ALDE VALLEY SUFFOLK FAMILY HISTORY GROUP and the GDPR ①
[There are two reasons: to demonstrate compliance to regulators and to inform members — the part of SFHS's doc that we have seen (pp.263-264) doesn't DEMONSTRATE compliance, but members don't need to read these WHY, HOW or WHO pages (pages 1, 2 and 3). From the Membership webpage, they will initially be directed to the WHAT page (page 4), which is based on the SFHS policy document. ]
The EU General Data Protection Regulation (GDPR) aims primarily to give citizens and residents control over their personal data, and became enforceable on 25th May 2018. It brings a new set of "digital rights" to EU citizens over their personal data, which comprises, according to the European Commission, "any information relating to an individual, … anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information or a computer's IP address".
The Data Protection Act 1998 and similar earlier UK data legislation broadly related only to computer and closely related systems. However, it is important to know that the new EU Regulation applies to ALL personal data held on others, including in paper-based systems.
The Regulation applies if the "data controller" (an organisation that collects data from EU residents), or the "processor" of data, or the "data subject" (person), is based in the EU. Data may not be processed unless there is at least one legal basis to do so. One of these bases is that the "data subject" has given consent to the processing of personal data for one or more specific purposes. If consent is used as the legal basis for processing, that consent must be explicit about the data collected and the purposes for which the data is used. Data controllers must be able to prove "consent" (opt-in), and consent can be withdrawn by the data subject.
The Information Commissioner's Office (ICO) adds that "explicit consent requires a very clear and specific statement of consent, … separate consent for separate things. Vague or blanket consent is not enough. … Make it easy for people to withdraw consent and tell them how. Keep evidence of consent — who, when, how and what you told people. Avoid making consent to processing a precondition of a service."
Briefly, consent now needs to be "unambiguous and involve a clear affirmative action" by the person agreeing to their data being held.
Furthermore, the Regulation's "right of access" gives citizens the right to access their personal data and information on how that data is being processed. A "right to be forgotten" was replaced by a less limited "right of erasure" in the version that was adopted by the European Parliament in March 2014.