Staying within the law – holding member and financial data


What is GDPR and how does it impact me?

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 across the EU. In the UK it was brought into law by the Data Protection Act 2018, which replaced the Data Protection Act 1998.

It aims to protect the privacy and rights of individuals by requiring organisations to ensure that the personal data they hold is:

  • kept securely
  • accurate and up to date
  • limited to what is necessary for the purpose for which it is held
  • not kept for longer than necessary

What data does GDPR cover?

GDPR covers all personal data. This includes a member’s name, phone number, email address, postal address and photo. It applies however and wherever the data is stored, whether on old paper records locked in a cabinet in someone’s house, on a computer, on a phone, or within emails and messaging apps.

What do I need to get permission for, and how should I gather it?

When a member joins NWR they agree to our privacy policy that enables NWR staff to use their data to provide the membership services they have subscribed to. This enables staff to inform the LO/Treasurer of their name and contact details.

Many groups share their contact details with each other in the form of group emails and WhatsApp groups to make organising meetings easier and in order to connect with each other.

It is the responsibility of the LO to ensure that she has permission from each member before their contact details (for example, email address and/or phone number) are shared with other members. This permission can be given verbally or in writing. It is important to keep a record of the date the permission was given and to get into the habit of checking annually that members are still happy for their details to be shared.

Dos and Don’ts for GDPR Compliance

  • Keep all NWR documentation that is in electronic format secure, for example on a password-protected computer (ideally with disk encryption switched on, so the data is still protected if the device is lost or stolen).
  • If you need to print out member details, keep the printouts safe, do not keep them for longer than necessary, and destroy them (for example by shredding) when no longer required. Destroy them as soon as any of the data is incorrect.
  • When sending emails, always blind copy (Bcc) the email addresses unless you have received consent (verbal or written) from each member that they are happy for their email address to be shared. Consider including this in a check-list of things to ask a new member, and make a point of checking with all members once a year that they are still happy to have their email address shared.
  • If organising an event or project with other members, do not share more personal information about other members than is strictly necessary for the job being undertaken. When emailing, be aware of personal information held in the email trail, for example the email addresses and names of previous recipients, and delete it if it is not relevant.
  • Ensure that personal data is kept up to date. Always discard out-of-date data.
  • Delete or destroy information about former members.
  • Remember that photos are classed as personal data.
  • Ensure that old programmes containing personal information are destroyed.

Financial information

If your group holds a bank account, please note that bank statements and receipts are legally required to be kept for seven years plus the current year. This financial retention requirement takes precedence over the general rule of not keeping data longer than necessary.

This webpage was published in March 2023