From May 2018 the new General Data Protection Regulation (GDPR) will be in place, replacing the current Data Protection Act. The new regulation will apply to all types of organisations – including small charities and leisure time music groups – so it is something you should be aware of, and it may mean making some changes.
Exactly what those changes are will depend on what you currently do.
- If you are compliant with the current (pre-May 2018) data regulations and your general approach to how you handle and use data is fair, reasonable and secure, then it is likely the impact will be fairly small.
- If data protection is something you have not considered too carefully in the past or perhaps you have let your procedures and processes slip a little, then the impact may be greater.
In either case GDPR represents a good opportunity for you to review your policies and approach to data and make sure your organisation is responsible in handling data.
So what has actually changed?
GDPR does bring quite a few changes – but they won’t all be relevant for our members. We have listed what we think you will need to be aware of below. We also have more detailed guidance including practical steps you need to take.
The definition of what is personal data has been expanded. It now includes almost anything that can be used to identify an individual – so this could be personal contact details, a membership number or a photo. You need to consider the data as a whole. A name alone could be enough to identify someone. A common name might not be enough – but with an email or postal address it might be. Likewise some bank details next to an ID number might not be enough – but if the ID number can be linked to a name/address it becomes identifiable.
Impact: to be aware of all the data you hold on someone – not just the traditional things like name and address. Photos are an interesting one – the key thing is whether the person is identifiable – we will cover this in more detail in our GDPR toolkit.
Reason, consent and legitimate interests
The key thing with all data is not that you have it as such – but that you have a good reason to have it and that you have consent to use it.
- Reason: under GDPR you should not be collecting data for no good reason. Unless you have a genuine reason for having and using data then don’t ask for it. This is common sense really – and good practice. All it will do is take up digital or physical space – and if you have no use for it, it essentially exists only as a risk for you – so why have it at all?
- Impact: look at the data you currently hold and decide if you need it. Look at what data you collect from people you work with as standard – and decide if there is good reason.
- Consent: this will perhaps be the biggest change for our members. Previously consent could be implied by inaction or silence – it’s the pre-ticked box or ‘unless you tell us otherwise we will email you’ approach. Under GDPR consent will have to be positive – an individual will have to take definite action to say ‘you can have and use my data’ – so they tick the box rather than it being pre-ticked. They should also have access to a clear and specific privacy statement that explains what the data they are providing will be used for. It shouldn’t be a general catch-all for all data and all use – it has to be specific to the data they are providing at the time.
- Impact: to potentially change how you ask for consent. There is also an issue around how to treat historical opt-ins where positive consent was not given – we will look at this in our audit guidance, part of our GDPR toolkit. Additionally you may have to develop a few different privacy statements.
- Legitimate interests: there will be situations where you don’t need positive consent as use of data is implied in the activity the individual is taking part in. For example, emailing a member of your group about a rehearsal change or subscription fee reminder is legitimate interest and implied by being a member. Whilst positive consent might not be needed, they should still have access to clear and simple information about how the data will be used.
- Impact: have privacy statements available for when someone provides data that will be used under legitimate interest.
Under GDPR you might have to be more vigilant in how long you keep data. If you don’t need it anymore then you shouldn’t have it. The ‘need’ element of this will mean different things for different types of data.
Impact: to regularly review (e.g. every two years) the data you hold to decide if it is still relevant to your organisation.
Rights of individuals
Individuals currently (pre-May 2018) have rights over their data. These have been extended and made more prominent in GDPR – for example, the right to access and update their data and to object to its use (opt out).
Impact: you do need to be aware of these but as long as you are storing information well and have decent processes in place then it shouldn’t be too much of a problem.
Secure storage of data
Rules around how you store data have not necessarily changed too much. But it’s always useful to have a reminder:
- Any electronically held data should be in a password-protected, secure environment, and those passwords should be changed regularly, and when access permissions change (e.g. someone steps down from the committee).
- It can be easy to focus on digital/electronic data for GDPR. Physically held data should be kept locked and secure too. Keys should be kept track of and combination lock codes changed regularly and when access permissions change (e.g. someone steps down from the committee).
- Under GDPR how your data is stored by third parties is something you need to consider. It is your responsibility to ensure they are compliant with GDPR. This might be cloud or email services such as Google Docs or Mailchimp. Generally the bigger, more well-known organisations will have bases in the EU and will be GDPR compliant. Smaller organisations could be storing data outside the EU, which makes things more complicated.
Impact: review your own storage policies as a matter of good practice. Think about which third parties you use. A quick internet search will tell you if they are aware of and on top of GDPR.
Documentation and processes
There is a shift in emphasis with GDPR to be able to show that you are compliant. So having policies, processes and privacy statements in place to show that you are treating data responsibly is important, as is having evidence of consent being given.
Impact: review, update and possibly add to your current documentation. We have templates to help with this, and although it is a bit of work now it will help you run your group and gives you a clear set of rules about what to do – so is worth investing a bit of time in now.
How we can help
We are developing a GDPR toolkit that will help you to think about and plan any changes you need to make:
- Audit tool: this will help you do a data audit of your organisation including the different types of data you hold and use, and your policies and procedures. It will also include possible actions to take around legitimate use and consent. Available next week.
- Guidance: reviewing and retaining data. Available next week.
- Template: GDPR compliant data protection policy. Available soon.
- Template: Privacy statements. Available soon.
Does all this really apply to us?
From a music group leader/committee member point of view GDPR might seem overly regulatory and just more work for you to do. But GDPR does apply to all organisations, from multi-national banks to local community organisations.
It is worth taking some time to think about why GDPR exists. You probably care about how organisations use your data; that it is safe and used in a fair way. Most people do - and for good reason. GDPR is there to protect individuals and to make sure organisations are acting responsibly. We expect our banks to be compliant, and a data breach can cause reputational damage. Whilst a music group is clearly different to a bank, people still have the right to expect that their data is well looked after, and a breach can still impact your reputation – arguably more significantly in a smaller community.
So GDPR can be a good thing for your group. Most of it is common sense and you don’t need to get bogged down in the regulation. Some of the changes, whilst they do technically apply to you, will not affect you. Rules around automatic processing of data (where decisions are taken based on data processing without any human interaction) are unlikely to affect our groups, for example.
But some of it does affect you and there will be things you should and shouldn’t do, and some work for you to do in the next few months. But bear three things in mind:
- The work done now will help your group in the long run. Setting up policies and rules about how to handle data can make your group more efficient and responsible in how it works. This can help with a huge range of things, from reputation to committee recruitment and your long-term sustainability.
- May Day: GDPR takes effect from May 2018. If you are not fully compliant by then, the world will not end. Some things should be in place, such as positive-consent mailing list sign-up. But if you are still doing some background work on internal policies and practices then that should be fine – as long as you are moving in the right direction.
- The spirit of GDPR: The overarching aim and spirit of GDPR is that individuals’ data is treated fairly, reasonably and transparently. You may be faced with a situation where there is a choice for you to make between the absolute letter of the law, and acting within the spirit of GDPR and the best interests of your group. We are not saying ignore GDPR – in fact we think you should embrace it and use it as an opportunity to improve your organisation. But at the same time there are different approaches with relative merits and risks. It can be easy to get bogged down in the detail when a common sense approach and a bigger picture view could be taken.
Finally – what about Brexit?
GDPR is EU regulation – and will be the regulation for data protection in the UK as of May 2018. Once the UK has left the EU changes to the GDPR framework will be possible. But the principles of data protection set out in GDPR, and the way you should handle data, are very unlikely to change. So GDPR will be here from May 2018 and in all practical senses will continue to be the rules you should follow for a good while after that. So, keep calm and GDPR on!
We hope you find this Making Music resource useful. If you have any comments or suggestions about the guidance please contact us. Whilst every effort is made to ensure that the content of this guidance is accurate and up to date, Making Music do not warrant, nor accept any liability or responsibility for the completeness or accuracy of the content, or for any loss which may arise from reliance on the information contained in it.