General Data Protection Regulation

Preparing for the General Data Protection Regulation (GDPR):

The GDPR is Europe's new framework for data protection laws. It replaces the previous 1995 data protection directive, which current UK law is based upon. The new regulation starts on 25 May 2018 and it has been developed to stop your information being shared or misused without your permission. The Government has confirmed that the UK's decision to leave the European Union will not alter this.

The rules cover the following areas
1 Awareness
2 Information you hold
3 Communicating privacy information
4 Individuals’ rights
5 Subject access requests
6 Lawful basis for processing personal data
7 Consent
8 Children
9 Data breaches
10 Data Protection by Design and Data Protection Impact Assessments
11 Data Protection Officers

1 Awareness
It is necessary to make sure that decision makers and key people in IFEA are aware that the law is changing to the GDPR, and the need to appreciate the impact this is likely to have, and identify areas that could cause compliance problems under the GDPR.
All Committee Members have been briefed on the new Regulation.

2 Information we hold
The personal data we hold, where it came from and who we share it with should be documented. No data other than that provided on the initial registration form, plus any updates to this information, and membership subscription details is held.

3 Communicating privacy information
When personal data is collected it is currently necessary to give people certain information, such as the organisation’s identity and how the information will be used. Under the GDPR there are some additional things we will have to tell people. For example, we also need to explain our lawful basis for processing the data, our data retention periods and that you have a right to complain to the Information Commissioner’s Office (ICO) if you think there is a problem with the way we are handling your data.
IFEA’s constitution and aims are published on the IFEA website, www.ifea.org.uk. Personal date will be held until a member decides to leave the organization, in which case it will be deleted forthwith.
If you wish to complain to ICO they can be contacted at https://ico.org.uk/global/contact-us/

4 Individuals’ rights
The GDPR includes the following rights for individuals:
• the right to be informed;
• the right of access;
• the right to rectification;
• the right to erasure;
• the right to restrict processing;
• the right to data portability;
• the right to object; and
• the right not to be subject to automated decision making including profiling.

Our procedures cover all these above rights, including how we would delete personal data.
In IFEA’s case the only personal data we hold is that which you have provided to us; whose processing is based on your consent.

5 Subject access requests
All members have access to their own membership details. No member can access the details of any other member (excepting the website administrator).

6 Lawful basis for processing personal data
Our lawful basis for our processing activity in the GDPR is the provision by our members of consent to be contacted.
The types of processing activity we carry out are restricted to information about IFEA events, important news/topics related to the examining activity and membership subscription information.

7 Consent
All existing members are being asked to give consent for the holding of their personal data and their preferred method of being contacting. The registration form will be changed to allow new members the same rights.
Consent must be freely given, specific, informed and unambiguous. There is a positive opt-in –consent cannot be inferred from silence, pre-ticked boxes or inactivity. If no positive consent is given members will not be contacted, other than for the provision of membership subscription information.

8 Children
The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
This clause is not relevant to IFEA as all examiners have to be over the minimum age.

9 Data breaches
The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to your rights and freedoms – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to your rights and freedoms, we will also have to notify you directly in most cases.
All members are requested to immediately notify a member of the Committee if they become aware of a breach of their privacy.

10 Data Protection by Design and Data Protection Impact Assessments
It has always been good practice to adopt a ‘privacy by design’ approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
• where a new technology is being deployed;
• where a profiling operation is likely to significantly affect individuals; or
• where there is processing on a large scale of the special categories of data.
It is not felt that any of these situations will affect IFEA but, should this occur, a DPIA will be carried out.

11 Data Protection Officers
We have considered whether we are required to formally designate a Data Protection Officer (DPO). You must designate a DPO if you are:
• a public authority (except for courts acting in their judicial capacity);
• an organisation that carries out the regular and systematic monitoring of individuals on a large scale;
or
• an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions
None of these situations apply to IFEA so no DPO will be designated. Should we fall into one of these categories in the future, a DPO will be designated.