GDPR – Bitesize Tips


General Data Protection Regulations (GDPR)

GDPR has now been in place since May 2018.  At times it can seem a daunting and complex matter.  Below is guidance on two important GDPR requirements.

  1. GDPR Training

Background information:

TSA has produced a GDPR e learning which is a mandatory module for all adult members. It covers the basic information that individual’s need to know in relation to the GDPR, what this means for their role and for Scouting, and how to effectively align with it. Topics covered are:

  • Personal Data
  • Individuals’ rights
  • Consent
  • Accountability & Governance

GDPR training is only available as e-learning. Link. This module now produces a certificate at the end of the learning.  The learner will need to send this to a Training Advisor who will then be able to validate the module on Compass.


Please ensure you:

  • complete your e learning
  • and advise your training advisor who will update your compass records.
  • E Mails

Background information:

E mail is a valuable communication tool but if not used properly can cause GDPR problems. Please be aware that both scout specific e mail addresses and personal e mail addresses could be subject to investigation if a Subject Access Request (SAR) is received.


  • Use a scout specific e mail address, not a personal e mail address for your scout duties.  Most districts/groups are using office 365 so are able to generate a scout specific e email address. Contact your chair/secretary for help.
  • Register for Compass on TSA website. The compass registration process is straightforward and can be found on the compass site on TSA website.
  • Check, and update, your personal details on TSA compass site to ensure they are correct. Ensure your scout email address is shown in the Scouting Enquiries (main) field.  This address is the default download address for compass searches.
  • If you change role you may need to update your compass details as some addresses are role specific and transfer with change of appointments.
  • Take care beforeusing the ‘to’ and ‘cc’ address boxes when sending mass circulation e mails especially if they contain private e mail addresses.  Use the ‘bcc’ address box instead.
  • Delete old emails. Do you really need to keep all e mails that are one/two years or even older? 
    • Tidy up your inbox and sent box and then review them monthly to keep them manageable.
    •  Archive important e mails.  
    • You can mass delate old e mails by:
      • In outlook-choose File>Clean up tools > mail box clean up. Type in number of days you wish to search back to, select any email to highlight, Ctrl A and right click to find delete option.
      • In gmail- typing “older_than:1y”, into search box. This will find all emails older than 1 year (in all your boxes- in, sent, archived etc) ready for you to mass delete. Alternatively use 12m for 12 months.

3. GDPR Privacy Policy

Background information:

  • Each individual group/district must have a Privacy Policy which ideally should be displayed on its website and/or must be freely available to view.  ESUs and ASUs are covered by the relevant district/county policy.
  • It is the collective responsibility of the group/district executive to write, review, update and display a Privacy Policy.
  • A Privacy Policy template is available from TSA website or follow the link……… Use of TSA template ensures you provide all the information that is legally required to comply with current legislation. County has copied and edited TSA template and its version can be viewed on the County website
  • Groups/Districts are small charitable concerns, so are not required to appoint a Data Protection Officer. Instead, they should appoint a ‘Data Protection Lead’ who will be the initial contact for all internal and external GDPR enquiries.


  • Create and publish a group/district privacy policy. This is not optional but a legal requirement and requires your immediate attention if you do not already have a policy in place.
  • Appoint a Data Protection Lead and ensure their contact details are shown in the Privacy Policy.
  • Review the policy annually.

4. Retention Policy

Background information:

  • One element of the Privacy Policy is to give details of the retention (of documents/data) policy. The County Privacy Policy has a link to its retention policy and you are encouraged to view/copy the document on the website.
  • The retention policy will show:
    • A description of the data held
    • What personal data is held
    • What format the data is stored in
    • The retention period of the data
    • The responsible Group/District Officer


  • In conjunction with producing your Privacy Policy, Groups/Districts should produce a retention policy using the County and/or TSA templates.