GDPR and micro small health group

I’ve been asked to look into the implications, if any, of the GDPR regulations and whether these should be applied to a micro local group that supports people with a rare illness.

The group does have an email list to advise of meetings etc. but the list is used for nothing else. The organisers of the group may be approached by any of the members to ask for advice from time to time. No subscriptions are charged and nothing is sold. The list is not disclosed to others.

Does this group need to fully comply with GDPR?
Could just a simple email to all members of the group asking if they wish to come off the list suffice or would this be unnecessary?

Thanks

Comments

  • [Deleted User]
    [Deleted User] Posts: 35,242 Forumite
    The essence of GDPR is that you need to tell your members what data you are collecting and what you do with it. This would normally be done in a privacy policy at the time someone signs up/joins.

    To cover yourself, I would send an email to all members telling them what data you collect, how you use it, who can access it and how they can correct/delete it. Have a look at privacy policies from other websites if you want to make sure you cover it thoroughly.

    If you have a website, stick it on there too and provide it to members as they join.

    You're unlikely to ever get onto the ICO's website but it's good to have something to point to.
  • Pennywise
    Pennywise Posts: 13,468 Forumite
    You also need to "audit" your systems to ensure that the personal data you hold (i.e. their names, addresses, emails etc) is protected and secure, i.e. by passwords and/or encryption if held on computer, or by a locked filing cabinet if anything is held on paper.
  • Undervalued
    Undervalued Posts: 8,843 Forumite
    roytom wrote: »
    I’ve been asked to look into the implications, if any, of the GDPR regulations and whether these should be applied to a micro local group that supports people with a rare illness.

    The group does have an email list to advise of meetings etc. but the list is used for nothing else. The organisers of the group may be approached by any of the members to ask for advice from time to time. No subscriptions are charged and nothing is sold. The list is not disclosed to others.

    Does this group need to fully comply with GDPR?
    Could just a simple email to all members of the group asking if they wish to come off the list suffice or would this be unnecessary?

    Thanks

    Short answer is yes you do.

    An immediate concern that springs to mind relates to giving advice....

    Are any records kept about what advice is requested and given?

    Any records you keep in that respect would clearly contain highly personal and confidential material and certainly need to be handled properly.

    Just not keeping any records would be risky, as there could potentially be a claim against you if somebody felt they had suffered as a result of poor or negligent advice.

    I have seen a small, probably well meaning but frankly badly run charity dig themselves into a big hole in this respect.

    What is the structure of your group? Beware of the potential liabilities you are taking on.
  • Savvy_Sue
    Savvy_Sue Posts: 46,014 Forumite
    The other tricky thing is ensuring data kept is up to date. The way we manage that in our small walking group is to require renewal of membership each year: we tell you what information we hold, you confirm it's right, or you correct it.

    If you don't renew your membership, we don't keep your data any more.
This discussion has been closed.