General Data Protection Regulations (GDPR)
GDPR has now been in place since May 2018. At times it can seem a daunting and complex matter. Below is guidance on two important GDPR requirements.
- GDPR Training
TSA has produced a GDPR e-learning module, which is mandatory for all adult members. It covers the basic information that individuals need to know in relation to the GDPR, what this means for their role and for Scouting, and how to effectively align with it. Topics covered are:
- Personal Data
- Individuals’ rights
- Accountability & Governance
GDPR training is only available as e-learning. This module now produces a certificate at the end of the learning. The learner will need to send this to a Training Advisor, who will then be able to validate the module on Compass.
Please ensure you:
- complete your e-learning
- and advise your Training Advisor, who will update your Compass records.
- Emails
Email is a valuable communication tool, but if not used properly it can cause GDPR problems. Please be aware that both scout-specific email addresses and personal email addresses could be subject to investigation if a Subject Access Request (SAR) is received.
- Use a scout-specific email address, not a personal email address, for your scout duties. Most districts/groups are using Office 365, so are able to generate a scout-specific email address. Contact your chair/secretary for help.
- Register for Compass on the TSA website. The Compass registration process is straightforward and can be found on the Compass site on the TSA website.
- Check, and update, your personal details on the TSA Compass site to ensure they are correct. Ensure your scout email address is shown in the Scouting Enquiries (main) field. This address is the default download address for Compass searches.
- If you change role, you may need to update your Compass details, as some addresses are role-specific and transfer with change of appointments.
- Take care before using the ‘to’ and ‘cc’ address boxes when sending mass circulation emails, especially if they contain private email addresses. Use the ‘bcc’ address box instead.
- Delete old emails. Do you really need to keep all emails that are one or two years old, or even older?
- Tidy up your inbox and sent box and then review them monthly to keep them manageable.
- Archive important emails.
- You can mass delete old emails as follows:
- In Outlook: choose File > Cleanup Tools > Mailbox Cleanup. Type in the number of days you wish to search back to, select any email to highlight it, press Ctrl+A, then right-click to find the delete option.
- In Gmail: type “older_than:1y” into the search box. This will find all emails older than 1 year (in all your boxes: inbox, sent, archived, etc.) ready for you to mass delete. Alternatively, use 12m for 12 months.
- Groups/Districts are small charitable concerns, so are not required to appoint a Data Protection Officer. Instead, they should appoint a ‘Data Protection Lead’ who will be the initial contact for all internal and external GDPR enquiries.
- Review the policy annually.
4. Retention Policy
- The retention policy will show:
- A description of the data held
- What personal data is held
- What format the data is stored in
- The retention period of the data
- The responsible Group/District Officer