Do we need to provide a privacy statement due to the changes, and does the SU have a sample statement to use?
We would suggest using the following as a basic privacy statement at the point of data collection:
By providing us with this data, you consent to us contacting you in regards to the activities stated. Once the events/activities have passed, your details will be securely destroyed and all communications from then on will be through our secure member database. In order to receive these updates, you must become a member of the society.
With photos for publicity, do we need permission from any person within the photo (past or present members) in order to use them?
You will need consent from any person who is the subject of a photograph – such as when the photo is of a single person, or a team photo where people are identified within the caption. People who are incidental – for example part of a large group and not identified individually, or in the background – do not need to give permission.
The SU system is where a lot of our personal data is held, especially regarding Next of Kin information for trips. This is in a protected area so should be fine - however, we do not have the ability to dispose of this information after it has been used so will the SU’s GDPR compliance changes take care of this?
Yes. The SU system’s record will be set to “expire” and delete all time-sensitive and personal data. You may be asked to specify the period for which data collected (through Ticketing customisation, for example) should be held, or default expiry dates may be set depending on the situation and type of data.
Are we required to ask our members whether they still wish to be contacted by us for regular updates, as I see this is a measure that many other organisations are taking?
This is not necessary for current members, as there is no change to the basis on which you hold their data – it was already compliant with the existing data protection legislation that GDPR updates and remains permissible under both consent and legitimate interests conditions.
When we collect personal data through the Ticketing system all of our Execs have access to the data – is this secure?
It is the individual and collective responsibility of your entire Exec to treat personal data properly and in accordance with GDPR legislation. You must ensure that everyone with access is aware of their obligations to your Members in protecting their personal data.
We use Google Docs for sign-ups and data collection. Is this okay under GDPR?
In this instance Google would be considered a third party data processor, which you would have to declare to your members (or anyone else involved in the process). All Clubs and Societies have licensed access to Office365 through the SU which has Microsoft Forms available for free and secure use – and this can perform the same functions you would use Google Docs for, without any GDPR consequences.
What do we do if we think we have had a data breach?
Immediately contact Jacqui Clements giving full details of what has happened. The SU's Information Security Manager will contact you and help you deal with the incident.
If your question isn't answered by any of the above please email brian.wilson@warwicksu.com and an answer will be found and added to this FAQ.