As we are writing this article, organisations are preparing for GDPR compliance which comes into force on May 25th 2018.
Parish Councils may be as confused as most other organisations as to what they need to do to become compliant. The information provided by the ICO is vague and is leaving many organisations and businesses unsure of how to achieve compliance.
We’ve seen many good publications that are specific to Parish Councils and GDPR compliance. NALC have issued a GDPR toolkit for their members that should enable most Parish Councils to work through their responsibilities, including the appointment of a Data Protection Officer, which in itself is causing some distress. See this article, published recently, about NALC Chairman Sue Baxter, who has written to the Secretary of State for clarification.
What is GDPR In A Nutshell?
GDPR (General Data Protection Regulation) is a whole system of regulations, systems, rights and principles that aims to protect the personal data of every EU citizen. It comes into effect on the 25th May. The GDPR legislation documents are huge and set out to give a person more rights over the data that an organisation holds on them, but in a nutshell, the main points are as follows:
- A person can request to see all the details that you hold on them, in both human-readable and machine-readable format.
- A person can request that you delete all the personal data you hold on them.
- You need to state a valid reason for gathering and processing their data.
- You need to ask for consent when you gather data.
- You need to provide people with a way of withdrawing that consent at any time.
- You need to take precautions to protect the personal data that you have gathered.
GDPR Compliance For Websites
As we specialise in providing transparency compliant websites for parish councils, this article sets out to explain how to ensure that your online presence can comply with the new GDPR regulations.
The GDPR regulations state that consent for cookies must be given, not assumed. Furthermore, any cookie that tracks the user must stay deactivated until consent is given. Cookies such as those set by Google Analytics are capable of tracking and so must not be set until consent is obtained.
Consent must be granular, and a visitor who declines consent should get the same experience as one who has given it. Consent must also be withdrawable at any time.
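The consent rules above, as an added example that is not code from the original article: a small consent gate that keeps a tracking script such as Google Analytics unloaded until the visitor opts in to that category, and expires its cookies on withdrawal. The class name, storage key, category names and the MemoryStore helper are assumptions; `_ga` and `_gid` are the cookie names Google Analytics sets.

```javascript
// Added example (not from the original article): consent-gated loading of tracking scripts,
// with granular, withdrawable consent. ConsentManager, CONSENT_KEY, the category names
// and MemoryStore are assumptions made for this illustration.
const CONSENT_KEY = 'pc_cookie_consent';                  // assumed key for the saved consent record
const CATEGORIES = ['necessary', 'analytics'];            // granular categories; 'necessary' is never gated
const TRACKING_COOKIES = { analytics: ['_ga', '_gid'] };  // cookie names set by Google Analytics

// Minimal getItem/setItem store so the example runs outside a browser; pass localStorage in one.
function MemoryStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

class ConsentManager {
  constructor(store) {
    this.store = store;
    this.loaded = new Set();                              // categories whose scripts already run
  }
  read() {
    const raw = this.store.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : {};                    // no record means nothing was consented to
  }
  hasConsent(category) {
    if (category === 'necessary') return true;            // strictly necessary cookies need no consent
    return this.read()[category] === true;                // default is "no": consent is given, never assumed
  }
  grant(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    this.store.setItem(CONSENT_KEY, JSON.stringify({ ...this.read(), [category]: true }));
  }
  // Records the withdrawal and returns cookie strings that expire that category's cookies.
  // Add a Domain attribute if the cookie was set on a parent domain, or the browser keeps it.
  withdraw(category) {
    this.store.setItem(CONSENT_KEY, JSON.stringify({ ...this.read(), [category]: false }));
    return (TRACKING_COOKIES[category] || []).map((n) => `${n}=; Max-Age=0; Path=/`);
  }
  // Runs `loader` (e.g. a function that injects the analytics <script> tag) only with consent, and only once.
  loadIfConsented(category, loader) {
    if (!this.hasConsent(category)) return false;
    if (!this.loaded.has(category)) { loader(); this.loaded.add(category); }
    return true;
  }
}

// Browser wiring (a no-op under Node): write the expiry strings to document.cookie on withdrawal.
function applyCookieExpiry(strings) {
  if (typeof document !== 'undefined') strings.forEach((s) => { document.cookie = s; });
}
```

Because the loader runs only after `grant`, a visitor who never accepts gets the page without the analytics script or its cookies, which is the behaviour the regulation asks for.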
The ICO website gives some guidance on creating your privacy notice. Some of the brief tips the ICO gives include:
- use clear, straightforward language;
- adopt a simple style that your audience will find easy to understand;
- not assume that everybody has the same level of understanding as you;
- avoid confusing terminology or legalistic language;
- draw on research about features of effective privacy notices when developing your own;
- align to your house style. Using expertise, for example in-house copywriters, can help it fit with the style and approach your customers expect;
- align with your organisation’s values and principles. Doing so means that people will be more inclined to read privacy notices, understand them and trust your handling of their information;
- be truthful. Don’t offer people choices that are counter-intuitive or misleading;
- follow any specific sectoral rules as well as complying with data protection law, for example in advertising or financial services sectors; and
- ensure your privacy notices are consistent across multiple platforms and enable rapid updates to them all when needed.
Example GDPR Privacy Notice
The Anytown Parish Council will be referred to as the ‘Controller’ of the personal data you provide to us. We will only collect basic data, which does not include any special categories of information or location-based information. This can, however, include your name, address, email address and phone number.
Why we collect your data
We need basic data in order to provide a service. We will not collect any personal data from you that we do not need in order to provide and oversee this service to you.
What we may do with your data
All the personal data we process is processed by our officers for the purpose of Parish Council business. This information is held on servers within the European Union. No third parties have access to your personal data unless the law allows them to do so.
We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. More information on this framework can be found on our website.
How long we keep your data
We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years, after which time it will be destroyed. Information we use for marketing purposes will be kept by us until you notify us that you no longer wish to receive this information.
What we would also like to do with your data
If you have contacted us via email or the contact form, we will use the data you have provided to process your request. If you have subscribed to website updates or newsletters, you will receive them until you unsubscribe.
What are your rights?
If you believe the information we hold is inaccurate, you can request to see this information and ask to have it corrected or deleted. If you wish to raise a complaint about how we have handled your personal data, you can contact us at DPOemail@anytownparishcouncil and request that we investigate. If you are not satisfied with our response or believe we are processing your data improperly, you can complain to the Information Commissioner’s Office: https://ico.org.uk/
Having an SSL certificate ensures that data passed between the user’s computer and your website is encrypted in transit, so it cannot be read or altered on the way. This is necessary even if you only have a contact form or if visitors are able to subscribe to your updates. The major browsers such as Google Chrome and Safari are already rolling out warnings to visitors of non-HTTPS websites, so it makes sense to go down the SSL route anyway. Our premium package comes with an SSL certificate as standard.
Details Of DPO
A DPO, or Data Protection Officer, must be nominated by any public authority or body that is processing data. It is therefore our understanding that Parish Councils fall under this ruling.
A DPO can be an existing member or officer of the Parish Council and is responsible for ensuring GDPR compliance, both online and offline. The guidelines state that a DPO can be an existing staff member as long as there is no conflict of interest. The ICO defines a conflict of interest as follows:
Conflict of interest means a conflict with possible other tasks and duties. This means the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.
*NB – Since this article was published, we understand that a proposal has been put forward to the House of Lords that would exempt Parish Councils from having to appoint a DPO. We’ll update this article should the bill pass.
A Simple Compliance Solution For GDPR For Parish Councils
We realise that the regulations are difficult to navigate and that an organisation’s website is often the main point of data collection. With that in mind, we’ve created a GDPR website compliance package that we are able to install and configure on your behalf.
The GDPR package includes:
- SSL certificate installed and configured. This ensures that any data passed between the user and the website is encrypted.
- Additional functionality to allow data subjects (users) to download and delete any personal data held on them automatically (email subscribers, newsletter subscribers etc.).
- GDPR-compliant cookie consent function to allow the visitor to grant and withdraw consent in line with the GDPR regulations.
Please note that we are offering two packages for existing customers depending on which plan you are currently on. You may also upgrade plans if preferred.