GDPR – What it means for the Mammal Society and Local Mammal Groups
To see the Mammal Society’s Data Protection Policy in full, click here.
What is GDPR?
On 25th May, 2018, new data protection legislation comes into force in the UK (the EU General Data Protection Regulation, GDPR). Essentially it is designed to give individuals more control over the personal data that organisations hold on them. The Government has confirmed that the legislation will still apply post-Brexit. All organisations, including charities, are required to comply: no distinction is made between a not-for-profit entity and a direct marketing company.
How will it affect Mammal Society members, local group members and others interested in mammal conservation?
It will no longer be possible for the Mammal Society or local groups to contact any of these people without explicit consent. This means that the Mammal Society and Local Groups will only be able to send out standard mailings or email communication such as newsletters, updates, or information about events to people who have stated that they wish to receive this material. Similarly, people who have attended events (e.g. a training session) or responded to questionnaires (such as the HogWatch Survey) can only be contacted subsequently if they have opted into further contact.
The Mammal Society is strongly in favour of networking, and this is something that our members often tell us they appreciate. We will therefore be asking all attendees at events to allow us to share their contact details with other attendees, and to allow us to contact them in the future with relevant information. We recommend that Local Groups also use this approach.
What about membership reminders and bank details?
We will still be able to hold the bank details of members as this information is needed for membership payments. We are also able to send out reminders for membership renewal.
The Mammal Society never shares information with third parties and ensures that personal details are kept secure.
We are contacting all those listed on our mailing lists and asking them to ‘opt in’ to future communications by ticking a box on our website. The website will include an explanation of what the information will be used for, and we will maintain a record of who has opted into each form of contact. We recommend that Local Groups do likewise. It is important to note that ‘implied consent’ (from pre-ticked boxes or inactivity) is no longer considered consent. Therefore, all consent requests must be prominent, non-ambiguous and not form part of general terms and conditions. If you do want to receive information in the future, it is vital that you respond to these emails: otherwise we will only be able to contact you about membership renewal.
Procedures for deleting data and providing information on the data held
The new legislation also requires that data are deleted if an individual requests it, using an easy one-step process: records cannot just be suppressed. We will include information on our website asking individuals to email our membership officer if they wish their data to be deleted. Similarly, individuals can request information on the data held about them by emailing our membership officer.
Data security and compliance
A written plan on compliance is needed. This document will be shared with Local Groups. Mammal Society data are already kept securely. However, in future we will also use encryption to help reduce the risk of hacking or accidental leakage of personal information. In addition, we need to ensure that all staff and volunteers are aware of their responsibilities under GDPR. If there is a breach of compliance or data security, it could have serious consequences for organisations under the GDPR. Members need to inform the members affected of the nature of the data breach and recommend what actions they should take to mitigate the negative impact. If the breach is serious then the Charity Commission and the Information Commissioner should be informed.
It is not necessary for the Mammal Society or Local Groups to register with the Information Commissioner’s Office (ICO) (this applies only to membership organisations employing more than 250 people and/or fulfilling other criteria).