1. What Is GDPR?
A: GDPR, the General Data Protection Regulation, is a piece of EU data protection legislation that came into force on Friday 25th May 2018. It was enshrined in British law as the Data Protection Act 2018.
2. We’ve left the EU now; is GDPR still relevant?
A: Yes, you must ensure you continue to follow GDPR. For now it is business as usual; however, there will be some important changes at the end of the year. Please look out for further announcements online and in the Data Protection newsletter.
3. How does GDPR affect the way we can collect and use data?
A: The GDPR is based on 7 principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
These principles guide the way that any organisation can use personal data. In order to make it easier to ensure that everyone is handling personal data in a compliant way we have written the Liberal Democrats Data Protection Rules, available to read at: www.libdems.org.uk/gdpr-data-protection-rules. These rules form part of the party’s membership rules and must be followed at all times. Failure to follow these rules may lead to a data breach and a breach of the membership rules.
4. What are the penalties for mishandling personal data?
A: The Information Commissioner’s Office (ICO) has the power to fine organisations that handle personal data negligently. Under GDPR the maximum fine for a data breach is EUR 20 million (approx. £17 million) or 4% of global profits, whichever is larger. Although fines of this magnitude are rare, we as a political party are entrusted with handling large quantities of personal data. If the party is found to be negligent in its handling of personal data, it is possible that we could receive a very significant fine.
5. Is there a threat of personal liability if a breach of data protection happens on my watch doing Party business?
A: No, there is no threat for individuals, as fines and ICO action are directed at the named Data Controller, who for all Party business is the Chief Executive on behalf of the Federal Party. However, there is provision in the constitution for fines resulting from local party activities to be recouped from the local party in question.
6. Is it true that we can only use certain third party suppliers for processing personal data?
A: Yes. Under GDPR we are legally required to have contracts with all providers that state they are GDPR compliant and will only use the information we provide in a specific way. All contracts must be created/approved by the Data Controller (the Federal Party). As a result, we have a list of Approved Suppliers/Providers available on the website here: www.libdems.org.uk/approved-suppliers. These are the only suppliers that can be used to process personal data.
For printing companies, if you are using unaddressed leaflets or mail, then these do not need to be on the Approved Supplier List. If you are sharing names and addresses with a printer for targeted mail, then the printer does need to be on the Approved Supplier List. They will need to complete a simple due diligence audit to confirm they are handling our data in a GDPR compliant way.
7. Can we use WhatsApp?
A: Yes, but you must follow the WhatsApp rules. They are available to read here: www.libdems.org.uk/gdpr-data-protection-rules.
8. How can we send bulk emails in a compliant way?
A: You must use an approved bulk email supplier when sending emails to mailing lists of more than 15 people. The approved bulk email providers are Mailchimp, Nationbuilder and Prater Raines. If you are using Mailchimp you must add [email protected] as an admin. For more information about Mailchimp please see: www.libdems.org.uk/mailchimp-authorisation.
9. Am I allowed to download data?
A: You should only download personal data from the Lib Dems systems if it is absolutely necessary. If it is necessary, you must follow Download, Use, Delete: download the data, use it, and then delete it as soon as you no longer need it.
10. Can I share data?
A: You must never share personal data outside of the Liberal Democrats except for our approved third-party suppliers for administrative/transactional purposes.
If you need to share personal data by electronic means with other volunteers you must encrypt the data with a password. You must send the password by a different method than the data was sent. For more information on encryption please read the data security page: www.libdems.org.uk/gdpr-data-security.
11. How can I collect personal data in a compliant way?
A: It is essential that the individual knows the purpose you will use the data for. We cannot use the data for any other purpose.
You must not add email addresses/phone numbers to your contact list unless the individual gave explicit consent for you to do so.
12. Can I access Lib Dem data abroad?
A: Only if you are going to a country within the EU/EEA or a country that has been given an adequacy decision. If a country has been given an adequacy decision it means that the European Commission is satisfied that this country has adequate data protection standards. The list of countries that have been given an adequacy rating can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers.
You cannot access Lib Dem data from a country that is not in the EU/EEA and has not been given an adequacy rating.
13. What do I do if someone wants to exercise the legal rights they have over their data?
A: Under the GDPR, individuals have certain rights over their data. These are:
- The right to be informed about how their data is used.
- The right of access to their data.
- The right to rectification of their data.
- The right to erasure of their data.
- The right to restrict processing of their data.
- The right to data portability.
- The right to object to their data being processed.
- Rights in relation to automated decision making and profiling.
If someone contacts you asking to exercise one of these rights, it is essential that you forward the request to [email protected] as soon as you receive it. Please do not attempt to process the request yourself. We only have 1 calendar month under law to process such a request, so it is very important that you forward the request to us straight away. More information on data subject rights can be found here: www.libdems.org.uk/dpm-breach-rights-processes.
14. What should I do if I think there has been a data breach?
A: Information about data breaches can be found here: www.libdems.org.uk/dpm-breach-rights-processes.
If you think a breach has occurred it is essential that you email [email protected] immediately. In some circumstances, where the breach may cause harm to others, we must report the data breach to the ICO. We only have 72 hours to report a data breach to the ICO once we become aware of it.
15. How can I keep my social media pages and website GDPR compliant?
A: You cannot collect personal data from social media pages without explicit consent from individuals, and you must include an FPN (Fair Processing Notice) on your website and social media page. For more information on keeping your website and social media page GDPR compliant, visit this page: www.libdems.org.uk/gdpr-website-social-media.
16. How do I know if my local party has taken the right steps to be GDPR compliant?
A: We have a GDPR checklist on the website which should be used by local parties to review their level of GDPR compliance and identify areas that need improvement. The Data Officer should be responsible for reviewing this checklist. The checklist can be found here: www.libdems.org.uk/gpdr-dp-checklist.
17. How can I keep up to date with data protection guidance?
A: We will be sending a monthly Data Protection Newsletter to Local Party Officers. The newsletter will contain important information and updates about data protection.
18. Are there training opportunities available?
A: Yes, we will advertise training opportunities in the Data Protection Newsletter.
19. We have volunteers who are not members. Can they process personal data?
A: Any non-member volunteers who process Lib Dem data must sign a Data Non-Disclosure Agreement (NDA). You can download the NDA and read more information about NDAs here: www.libdems.org.uk/dpm-volunteer-nda.
20. What do I do if I have any queries about data protection compliance?
A: You can email [email protected].