New GDPR guidance issued by the NFWI
(NEXT STEPS SECTION HALFWAY DOWN PAGE)
How does the GDPR apply to your WI?
WIs process personal data about individuals in order to provide membership services and to operate efficiently. Personal data is information that identifies an individual such as: a name, postal address, telephone number, financial details and any opinions expressed about the individual. A photo or a video recording can also constitute personal information. Special categories of personal information may include racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health and sexual life. Personal data can be stored electronically in a file or database (e.g. the MCS) but it can also be physically stored in a drawer or cupboard (e.g. WI member details form). The current Data Protection Act (1998) allows WIs to use personal data in line with eight data protection principles. They require that any personal data shall be:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
In many ways, the GDPR is similar to the Data Protection Act (1998). They are both founded on principles that your WI must interpret based on the type of personal data you handle, the level of sensitivity of that information and the level of risk you are willing to take. The biggest change with the GDPR is about transparency and accountability.
In other words: Can your WI demonstrate that it understands how it is collecting, handling, using and justifying personal information?
- what personal information you hold, where it came from and who has access to it
- why you are collecting the personal information, by identifying the lawful basis for the processing. The three most relevant conditions for processing for WIs would be: consent, performance of a contract and legitimate interest.
- how long you are going to retain it for
- who you share it with
- to inform the individual of the above (and make sure this is recorded)
- to be informed – what data is held, how it is used, why it is used etc.
- access – the data you hold on that individual
- rectification – the ability to correct incorrect information
- erasure – the right to be forgotten
- restrict processing
- data portability – to receive information from a data controller in a commonly used format (i.e. a Word or Excel file)
- object; and
- not to be subject to automated decision-making including profiling
The NFWI will support WIs in your work to ensure compliance with the GDPR. They strongly encourage your WI to go through the resources below to get an overview of the GDPR and what you need to do to prepare for the changes. As always, NFWI staff are on hand to try and help with any queries and concerns.
On 25 May the General Data Protection Regulation (GDPR), the new EU-wide privacy legislation, comes into force. Here are the next steps for your WI or federation to take.
The GDPR will replace the Data Protection Act (1998). Find out more about what the legislation means for your WI.
The next steps for the NFWI to take:
- The July & August edition of WI Life will contain a letter to all WI members explaining how their personal information is used.
- The June 2018 mailing will contain guidance for WI secretaries.
- A WI Training course, available to all members, is being produced and will be launched in June. We will let you know once this is live.
- A Data Privacy Code of Conduct is being finalised, which will govern the use of personal data held in the MCS. This will be made available shortly.
- Keep WIs and federations informed of any additional guidance published by the Information Commissioner’s Office (ICO).
- Ensure MCS access is restricted across the organisation: at WI level this means restricting access to the WI’s MCS Rep; at federation and NFWI level this means restricting access only to staff and trustees that require access to discharge their roles.
The next steps for the federations to take:
- Read and understand the information provided by the NFWI.
- Use NFWI tools (Data Mapping, Legitimate Interest Assessment etc.) to help understand and document federation data processing activities.
- Use these, along with NFWI guidelines and policies, to work towards federation GDPR compliance.
- Help WIs with their implementation where possible, and guide them to the resources available on My WI or to support from the NFWI if necessary.
The next steps for WIs to take:
- Ensure NFWI, federation and WI privacy information is cascaded to all members.
- Read and understand the information provided by the NFWI and if applicable their federation.
- Use NFWI tools (Data Mapping, Legitimate Interest Assessment etc.) to help understand and document WI data processing activities.
- Use these, along with NFWI guidelines and policies, to work towards WI GDPR compliance.
- Get help from their federation or the NFWI if required.
New member registration form
In order to comply with the regulations, we have created a new member registration form for WIs to use – available to download below.
Who can I speak to about GDPR/data protection?
If you have any concerns or queries, you can email firstname.lastname@example.org or call the NFWI on 020 7371 9300.
Your guide to the GDPR & Helpful Documents
General Data Protection Regulation
The Information Commissioner’s Office (ICO) is a UK independent authority that regulates privacy laws in the UK. They are continuously developing helpful guidance on Data Protection and the forthcoming GDPR. Some helpful resources include:
- An explanation of what consent and other lawful bases mean.
- Practical advice and examples for federations and WIs to comply with the GDPR.
- A checklist to help you assess whether there is a legitimate interest behind the processing.
- A record of processing activities to help your WI comply with the GDPR.
- This document will help prepare your federation or WI for the General Data Protection Regulation...
- In order to comply with the GDPR, we have created a new member registration form...
- As a WI Secretary we are asking for your assistance in communicating the changes to...
- This privacy notice provides information about the different types of personal information that we collect...
- Data protection guidance for all WIs (published February 2017).pdf