We have developed a template Data Protection and Retention policy for use by our member groups. It has been designed in line with General Data Protection Regulation (GDPR) and can be used as it is - with just your specific details (e.g. group name) added in, or taken as a starting point with changes made to suit your specific activities and circumstance.
To help you understand, use and adapt the policy we have provided some brief notes on key areas. We also recommend that you read the guidance in our GDPR Toolkit before using the template policy.
Notes on using the policy
General: all parts in [square brackets] need to be adjusted to suit your group’s needs.
Overview and Roles and Responsibilities Sections
Generally speaking, we do not anticipate that groups will need to change much in these sections. The main things to consider are:
- the lists of people you work with and that the policy applies to
- types of data you will be collecting
We do not recommend removing anything from these lists – even if they are not currently relevant to your group, they will do no harm by being in the policy. But you might want to add extra examples particular to your group that are not included.
Data protection principles section
a) ‘We fairly and lawfully process personal data in a transparent way’ and b) ‘We only collect and use personal data for specific, explicit and legitimate purposes and will only use the data for those specified purposes’.
You may need to make adjustments in these sections to reflect the specific activities of your group. The key thing is that you detail when you will collect data, what data will be collected from individuals and how that data will be used.
Lawful basis of processing: under GDPR you should have a valid lawful reason for collecting and using data. In some circumstances you may not need the person’s consent to use it, as there might be another lawful basis for processing it. Your policy should state the lawful basis of processing. We think our groups will have two main bases:
- Contract: collecting and using data in relation to the way you are working with an individual will probably fall under the lawful basis of ‘Contract’ (i.e. you need to do so to fulfil a contractual obligation), so no specific consent is needed. A physical contract does not necessarily have to be in place if the contractual obligation is implied in the activity, such as signing up for membership. Examples:
  - Collecting and using members’ data for contact regarding membership subscriptions and group activities is fine.
  - If someone books a ticket it is OK to collect and use the data in relation to that booking (e.g. confirmation and a reminder email).
- Consent: where you will be collecting and using information for marketing and to promote your activities, specific consent is usually needed. Even where you collect data from an individual that you can use under the lawful basis of Contract, this does not mean you can also use it for marketing without consent.
  - For example: if someone books a ticket it is OK to collect and use the data in relation to that booking (e.g. confirmation). It would not be OK to use that data to promote another concert 3 weeks later – unless they have expressly given consent for this.
Privacy statements: whatever the lawful basis of processing you should provide a simple and specific privacy statement at the point of collecting the data so the individual knows why it is being collected and how it will be used.
We ensure data is not kept longer than necessary
See the separate guidance for more information on data retention.
Transfer to countries outside the EEA
Under GDPR it is your responsibility to make sure any third-party services you use are compliant with GDPR. This includes things like cloud services and email services (e.g. MailChimp).
Most well-known companies will be compliant – so this should not pose a problem. A quick internet search will often give you the information you need; if not, you should contact them for information. If you are looking to use a less well-known company for these types of services, where their credibility is less clear and/or they are based in a country with less well-established data rights for individuals, you should ask yourself whether you can really guarantee the data is protected.
Under GDPR, requests by individuals about their data should be responded to within one month, or two months for complex queries, although complex queries are unlikely for our groups. You could shorten the standard period to less than a month if you want, but we don’t recommend making it longer.
Right to object and erasure: with these rights it’s important to note that the request has to be considered but not necessarily actioned. However, there would have to be a clear and reasonable reason for refusing the objection. For example:
- A former member asks to have their details removed:
  - If they still have membership fees owing it would be fair to keep the details.
  - If they have paid all their fees and want no further involvement with the group it would be hard to justify keeping their details.
  - There may be other statutory regulations that you should follow. For example, Gift Aid declarations should be kept for 6 years.
- A current member asks that you stop contacting them by email:
  - If email is your chosen method of communication it would be fair to say you need to contact them about key administrative issues – e.g. rehearsal schedules.
  - But it might be acceptable for them to request that other types of use stop – such as promoting an optional social event.
‘Right to data portability’ and ‘Right related to automated decision making’: we think both of these are unlikely to impact our groups. But they are rights under GDPR, so it is sensible to be aware of them and reference them in your policy.
- Portability – this is about giving individuals their data to use for their own purposes, in a usable format. An example is a bank providing data on your account usage so you can upload it to a comparison site to find a better deal.
- Automated decision – this relates to decisions being taken based on an individual’s data without any human involvement. An example is applying for a personal loan online and the website using algorithms and automated credit searching to provide an immediate yes/no decision on the application.
Charitable membership bodies are encouraged to facilitate members contacting each other. This part of the policy sets out that any requests for data from members will be dealt with as and when they arise – with permission being given on a case by case basis.
You could consider detailing a policy where members give prior consent (e.g. when they first join) for their details to be shared with other members. If you do this you must include the option for members to subsequently remove their prior consent.
How we get consent
This section sets out the key things you should be doing in relation to collecting and using email data for Direct Marketing.
We suggest you also read the ICO’s best-practice guidance and The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) – especially if you are taking part in any other type of direct marketing (e.g. telephone).
Cookies on your website
We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.