare for the changes. As always, NFWI staff are on hand to help with any queries and concerns.

Your guide to the GDPR, General Data Protection Regulation

The Information Commissioner's Office (ICO) is an independent authority that regulates privacy laws in the UK. It is continuously developing helpful guidance on data protection and the forthcoming GDPR.