
Buttle paperwork
General Data Protection Regulation (GDPR) Introduction.

On Friday 25th May 2018, the EU's General Data Protection Regulation (GDPR) came into effect. All affected countries have been liaising on this, and the UK's supervisory authority and source of guidance is the Information Commissioner's Office (ICO). Here are two links where more guidance can be found:

What data do we currently store?

We currently store the following (not exhaustive) categories of data.

Types of user.

There are two types of user:

Note that in many cases the controller will also be the processor, and processing can be outsourced, e.g. when we have "Independence News" printed and mailed, or when we run electronic voting.

Documenting our data.

Going forward, we are required to document what data we hold, how we process it, and under what legal basis that processing occurs. We will need to share this with the data subjects in some form (privacy statement?). There are 6 lawful bases on which we can hold data for processing, and all are equally valid, provided they apply to the usage concerned; no one basis is more important than another. For example:

| Data Item | Lawful Basis for Processing | Comment |
|---|---|---|
| Date of joining | Legitimate Interests | Members expect us to handle renewals etc. |
| Donations this quarter | Legal Obligation | Reporting requirements under law. |
| Twitter handle | Consent | We have explicit agreement that the data can be used, e.g. for vetting candidates. |

Special Categories 1: Children.

Children under 13 (need to check: the default is 16 if the local country doesn't designate an age) need parental consent for us to process their data.

Special Categories 2: Sensitive data.

Some examples are given above. Note that in addition to having a lawful basis for processing under Article 6, we will also need an additional condition under Article 9. The possibly relevant ones are listed here:

Special Categories 3: Candidate vetting.

In addition to having a lawful basis for storing criminal conviction data, we probably need to comply with Article 10:

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Sending data outside the EU.

If we use, say, Simply Voting, which is based in Canada and therefore outside the EU, or maintain an Overseas Regional Organiser based abroad, we will need consent.

Consent.

Where consent is required, e.g. as above, it must be informed, aided by a "privacy notice", and cannot be catch-all, opt-out by default, or "uncheck the box if you disagree".

Here are some of the items we need to take into account:

This will have a significant impact on paper-based and electronic membership forms. It also affects overseas members whose data is shared with a Regional Organiser outside the UK.

What rights are conferred?

People whose data we store and process (electronically or on paper) will now have the following rights:

In particular, once consent is withdrawn, we will need to delete the consent-based data, and we should not hold data longer than necessary.

Passing on changes?

UKIP central is obliged to pass corrected data on down the chain, e.g. to Regional Organisers, branches etc.

What if we screw up?

Data breaches need to be notified, both to the regulatory authority and, in some cases, to the individuals affected.

Failing to notify a breach when required to do so can result in a significant fine of up to 10 million Euros or 2 per cent of global turnover.