DD: GDPR

Introduction.

On Friday 25th May 2018, the EU's "Great Data Protection Regulation" (GDPR) came into effect. All affected countries have been liaising on this, and the UK's representative advisor is the Office of the Information Commissioner (ICO). Here are two links where more guidance can be found:

• Bird & Bird Guide to the GDPR for Dummies
• ICO GDPR Guides



What data do we currently store?

We currently store the following (not exhaustive) categories of data.

• Electoral register data for candidates and their teams.
• "Special Category" - extra sensitive e.g
• Canvassing results - how they intend voting
• Are they a member of UKIP LGBT
• "Criminal Offence" data - candidate vetting etc.
• Members/ ex-members/supporters contact details at central, regional and branch etc. level
• Overseas membership details
• Financial donation etc. records
• Mailshot lists
• Children - YI members under 16 (maybe under 13)?



Types of user.

There are two types of user:

• "Data Controller": who specifies what is done with the data and when, e.g. "Send membership renewals to all who expired in last 6 months"
• "Data Processor": Person who carries out the above. We will need a contract with them in all cases.

Note that in many cases the controller will also be the processor, and processing can be outsourced, e.g. when we print and mail "Independence News".



Documenting our data.

Going forward, we are required to document what data we hold, how we process it, and under what legal basis said processing occurs. We will need to share this with the data subjects in some form (privacy statement?) There are 6 legal ways we can hold data for processing, and all are equally valid - providing they apply to the usage concerned - no one reason is more important than another. For example:





Special Categories 1: Children.

Children under 13 (need to check - default if 16 if local country doesn't designate) need parental consent for us to process their data.



Special Categories 2: Sensitive data.

Some examples are given above. Note that in addition to having a lawful basis for processing under article 6, we will also need an additional reason under article 9. The possibly relevant ones are listed here:

• (a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
• (b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
• (c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• (d) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
• (e) Processing relates to personal data which are manifestly made public by the data subject;
• (f) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
• (j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.



Special Categories 3: Candidate vetting.

In addition to having a lawful use for storing criminal data, we probably need to comply with article 10:

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Sending data outside the EU.

If we, say, maintain an Overseas Regional Organiser based abroad, we will need consent.



Consent.

Where consent is required, e.g. as above, it must be informed, aided by a "privacy notice", and cannot be catch-all, opt-out by default, or "uncheck box if you disagree".



Here are some of the items we need to take into account:

• Consent requires a positive opt-in. Don't use pre-ticked boxes or any other method of default consent.
• Explicit consent requires a very clear and specific statement of consent.
• Keep your consent requests separate from other terms and conditions.
• Be specific and 'granular' so that you get separate consent for separate things. Vague or blanket consent is not enough.
• Name any third party controllers who will rely on the consent.
• Make it easy for people to withdraw consent and tell them how.
• Keep evidence of consent - who, when, how, and what you told people.
• Avoid making consent to processing a precondition of a service.



This will have a significant impact on paper-based and electronic membership forms. And this impacts overseas users where their data is shared with a regional organiser outside the UK.



What rights are conferred?

People whose data we store and process (electronically, or paper), will now have the following rights:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision making including profiling



In particular, once consent is withdrawn, we will need to delete consent based data, and we should not hold data longer than necessary.



Passing on changes?

UKIP central are obligated to pass on corrected data through the chain, e.g. Regional Organisers and branches etc.



What if we screw-up?

Data breaches need to be notified, both to regulatory authority and in some cases the individuals.



Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover.