The General Data Protection Regulation (GDPR)

We have had a few enquiries recently about the new data protection regulations – GDPR – due to take effect from May 2018. It is good to know that groups are thinking about this.

Most people like to know that any data someone holds on them is safe, and used in a fair way. If you are running a music group it is reasonable that anyone you work with would expect the same of the data you hold on them.

So considering how you collect and use data is a good thing to be doing in general - and GDPR is an excellent opportunity to review your practices.

We will of course help with this. We are digesting the new guidance at the moment and will be providing more information in the New Year.

As it stands we think the new regulations will mean at least some small changes in how you work with data – the nature and extent of the changes will vary from group to group.

However, our initial assessment is that if you are following current data protection guidelines and acting in a fair and reasonable way, the impact of GDPR will not be significant – so no need to man the panic stations.

We will keep you updated as we produce more guidance but there are some things you can be doing now to help minimise the impact come May 2018. We have updated our current guidance to explain more about this. 


As we move closer to May (2 months on from this article being published) is there any update on this?

We're in the process of finalising some new guidance assets on GDPR, and hope to publish soon.

In the meantime, if you haven't already, now is the time to conduct a data audit of your group to identify and categorise all the sources/locations/uses of data in your group that may be affected by GDPR.

You can find more details about this at the bottom of the Data Protection resource page here:

I have a question regarding the removal of a person's contact details after they leave the choir. It's easy to remove from Google Groups or address lists etc., but an email address is also stored in every email that has been sent to that person. It is not possible to edit this out and if the email was sent to many people, I don't want to delete the email. What am I supposed to do?

There's no obligation to immediately delete all data on a person when they leave the group. The key thing is whether you have a legitimate need/right to retain any parts of it.

The ICO gives the following example:

The individual may be a customer who no longer does business with you. When the relationship ends, you must decide what personal data to retain and what to delete.

You may not need to delete all personal data when the relationship ends. You may need to keep some information so that you can confirm that the relationship existed – and that it has ended – as well as some of its details.

So there are circumstances where retaining some of an ex-member's data is appropriate.

Certainly those things you point out (removing them from any mailing lists/address books/Google Groups) are likely to be required, since there's usually no good reason to keep their data for these purposes, unless they explicitly ask to e.g. remain on a mailing list.

It may be, however, that you retain some data on the person (a name, for example) in order to have a record of their having been a member, while deleting any other data (since you don't need their phone number, emergency contact, info on allergies, etc. to record simply that they were a member).

Another case the ICO describes is that of data needed for regulatory purposes:

There are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.

So where you need to keep some data on that person (e.g. a record of dates and amounts of subs payments) to meet legal requirements (e.g. for your group's accounting) there would be a legitimate reason for retaining it.

When it comes to historic emails (I'm assuming you have good security in place to protect your email account generally - strong password that is regularly changed, etc.) it would probably be over-zealous (not to mention impractical) to have to review an entire email history and delete any email that includes their email address.

While you should delete any email that contains data that is unnecessary, especially if the kind of data in it is sensitive (e.g. where they mention a medical condition or financial details), deleting historic emails simply because their email address is included among the addressees would not usually be necessary.

When will the templates for a Privacy Statement and for a GDPR compliant Data Protection Policy be available please?

Hi Sue,

We're hoping that both of these will be up on the website this week.

Hi Sue,

Some new items that we've published today:

We hold a music & arts festival for 10 days each year. We currently have no Health & Safety policy. Do you have a template that could help us with this?
We are already looking at Data Protection, so just Health & Safety is required.

Hi Jennie,

Yes - here's a template (there's also some guidance linked to from this page that would be worth perusing):

Is it acceptable to hold next of kin details? Specifically a telephone number to be used in case of emergency. We have certainly had need of these on occasion when a member became ill during a rehearsal.

Hi Rachel,

Yes - asking members for an emergency contact (or next of kin) would usually be appropriate, and justified under the 'legitimate interests' condition (that is, it's fair to assume that it's in the emergency contact's best interest for you to have their name and phone number in case of emergency).

Of course, as with any other data (but especially because this is being given to you by the member and not the emergency contact themselves) it's important to make sure that access to the data is kept secure and restricted to only those that need it.

We allow trustees to have copies of the full membership list (containing all relevant personal details). We are now about to ask members to agree to this (as per new GDPR guidelines). We also sent letters to former trustees to ask them to delete/destroy their copies of this and to sign a formal confirmation to say they had done so (on advice from an outside GDPR expert). What is our next step if we fail to get the confirmation?