20 Feb 2023
The dos and don’ts of GDPR
This section outlines a practical guide for groups to follow. For more information and background on GDPR, please read the subsequent sections.
Do
- Get clear, unambiguous consent from everyone before adding their contact details to your mailing lists. For example, a paper sign-up sheet at a market stall should clearly state that ticking an opt-in box means a person will receive emails.
- Respond immediately to any data deletion or data update requests, for example if a member on your contact list wishes to unsubscribe from your newsletter and emails.
- Be clear about the purpose for collecting their data and only use it for its intended purpose. For example, when building a mailing list be clear that you'll only email members about your campaign.
- Collect as little data as possible, for example if you want to create a mailing list, only collect names and email addresses. Identifiers such as birthday, gender or where they went to school aren't relevant.
- Hold all data securely, for example by password-protecting your Excel spreadsheet (if you use spreadsheets). Use a strong password, never send it in the same message as the file, and keep the computer the file lives on locked and up to date.
- Have a role for one person in your group to manage and protect all personal data held by your group.
- Brief new members on data security, protection and consent.
- Delete old data such as old phone numbers and old email addresses.
- Regularly check and update your group members’ data such as contact number, email and postcode.
- Read our GDPR glossary at the end of this page.
- Contact us via [email protected] if you have any questions or concerns about a potential data breach.
Don't
- Ignore "opt-out" or "unsubscribe" requests from group or community members. These must be acted on immediately and are straightforward to address. We recommend sending the person a follow-up email to let them know you've acted on their request.
- Use applications such as Dropbox, Google Sheets or other third-party services to store personal data, unless you understand and use the security features provided. A sharing setting such as "anyone with the link" publishes the whole list to anybody who comes across the link, so check who a file is shared with before you put personal data in it. If you have any questions about using a particular platform, please contact us via [email protected]
- Share personal data with third parties without obtaining clear consent from group or community members beforehand. For example, if you're building an alliance with another group and plan to create a new mailing list, you must inform all members on your mailing list and seek permission from them before adding them to your joint list.
- Hold onto old paper sign-up or petition sheets, or old spreadsheets. Paper forms should be shredded as soon as the details on them have been transferred and checked, and old spreadsheets should be deleted and erased from your computer or shared drive. Access to old spreadsheets should be revoked.
- Be complacent about good data protection practices. Stay on top of GDPR guidance by revisiting this page from time to time, check the Information Commissioner’s Office (ICO) website for UK data protection guidelines, or ask Friends of the Earth staff such as your regional coordinator for help.
- Panic if you're accused of a data breach. We’re here to support you and the sooner you alert us, the easier it is to manage. Contact us via [email protected] immediately.
What's GDPR and what information does it apply to?
The GDPR is an EU-wide law that has applied since 25 May 2018. It sets out how any organisation, however small, must handle the personal data of people in the EU. The UK kept it after Brexit as the "UK GDPR", supplemented by the Data Protection Act 2018, so it still applies to UK groups.
The GDPR applies to personal data, which means any information that enables a person to be directly or indirectly identified. This includes names, postal or email addresses, phone numbers, reference numbers (eg National Insurance number) and even digital information such as IP addresses. While local action groups won’t need to hold all of these, even keeping one identifier on record means GDPR is applicable.
How are local action groups affected?
Because of the relationships that Friends of the Earth groups have with their members or local individuals, it's expected that they'll own and manage their own local records in support of those relationships. These records need to be held securely, and to be GDPR compliant. In simple terms, this means:
- Clear and unambiguous consent is needed from each member or local individual for the group to hold their personal data. This should be captured proactively at the earliest opportunity.
- Individuals’ personal data should be held securely. You need to protect any locally held digital record (eg Excel spreadsheets) with a password and securely lock away any physical lists (eg on paper).
- Anyone receiving communication from a local action group by any channel or channels (email, post etc) has the right to opt out of any communication at any stage. If consent to be contacted via a particular channel is withdrawn, communication via said channel must stop immediately. It can't be resumed until new consent is proactively given by that individual.
Not following these steps puts the group at risk of GDPR non-compliance. Without valid consent (or another lawful basis) the group has no right to contact the member or individual, and continuing to contact someone after consent has been refused or withdrawn is a breach of the GDPR. This could result in a fine and significant damage to our good name both locally and nationally.
However, it isn’t all doom and gloom – this is a great opportunity to ensure you're holding correct information about your group members, and have considered how you communicate with them and what works best. Some groups use this as a chance to consolidate their database of members, removing records for those who've long since left and reaching out to those who've fallen out of touch recently.
What are the main things to focus on in relation to GDPR?
- Use any engagement opportunity to seek consent. There may not be many chances to contact your group members or supporters and seek their consent to be contacted by email/post/phone. Think about doing this right from the first interaction you have with potential new members, for example when getting someone’s details at a stall.
- Review your data. Check through the records that you hold. Are any out of date or duplicated? If so, guidance can be sought from [email protected] on how to update them securely and safely.
- Take ownership. Under GDPR the importance of data security and protection is greater than ever. Each group should appoint a person or small group of people to be responsible for keeping the data secure (eg being the only ones who hold passwords, codes for safes etc), and make sure the group can still get at its records if one of them steps down.
- Record people’s preferences. When consent conversations or other communications (eg email) take place, record the preferences that the individual gives accurately and securely, and make sure to keep a track record of changing consents.
- Managing queries. Seek guidance if you’re not sure how to manage a query from an existing or new group member.
- Understand the risks. Take the time to make sure you're managing the personal data of group members and any other individual the group has contact with in a way that's GDPR compliant, and to understand the risks of non-compliance.
- Contacting group members. It's important you don't share personal data of members publicly. This means sending emails to your mailing list using "Bcc" so email addresses aren't visible to everyone on the list. Putting the list in "To" or "Cc" discloses every address to every recipient, which is itself a data breach you'd then have to deal with.
- Use the GDPR glossary (below) to build your understanding of the different elements and definitions.
- Recruiting new members. Should new people join the group who'll be handling or recording data, you must make sure they're fully briefed on data protection and GDPR compliance (as laid out in this guide).
- Collecting data at stalls and events. Prior to attending any events, make sure that everyone representing the group is aware of the most recent data compliance requirements, and that the most recent forms (with our current data protection statement) are used to capture both data and the individual’s consent.
- What to do with old data. When disposing of old data, common sense should be followed at all times, so give some thought to how you do this. Redundant data that's still sitting in an old spreadsheet, inbox or drawer brings no benefit and is a breach waiting to happen. Personal data held on paper (such as old petition sheets) should be shredded and recycled. Files on laptops should be deleted and the recycle bin emptied; bear in mind that this only removes the file from view, so the laptop should also have full-disk encryption turned on (eg BitLocker or FileVault) so that a lost or recycled machine doesn't give up "deleted" data. Memory sticks should be put into a secure recycling facility.
- Take responsibility. Remember, data security and GDPR compliance are things your group needs to take responsibility for. You can't ignore this, and help is at hand if needed.
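The consent rules above (consent per channel, withdrawal stops contact until fresh consent is given, keep a track record of changing consents, review records for duplicates) are easier to keep straight if the group records consent as a log of events rather than editing a single "consented: yes/no" column. The script below is an added example, not from the original page or Friends of the Earth's own processes: the log format, the names and addresses in it, and the two-year review interval are all constructed assumptions.

```python
"""Consent register for a local group's mailing list.

Added example, not from the original page or Friends of the Earth's own
processes. The log format, names and addresses below are constructed.
Each row records one consent event (who, which channel, given or withdrawn,
when, and how it was captured). The current position is always derived by
replaying the log, so the history of changing consents is preserved.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample log; these are not real people.
SAMPLE_LOG = """\
email,channel,action,recorded_on,source
Alice.Smith@example.org,email,given,2022-03-12,stall sign-up sheet
alice.smith@example.org ,post,given,2022-03-12,stall sign-up sheet
bob@example.net,email,given,2021-11-02,website form
bob@example.net,email,withdrawn,2023-01-15,unsubscribe link
carol@example.com,phone,given,2022-06-30,phone call
carol@example.com,email,given,2022-06-30,phone call
"""


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    channel: str      # "email", "post", "phone"
    action: str       # "given" or "withdrawn"
    recorded_on: date
    source: str       # where the consent came from, eg which form


def normalise_email(raw: str) -> str:
    # Different capitalisation or stray spaces are the same person.
    return raw.strip().lower()


def parse_log(text: str) -> list[ConsentEvent]:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        action = row["action"].strip().lower()
        if action not in ("given", "withdrawn"):
            raise ValueError(f"unknown action {action!r} for {row['email']}")
        events.append(ConsentEvent(
            email=normalise_email(row["email"]),
            channel=row["channel"].strip().lower(),
            action=action,
            recorded_on=date.fromisoformat(row["recorded_on"].strip()),
            source=row["source"].strip(),
        ))
    return events


def duplicate_spellings(text: str) -> dict[str, set[str]]:
    """Raw spellings in the log that collapse to one person after normalising."""
    seen: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        seen.setdefault(normalise_email(row["email"]), set()).add(row["email"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def current_consent(events: list[ConsentEvent]) -> dict[str, set[str]]:
    """Channels each person consents to right now, replaying events in date order.

    A withdrawal switches that channel off; only a later 'given' event
    (fresh, proactive consent) can switch it back on.
    """
    state: dict[str, set[str]] = {}
    # sorted() is stable, so same-day events keep their order in the log
    for ev in sorted(events, key=lambda e: e.recorded_on):
        channels = state.setdefault(ev.email, set())
        if ev.action == "given":
            channels.add(ev.channel)
        else:
            channels.discard(ev.channel)
    return state


def recipients(events: list[ConsentEvent], channel: str) -> list[str]:
    """Who may be contacted via `channel` today; use this list, in Bcc, for a mailing."""
    return sorted(e for e, chans in current_consent(events).items() if channel in chans)


def stale_consents(events: list[ConsentEvent], as_of: date | str,
                   max_age_days: int = 2 * 365) -> list[tuple[str, str]]:
    """(email, channel) pairs still in use whose last 'given' record is older than max_age_days.

    The two-year default is an assumed review interval, not a GDPR rule;
    the guidance only says to check and refresh records regularly.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    last_given: dict[tuple[str, str], date] = {}
    for ev in events:
        if ev.action == "given":
            key = (ev.email, ev.channel)
            last_given[key] = max(last_given.get(key, ev.recorded_on), ev.recorded_on)
    live = current_consent(events)
    return sorted(key for key, given_on in last_given.items()
                  if key[1] in live.get(key[0], set())
                  and (as_of - given_on).days > max_age_days)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("duplicates:", duplicate_spellings(SAMPLE_LOG))
    print("email list:", recipients(events, "email"))
    print("due for a consent refresh:", stale_consents(events, "2023-02-20", max_age_days=300))
```

Because the log is only ever appended to, the group can always show when and how a particular person consented, and when they withdrew; the mailing list for any channel is recomputed from it each time rather than kept as a separate, drifting copy. Withdrawn consent ("bob" in the sample) simply drops out of the recipient list and stays out until a new "given" row is recorded.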
Photography and video
It may not be obvious, but photos and videos in which a person's face is clearly visible are personal data and should be protected like any other. For best practice, especially at events, follow these steps to help protect your community:
- Brief people in advance about any photography or videography happening
- If possible, display signs highlighting that photography and/or videography is taking place
- Provide "no photography" badges or stickers for those who don't want to be in any photos or videos.
- If you want to use photos or videos where people are clearly identifiable, make sure you’ve gathered written consent using the template consent forms below, or record verbal consent including what and who they gave consent to, as well as how, where and when. Scan and save all consent forms and records.
- You must collect written consent for any photo or video content that includes children.
- Ensure people who’ve consented are aware their participation is voluntary and that they can withdraw their consent at any time.
- Ensure people who’ve consented are aware the photos/videos may be edited or altered, but that any substantial changes to their likeness require their consent.
- Record the date of your photo and video content and set an expiry date of 5 years after it was taken. Treat old content like old data and make every attempt to regain consent for older photos and videos. Also make it clear how people can reach out if they'd like their photo/video removed.
Check in with [email protected] if you have any questions.
Where can I get guidance or help?
Take a look at the ICO’s website where you can find lots of information about GDPR and data protection.
If you still need help, please contact [email protected]
GDPR glossary
- Consent – a freely given, specific, informed and unambiguous indication, by a clear statement or action, that a person agrees to the processing of their personal data. A pre-ticked box or silence doesn't count.
- Data breach – any security failure that leads to personal data being lost, destroyed, altered, disclosed to or accessed by someone who shouldn't have it. Hacking is one cause, but emailing a list to the wrong person or putting addresses in "To" instead of "Bcc" counts just as much.
- Data controller – the organisation (or person) that decides why and how personal data is used, eg a community group holding its own mailing list.
- Data portability – the data subject's right to receive a copy of the data they've provided in a structured, commonly used, machine-readable format so it can be moved to another controller.
- Data processor – organisations that process data on behalf of data controllers, including third-party agencies.
- Data Protection Act 2018 – the UK legislation that sits alongside the GDPR and fills in the details the regulation leaves to each country. It isn't the same thing as the UK GDPR, which is the retained version of the GDPR itself.
- Data Protection Officer – the person responsible within an organisation for ensuring it's compliant with data protection laws and regulations, and for controlling that organisation’s data protection policies and procedures.
- Data sharing – the process through which different parts of an organisation, or different organisations, share data with each other.
- Data subject – the living individual the personal data is about. The protection applies to people in the EU (and, under UK GDPR, the UK) regardless of nationality.
- Encrypted data – personal data scrambled by technological measures so that it can only be read by someone holding the right key or password.
- GDPR – General Data Protection Regulation. The EU-wide data protection law that has applied since 25 May 2018; the UK retained it after Brexit as the UK GDPR.
- Information Commissioner’s Office (ICO) – the UK regulator responsible for data protection.
- Lawful processing – processing that rests on one of the legal bases the GDPR allows, such as consent or legitimate interest. Every use of personal data needs one.
- Legitimate interest – a lawful basis separate from consent. An organisation can rely on it where it has a genuine reason to process the data, the processing is necessary for that reason, and the individual's interests and rights don't outweigh it; the organisation should document that balancing exercise, and people can still object. It isn't a way to keep using data after consent has been withdrawn.
- Personal data – any information related to a person or "data subject" that can be used to directly or indirectly identify the person.
- Privacy impact assessment – a tool used to identify and reduce privacy risks by analysing the personal data an organisation processes and the policies in place to protect it. The GDPR calls this a Data Protection Impact Assessment (DPIA).
- Processing – any operation performed on personal data, whether or not by automated means, including collection, use, recording etc.
- Right to be forgotten – also known as "data erasure", it entitles the data subject to have the data controller erase their personal data, stop sharing their data, and potentially have third parties stop processing their data.
- Subject access right – also known as the "right to access", it entitles the data subject to have access to and information about the personal data that a controller has concerning them.