GDPR – one year in

David Fletcher examines your personal data in detail

The GDPR was introduced in May 2018. NABO has to comply (as do all organi­sations that hold ‘personal data’), as we hold information about people for a ‘business or other non-household purpose’. At the June Council meeting, the team took time out to review our current position one year in, to see how far we have got and what more needs to be done. We must regularly review our processing and, where necessary, update our documenta­tion and our privacy information for individuals. We must also review and update our account­ability measures at ‘appropriate’ intervals.

Personal data means information about a par­ticular living individual. This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public of­ficial or member of the public. It doesn’t need to be ‘private’ information—even information which is public knowledge, or is about someone’s professional life, or the colour of your boat can be ‘personal’ data. Almost anything we do with data counts as processing; including collecting, recording, storing, using, analysing, combin­ing, disclosing or deleting it. This applies to all members, even if they have no internet access or email. It would still apply if we kept the details in a box in the corner. We operate on the basis of ‘consent’ by members and we ask members to confirm their agreement to our Privacy Policy.

We have a policy in place and there have been no challenges to it and there are no plans to make changes at this time. But we remain open to suggestions from members. That said, 13% of members have not responded to requests to agree to our Privacy Policy. Everybody who has not agreed is reminded at membership renewal time as to their position. Some members contin­ue not to respond. Do they object on reasonable grounds? Do they not understand? Do they just not read this stuff we send? We just don’t know. We can address any of the above, but no response is very hard to deal with.

We implement security measures on our web systems through our internet service pro­vider, including up-to-date software, Captcha, Hypertext Transfer Protocol Secure (HTTPS— used for secure communication), and minimum requirements for passwords. We monitor false logins all the time, but we know that these are mostly members who mistype their passwords.

The Information Commissioners Office is the Government body that deals with this, and they have good checklists to guide us. They are generic and apply to mega-corporations as well as us, so they need some interpretation. We have worked through these lists again to identify best practice for small organisations like ourselves. This is considerably simplified because we are not trading and only communicate with mem­bers who are providing consent.

Out of all of this, the Council identified a workplan for the next year:

  • Continue with initiatives to complete agree­ment by the membership;
  • Write to life members and share the data we hold (at annual renewal);
  • Document the responsibilities of officers and approve these in the Council;
  • Document the data that we hold, including the archives; say why we keep these and ad­dress actions from this review with a view to disposal;
  • Write some simple procedures and approve them in the Council;
  • Carry out a risk assessment and impact as­sessment on data loss, and address actions from it.


So we have made a good start, but there is con­solidation work to do, and we have to keep an open mind on best practices for small organisa­tions.

What can you do? When you get a member­ship renewal or other correspondence from us, please read it. If you are asked to respond, please do so. If you have an account on the website, keep your password secure. If you have expertise or experience of GDPR with other clubs, please do get in touch. We are happy to learn or share best practice.