Foundation trust membership and GDPR
In the last few weeks, we have received a number of enquiries from foundation trusts concerned about the implications of the new General Data Protection Regulation (GDPR) for their membership databases.
Together with solicitors Mills & Reeve LLP we have put together this briefing note to explain how GDPR applies to membership databases and the action trusts should be taking before GDPR goes live on 25 May 2018.
What should foundation trusts do now?
- Appoint a Data Protection Officer who has the skills, experience and knowledge they will need for their role.
- Ensure that relevant personnel within their organisation understand the trust’s obligations under GDPR.
- Review the data they hold and consider whether they need it and why (and destroy any data they do not need).
- Review their member recruitment process, to ensure that prospective members are given the information required to comply with GDPR, explaining clearly what data will be used for and the legal basis for doing so (which may be different for different data sets).
- Notify existing members of the information the trust holds, the basis on which it is held and the legal justification for holding it.
- Ensure their systems are compliant and secure, including by applying the latest software patches, and that data is kept in a form that permits identification of data subjects for no longer than is necessary.
- Ensure that their contracts with data processors contain the mandatory provisions required by the GDPR.