GDPR is coming on 25 May 2018… are you ready?

21 May 2018

General Data Protection Regulation (GDPR) is a new, Europe-wide law that sets out requirements for how organisations will need to handle personal data from 25 May 2018.

We know that charities are getting ready for this and may have a number of questions. Here are some useful sources of information:

The Information Commissioner’s office (ICO) has guidance on the requirements applicable to all sectors.
The ICO has a webpage specifically aimed at charities. They also have a helpline for small organisations (including charities) on preparing for GDPR.
OSCR has a series of blogs from Alison Johnston from the ICOs Scotland Office about GDPR.
The Institute of Fundraising has a suite of guidance on GDPR.
SCVO and the ICO are running a data protection awareness campaign for the sector in Scotland.

We’ve also had some queries about how a SCIO’s register of trustees and register of members are affected by GDPR and the answers to these queries are below:

Do I need to redact (black out) personal information from a SCIO’s register of trustees and register of members?

Generally both registers should be available to anyone on request. However, where a request is made by someone who is not a trustee of the SCIO, if the safety or security of any person or premises could be jeopardised by releasing information about charity trustees the name and address can be redacted. In the case of the members register only addresses can be redacted.

What should my charity’s privacy statement say when asking for information for a register of trustees or a register of members?

When collecting personal information you should always be clear with the individual about what information you will be holding and why. The SCIO has a legal duty to hold information about members and trustees and this should be made clear to the individuals before their information is collected.

Rather than giving information to potential members or trustees in a privacy statement (which is usually a public statement) you might want to give them an information pack about the charity which includes details of what the register(s) contain and SCIO duties.

How long do I have to keep details of members and trustees after they have left?

Information from the register of members and the register of trustees must be kept for 6 years after the person ceased to be a member or trustee. The information that needs to be kept is the person’s name, the date they stopped being a member or trustee, and in the case of former trustees any office they held within the SCIO, such as chair or treasurer.