David Fletcher examines your personal data in detail
The GDPR was introduced in May 2018. NABO has to comply (as do all organisations that hold ‘personal data’), as we hold information about people for a ‘business or other non-household purpose’. At the June Council meeting, the team took time out to review our current position one year in, to see how far we have got and what more needs to be done. We must regularly review our processing and, where necessary, update our documentation and our privacy information for individuals. We must also review and update our accountability measures at ‘appropriate’ intervals.
We implement security measures on our web systems through our internet service provider, including up-to-date software, Captcha, Hypertext Transfer Protocol Secure (HTTPS, used for secure communication), and minimum requirements for passwords. We monitor failed logins continuously, but we know that these are mostly members who mistype their passwords.
The Information Commissioner's Office is the Government body that deals with this, and it publishes good checklists to guide us. They are generic and apply to mega-corporations as well as to us, so they need some interpretation. We have worked through these lists again to identify best practice for small organisations like ourselves. This is considerably simplified because we are not trading and only communicate with members who have given their consent.
Out of all of this, the Council identified a workplan for the next year:
- Continue with initiatives to complete agreement by the membership;
- Write to life members and share the data we hold (at annual renewal);
- Document the responsibilities of officers and approve these in the Council;
- Document the data that we hold, including the archives; say why we keep these and address actions from this review with a view to disposal;
- Write some simple procedures and approve them in the Council;
- Carry out a risk assessment and impact assessment on data loss, and address actions from it.
So we have made a good start, but there is consolidation work to do, and we have to keep an open mind on best practices for small organisations.
What can you do? When you get a membership renewal or other correspondence from us, please read it. If you are asked to respond, please do so. If you have an account on the website, keep your password secure. If you have expertise or experience of GDPR with other clubs, please do get in touch. We are happy to learn or share best practice.