GDPR and Management Groups...
Being a part of the committee group or a management/BOM group can be a huge compliment and very rewarding. If you are starting off a new committee for a newly established group, then you have a clean slate: you can set up the policies and procedures and make sure that you have all the correct practices in place.
If you are joining an existing committee this can be tricky and often cumbersome. Are you setting up a group every year or does it continue year on year? What information are you inheriting and what information are you deleting from the previous year? These are all questions that need to be considered by all members.
With most groups the committee members can leave, join, or be re-elected for each year.
With each appointment, there are different points to consider:
Leaving – what information are they bringing with them when they leave? Are they sharing passwords and access to platforms they are on? Do you need to change passwords once they leave or rescind their access to emails etc.? Have they been using their email address for communications? If so, are they deleting all the information they hold? Are they members of WhatsApp groups? Do they need to pass over any admin control or be taken out of the group? Are they managing any social media accounts they need to be taken off? Are they storing any numbers, email addresses or paperwork that they should no longer have access to? These areas all need to be addressed BEFORE the person leaves, as once they are gone communication can often prove to be difficult.
Joining – what email address will they be using? What groups do they need to be added to? Do they need to have access to all the information, i.e. if they are on a committee for one group, do they need the personal details of all the members? Do you need to set up an old email address for them? Do you need to notify anyone that their data will be shared with the new member? Does the new person need training in GDPR and data management?
Re-elected – what position are they holding this term? Do they need new access to other areas? Are they in a different role than they were previously, and do they need the same level of access to the same data, or different? Do you need to review what information they previously had access to and what they should have?
It is always preferable to use the email addresses attached to that organisation or group, for example firstname.lastname@example.org. This prevents the data being lost if anyone leaves: there is a historic trail of all communication and a precedent of practices that have taken place already, i.e. summer camps, awards, trips away etc.
Remember to manage access to the data you are storing. Everything should be on a need-to-know basis, not open so that everyone has access to all the files. Leaving everything open is both careless and negligent as an approach to managing data.
If you had a data breach how would you minimise it or record what information was shared in the breach if you didn’t know who had access to what information?
Roles & Managing GDPR
Question the role that each member of the committee has in managing GDPR and data protection. Who is responsible for the correct implementation of the appropriate policies and procedures? Also make sure to regularly delete information that is no longer relevant – whose responsibility is this?
How is the information being transported and shared? Is it brought to every meeting in a box? Do you have online access to members' names and phone numbers? What about attendee lists etc.?
Data & Roles
Remember to review the data you are storing at the end of each year, committee term or group. Are you closing some WhatsApp groups and creating others? Do you need to get re-consents for new groups? Have some groups involving children been moved up a year, and are they renamed or rejoined to a new group? If so, do you have consents?
Remember that data does not disappear: if it is no longer needed for a legitimate purpose, then it must be deleted and the deletion recorded in a data deletion form. If you are unsure whether consent was provided, then delete and start again.
Never assume consent from a parent, child, member, etc. – always make sure they agree to their data being stored. Do you have written intake forms? Do you have emails to track consents, or stored text messages to confirm consent to store data?
These are all questions you need to ask in order to make sure that the data you are storing is correct, accurate and adequate for the role it was intended for.