General Data Protection Regulations

On 25th May 2018 the General Data Protection Regulations came into effect, replacing the Data Protection Act. The new regulations are intended to strengthen and unify data protection for all individuals within the European Union, giving citizens and residents control over their personal data.

SGWS takes your privacy seriously and never shares data with anyone outside Safety Groups UK. SGWS uses four main systems to manage members' information: email, email list management software, CRM software and accounts software. We have completed a privacy impact assessment to identify the personal data we hold. Since 2010 we have used opt-in email software to ensure that everyone we contact has given consent and can opt out at any time. As a paid-up member of the group, or as someone involved in the health & safety community, we consider you to have a legitimate interest in the group's activities. Under the General Data Protection Regulations, you have the right to ask for the data we hold and the right to be forgotten. This can be done by contacting the secretary.

Data Processor or Controller

We are a data controller, meaning we determine the purposes and means of the processing of personal data, such as name and email address for the purposes of sending information about meetings and membership renewal.

To comply with the General Data Protection Regulations, we have used the following six principles to guide our handling of personal data:

  1. Lawfulness, fairness and transparency

Lawful: processing must meet the tests described in GDPR [article 5, clause 1(a)]. Fair: what is processed must match how it has been described. Transparent: tell the data subject what processing will be done.

  • We process personal data we collect in a fair, lawful and transparent manner, and in accordance with individuals' rights.

  2. Purpose limitations

Personal data can only be obtained for “specified, explicit and legitimate purposes” [article 5, clause 1(b)]. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.

  • We will only collect personal data for specified, explicit and legitimate purposes. Data we collect will not be used for any purpose other than those you, as the data subject(s), have been made aware of.

  3. Data minimisation

Data collected on a subject should be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" [article 5, clause 1(c)]. In other words, no more than the minimum amount of data needed for the specific processing should be kept.

  • We will only collect personal data that is needed, adequate and relevant for the specific purpose.

  4. Accuracy

Data must be "accurate and where necessary kept up to date" [article 5, clause 1(d)]. Data holders should build rectification processes into their data management and archiving activities for subject data.

  • We will ensure that the personal data we collect is accurate, correct and kept up to date. You are responsible for ensuring that the data we hold is accurate and kept up to date, by notifying us of changes or by using the tools provided to update it yourself (e.g. your email address in meeting notifications).

  5. Storage limitations

The regulator expects personal data to be "kept in a form which permits identification of data subjects for no longer than necessary" [article 5, clause 1(e)]. Data that is no longer required should be removed.

  • We will only keep the personal data we collect for as long as it is needed, and you have the right to request that your individual data is permanently deleted.

  6. Integrity and confidentiality

The regulation requires processors to handle data "in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage" [article 5, clause 1(f)].

  • We will process all personal data we collect in a manner that protects it against unwanted modification, disclosure or unlawful processing.
  • We will use a risk-based approach to ensure our systems have the appropriate technical and organisational controls to safeguard the integrity and confidentiality of the personal data you give us.

You can view our privacy notice here.