New GDPR guidance issued by the NFWI


Data protection law is changing – get your WI ready by 25 May 2018. The following is from NFWI MyWI:
 
Today, more personal information is held digitally than ever before, and it travels with ease across borders. The General Data Protection Regulation (GDPR) was created by the European Union to protect and empower EU citizens' data privacy and to reshape the way organisations across the region approach this issue. The regulation applies in the UK from 25 May 2018 and replaces the Data Protection Act (1998). The UK Government has also introduced a Data Protection Bill to make provision for how the GDPR applies in the UK; the Bill should be read in tandem with the GDPR.

 

How does the GDPR apply to your WI?

WIs process personal data about individuals in order to provide membership services and to operate efficiently. Personal data is information that identifies an individual or relates to an identifiable individual, such as a name, postal address, telephone number, financial details and any opinions expressed about the individual. A photo or a video recording can also constitute personal information. Special categories of personal information include racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health and sexual life. Personal data can be stored electronically in a file or database (e.g. the MCS), but it can also be physically stored in a drawer or cupboard (e.g. a WI member details form). The current Data Protection Act (1998) allows WIs to use personal data in line with eight data protection principles. They require that any personal data shall be:

  1. used fairly and lawfully
  2. used for limited, specifically stated purposes
  3. used in a way that is adequate, relevant and not excessive
  4. accurate
  5. kept for no longer than is absolutely necessary
  6. handled according to people’s data protection rights
  7. kept safe and secure
  8. not transferred outside the European Economic Area without adequate protection
 

In many ways, the GDPR is similar to the Data Protection Act (1998). They are both founded on principles that your WI must interpret based on the type of personal data you handle, the level of sensitivity of that information and the level of risk you are willing to take. The biggest change with the GDPR is about transparency and accountability.  

In other words: Can your WI demonstrate that it understands how it is collecting, handling, using and justifying personal information? 

To be genuinely transparent your WI needs to know:
  • what personal information you hold, where it came from and who has access to it
  • why you are collecting the personal information, by identifying the lawful basis for the processing. The three lawful bases most relevant to WIs are: consent, performance of a contract and legitimate interest.
  • how long you are going to retain it for
  • who you share it with
  • and to inform the individual of all of the above (and record that you have done so)
 
To be genuinely accountable your WI needs to demonstrate how you comply with the GDPR. One of the most fundamental changes with the GDPR is stricter requirements for personal data that is collected based on consent. For example if a member gives consent for her photo to be taken, this needs to be recorded, managed and updated.
 
Individuals also have eight fundamental rights under the GDPR. These are:
  1. to be informed – what data is held, how it is used, why it is used etc.
  2. access – the data you hold on that individual
  3. rectification – the ability to correct incorrect information
  4. erasure – the right to be forgotten
  5. restrict processing
  6. data portability – to receive the information held about them from a data controller in a commonly used, machine-readable format (e.g. an Excel or CSV file)
  7. object; and
  8. not to be subject to automated decision-making including profiling
Other changes

If your WI receives a request from a member to see their personal information (a subject access request), you need to provide this information within the new timescale: in most cases free of charge and within one month of receiving the request (the Data Protection Act (1998) allowed 40 days).

When you carry out a new project that uses personal information in a way likely to pose a high risk to individuals, you need to assess the risks involved before you start; the GDPR calls this a data protection impact assessment.

You should make sure you have the right procedures in place to detect, report and investigate a data breach. A data breach occurs when personal data is accessed by an unauthorised person, or is altered, disclosed, destroyed or lost, whether accidentally or deliberately. For example: an attendance list that is lost on a train, or a member's email address that is shared with a non-member without her consent. Under the GDPR a breach that is likely to put individuals at risk must be reported to the ICO within 72 hours of becoming aware of it, and every breach, reported or not, should be recorded.

Fines for organisations that do not comply with the GDPR could reach an upper limit of €20 million or 4% of annual global turnover (whichever is higher). There will be no requirement for organisations to register with the ICO, but they will need to pay an annual fee; the payment structure is yet to be determined. WIs are generally exempt from registration and from payment of the annual fee.
 
What is the NFWI doing?

The NFWI will support WIs in their work to ensure compliance with the GDPR. They strongly encourage your WI to go through the resources below to get an overview of the GDPR and what you need to do to prepare for the changes. As always, NFWI staff are on hand to help with any queries and concerns.

 

On 25 May the General Data Protection Regulation (GDPR), the new EU-wide privacy legislation, starts to apply. Here are the next steps for your WI or federation to take.

The GDPR will replace the Data Protection Act (1998). Find out more about what the legislation means for your WI.

The next steps for the NFWI to take:

  • The July & August edition of WI Life will contain a letter to all WI members explaining how their personal information is used.
  • The June 2018 mailing will contain guidance for WI secretaries.
  • A WI training course, available to all members, is being produced and will be launched in June. We will let you know once this is live.
  • Data Privacy Code of Conduct is being finalised, which will govern the use of personal data held in the MCS. This will be made available shortly.
  • Keep WIs and federations informed of any additional guidance published by the Information Commissioner’s Office (ICO).
  • Ensure MCS access is restricted across the organisation: at WI level this means restricting access to the WI’s MCS Rep; at federation and NFWI level this means restricting access only to staff and trustees that require access to discharge their roles.

The next steps for the federations to take:

  • Read and understand the information provided by the NFWI.
  • Use NFWI tools (Data Mapping, Legitimate Interest Assessment etc.) to help understand and document federation data processing activities.
  • Use these, along with NFWI guidelines and policies, to work towards federation GDPR compliance.
  • Help WIs with their implementation where possible, and guide them to the resources available on My WI or to support from the NFWI if necessary.

The next steps for WIs to take:

  • Ensure NFWI, federation and WI privacy information is cascaded to all members.
  • Read and understand the information provided by the NFWI and if applicable their federation.
  • Use NFWI tools (Data Mapping, Legitimate Interest Assessment etc.) to help understand and document WI data processing activities.
  • Use these, along with NFWI guidelines and policies to work towards WI GDPR compliance.
  • Get help from their federation or the NFWI if required.

New member registration form

In order to comply with the regulations, we have created a new member registration form for WIs to use – available to download below.

Who can I speak to about GDPR/data protection?

If you have any concerns or queries, you can email dataprotection@nfwi.org.uk or call the NFWI on 020 7371 9300.

Your guide to the GDPR & Helpful Documents

General Data Protection Regulation

The Information Commissioner's Office (ICO) is the UK's independent authority for upholding information rights and enforcing data protection law. It is continuously developing helpful guidance on data protection and the forthcoming GDPR. Some helpful resources include:

Guide to Data Protection

Electronic Marketing

Getting ready for the GDPR

Data Protection Bill

The following NFWI documents are available to download from My WI:

  • Follow our advice for sharing photos and videos of individuals on social media… (11.05.2018)
  • An explanation of what consent and other lawful bases mean. (11.05.2018)
  • Practical advice and examples for federations and WIs to comply with the GDPR. (11.05.2018)
  • A checklist to help you assess whether there is a legitimate interest behind the processing. (11.05.2018)
  • A record of processing activities to help your WI comply with the GDPR. (11.05.2018)
  • This document will help prepare your federation or WI for the General Data Protection Regulation. (11.05.2018)
  • In order to comply with the GDPR, we have created a new member registration form. (11.05.2018)
  • As a WI Secretary we are asking for your assistance in communicating the changes to… (11.05.2018)
  • This privacy notice provides information about the different types of personal information that we collect… (05.06.2017)
  • Data protection guidance for all WIs (published February 2017), PDF. (08.08.2017)