General Data Protection Regulation (GDPR)
Ensure key people in CRUG are aware of the changes to GDPR. A paper form, or email note, has been sent to all members.
2. Information held
What CRUG holds relating to personal data (not necessarily every field is supplied):
· name of individual or group
· phone number
· email address
· a marker to indicate whether a person has paid their subscription for the current year, and whether they pay automatically or not.
· approximate date of joining.
We do not generate any other information. We do not share information outside the group.
We also hold email addresses of those other people and organisations that have expressed a desire to receive minutes and other communications.
Information is shared electronically with members who have provided an email address, and this is done via blind carbon copy. Knowledge of email addresses is confined to those on the committee, and sometimes other members directly involved in the group’s work. Otherwise, all information is confidential, and not shared outside the group.
The consent form, sent to all members, covers all the relevant matters: what data is stored and why, and the fact that data is not passed on to third parties.
4. Individual rights
CRUG recognises the rights of individuals, but we do not process data in the sense of deriving additional information. The only right that applies in the case of CRUG is the right to have an individual’s data corrected or deleted – this has been and will continue to be complied with.
5. Subject access requests
The only requests that can be complied with will be for the requesting individual to have their data entry either corrected or deleted.
6. Lawful basis for processing personal data
The basis for holding personal data on members is:
· to contact members with information about CRUG or related matters. This may also include non-members who have requested to be kept similarly informed.
· to allow processing of address labels where appropriate.
· to contact individuals to inform them that their subscriptions are due, or to remind them that they are overdue.
Currently our membership application form does not mention GDPR – this needs to be changed.
We do not accept children into the group. We should include confirmation that new members are aged 18 or over in our application form.
9. Data breaches
No data is held on-line about CRUG members. The data is only held on password protected files. If a data breach is reported, there is currently no system in place to cover it.
Considering the fact that CRUG does not hold personally sensitive data on members, and improper access to the data is not likely, it is considered that planning what to do in the case of a data breach is not justified.
10. Data protection by design and data protection impact assessments
The membership database is currently on the membership secretary’s computer, which is password protected, and also protected by the usual access blocking software imposed by an internet firewall, plus malware and virus checking software. Downloaded subsets of data are periodically passed to the secretary and treasurer.
11. Data protection officers
This is taken to be the CRUG committee as a whole.
Not applicable to CRUG.