General Data Protection Regulation (GDPR)

1. Awareness

Ensure key people in CRUG are aware of the changes to GDPR. A paper form, or email note, has been sent to all members.

2. Information held

What CRUG holds relating to personal data (not necessarily every field is supplied):

· name of individual or group
· address
· phone number
· email address
· a marker to indicate whether a person has paid their subscription for the current year, and whether they pay automatically or not
· approximate date of joining

We do not generate any other information. We do not share information outside the group.

We also hold email addresses of those other people and organisations that have expressed a desire to receive minutes and other communications.

Information is shared electronically with members who have provided an email address, and this is done via blind carbon copy. Knowledge of email addresses is confined to those on the committee, and sometimes other members directly involved in the group’s work. Otherwise, all information is confidential, and not shared outside the group.

3. Privacy policy

The consent form, sent to all members, covers all the relevant matters: what data is stored and why, and the fact that data is not passed on to third parties.

4. Individual rights

CRUG recognises the rights of individuals, but we do not process data in the sense of deriving additional information. The only right that applies in the case of CRUG is the right to have an individual’s data corrected or deleted. This has been and will continue to be complied with.

5. Subject access requests

The only requests that can be complied with will be for the requesting individual to have their data entry either corrected or deleted.

6. Lawful basis for processing personal data

The basis for holding personal data on members is:

· to contact members with information about CRUG or related matters. This may also include non-members who have requested to be kept similarly informed.
· to allow processing of address labels where appropriate.
· the data is also used to contact individuals to inform them that their subscriptions are due, or remind them that they are overdue.

7. Consent

Currently our membership application form does not mention GDPR. This needs to be changed.

8. Children

We do not accept children into the group. We should include confirmation that new members are aged 18 or over in our application form.

9. Data breaches

No data is held on-line about CRUG members. The data is only held on password-protected files. If a data breach is reported, there is currently no system in place to cover it.

Considering the fact that CRUG does not hold personally sensitive data on members, and improper access to the data is not likely, it is considered that planning what to do in the case of a data breach is not justified.

10. Data protection by design and data protection impact assessments

The membership database is currently on the membership secretary’s computer, which is password protected, and also protected by the usual access-blocking software imposed by an internet firewall, plus malware and virus checking software. Downloaded subsets of data are periodically passed to the secretary and treasurer.

11. Data protection officers

This is taken to be the CRUG committee as a whole.

12. International

Not applicable to CRUG.