The majority of the guide is basic common sense. Treat other people’s information the way that you would expect yours to be treated; in other words, keep it secure, don’t share it without permission and only collect what you need for that specific purpose.
So here goes:
- Only collect what you need – If you need to collect information from an individual for a particular purpose, make sure that you only collect what you need (name, address, email, phone, payment details etc.). Do not collect unnecessary data such as nationality, religion etc. unless you genuinely need it.
- Accuracy and relevance – Make sure the data collected is recorded correctly and is free of mistakes and errors, as under GDPR an individual has the right to have incorrect data rectified within one month.
- Up to date – On a reasonable timescale, make sure that your records are updated so that you are not keeping old data on file. For example, send out a quick email or letter every couple of years checking that nothing has changed. Alternatively, if there is an occasion where a membership or application is made, you could use that opportunity to cross-check your accuracy and amend if appropriate.
- Don’t share it – People have a right to know how their data will be used. If they have provided information to you for one specific purpose, then that is what it should be used for. Do not share the information with others without consent.
- Draft a simple, basic retention schedule – Think about what documents you hold and then apply a reasonable retention period to them. This stops you from keeping things forever and is a requirement of the law. For example: applications – 2 years, membership – 1 month after termination, complaints – 3 years etc.
- Disposal – When the time comes to destroy paperwork, do it safely. Shred it or burn it. Don’t just throw it in a bin, in case it is seen by others. For electronic data, make sure it is reviewed and deleted in line with your retention schedule.
- Individuals have the right to be forgotten, which means that they can withdraw the use of their data and walk away if they wish.
- Individuals have the right to have any mistakes or corrections rectified within one month of notifying you.
- Individuals have the right to object and complain about the service. Be sure to have a procedure in place to handle complaints.
The GDPR (General Data Protection Regulation) merely beefs up the existing Data Protection Act. Remember to treat other people’s data the way that you would expect yours to be handled.