[last updated – 10/5/18]
Guidance for Quiet Garden Hosts on how to comply with the new General Data Protection Regulation (GDPR), including actions that Hosts with local contacts lists need to take.
GDPR applies to Hosts in the UK and EU countries, as well as any Hosts dealing with personal data of people in the UK and EU. It is, however, relevant to ALL Hosts and provides a good opportunity to update your mailing lists and comply with best practice.
What is GDPR and what information does it apply to?
The General Data Protection Regulation (GDPR) is a new, EU-wide law that sets out new requirements for how all organisations will need to handle EU citizens’ personal data from 25 May 2018. It gives people greater control and rights over the personal data that organisations hold about them, and applies to organisations in the UK and EU countries, as well as any organisation dealing with personal data of people in the UK and EU.
The GDPR applies to personal data, which means any information that enables a person to be directly or indirectly identified. This includes names, postal or email addresses and telephone numbers. Whilst Quiet Garden Hosts won’t hold all of these, even keeping one identifier on record means GDPR is applicable.
How will local Quiet Gardens groups be affected?
The Quiet Garden Trust has data privacy policies and practices in place for our own database and website (see www.quietgarden.org/privacy). Some Quiet Garden Hosts, and their support teams, will hold lists of local people who visit their garden, are part of a local Quiet Garden group, or with whom they share details about their Quiet Garden activities and events. If you keep such lists and data, you as the Host have a responsibility to comply with GDPR.
- Clear and unambiguous consent is needed from each person on your contact list. This should be captured proactively at the earliest opportunity.
- Individuals’ personal data should be held securely. You will need to protect any data records on your computer with a password and securely lock away any physical lists (e.g. on paper).
- Anyone receiving communication from you has the right to opt out of any communication at any stage.
I keep a list of interested people – what should I do?
- Update how you sign people up to your mailing list so that it includes recording consent. Add some way of recording consent to be on your list at the point of sign-up and keep a secure record of this. This could be a tick box on your sign-up form stating that the person gives consent to be contacted through the channels stated, e.g. email/telephone/post.
- Review your list and data. Check through the records that you currently hold. If you do not have a record of consent, ask people on your list for their consent to be contacted by you by the channels you use. If they do not give consent / opt in before 25 May 2018, then delete them from your database.
- Record people’s preferences. When consent is given by existing or new contacts, record the preferences that the individual gives and save them securely, and only contact them using the preferences they have given.
- What to do with old data. Many data breaches result from inadvertent poor processing of redundant data. When disposing of old data, ensure you do this fully and securely. Personal data held on paper should be shredded and recycled or burnt. Files on computers should be permanently deleted (including clearing out the computer trash/recycling box).
- Take responsibility. Remember, data security and GDPR compliance is something you need to take responsibility for. You cannot ignore this, and help is at hand if needed.
Where can I get guidance or help?
The Quiet Garden Trust is not responsible for data held by local Quiet Gardens, but we are happy to share the above guidance and offer advice. If you have any questions please do contact us.