General Data Protection Regulation (GDPR)

Convenors need to be familiar with Data Protection and aware of their own obligations to comply with the law, specifically the laws concerning General Data Protection Regulation. 

As a minimum, any Convenor who holds any contact details for any members who attend their group, or any other personal information about group members/attendees, must:

  1. Ensure that only information that is genuinely necessary is held.  Information which is not necessary in order for the member/attendee to be able to participate in the group, should not be held. 
  2. Ensure that any information that is held is accurate and up to date.  Convenors are advised to review the information they hold annually, in April, after members have renewed.  Any information about group members/attendees, such as contact details or other personal information, must be deleted or destroyed when the person ceases to attend the group, or on request from the member concerned. 
  3. Keep information, including paper lists, securely.  If information is held on a computer, use strong passwords on files. 
  4. Not share the information with anyone else, nor use it for any purpose other than the running of the group.  If it should be necessary to supply members’/attendees’ information to another member of the group (for example in order to arrange a particular activity of the group) then the information must be shared in a secure format, such as a password-protected Excel or Word file.  When emailing group members/attendees, the ‘blind copy’ option should always be used, so that email addresses are not visible to all recipients.

If you cease to be a Convenor (or deputy) then all the information that you have been holding relating to group members should be offered to your successor as convenor/deputy.  Any copies of such information or any other details not required by your successor must be deleted or destroyed.

Previous:    Finance and record keeping      Next:   Health and Safety