Exploring the key principles of GDPR
Guiding
Conversations
Exploring the key principles of GDPR • Version 1 (November 2018) © Girlguiding 2018 Registered charity number 306016 1
Introduction
The General Data Protection Regulation, known as GDPR,
came into effect on 25 May 2018. The Regulation has been
incorporated into the Data Protection Act 2018, which has
replaced the UK Data Protection Act 1998. It gives you
more control over how your data is used and how you’re
contacted. It also means that organisations like us, at
Girlguiding, had to make some changes to how we manage
your personal data and, in turn, how you manage girls’ or
volunteers’ data. It affects everyone, from volunteers and
staff at a national level, to all volunteers’ involvement at a
local level.
How to use this Guiding Conversation
As a commissioner, you can use this practical tool to:
Explore your leaders’ understanding of what GDPR is and
how they can embed it within their role.
TellthemwheretheycanndinformationonGDPRand
where to go if they have a question.
Help them identify if there is anything they need to
be doing now to be GDPR compliant and how to go
about this.
This document includes different scenarios related to
GDPR practice, which you can use to start a discussion
at district or division meetings. Simply choose one or
more topics (broken down as the seven principles of
GDPR) most relevant to the volunteers present and use
the talking points (key questions) after each scenario to
getaconversationowing.You’relikelytogetmostout
of these types of conversations if you have them after
volunteers have completed the Keeping Information Safe
online e-learning module. But, this isn’t essential, as the
conversation is more about drawing their attention to the
topic and getting them to think about the part they play
regarding GDPR.
A range of training resources on GDPR and data protection
are available for Girlguiding trainers. So, when coming to
the end of your conversation, think about whether or not it
would be helpful to arrange a follow-up training session on
GDPR and data protection.
The seven GDPR principles
As part of GDPR, there are seven key principles surrounding
the use of personal data to ensure data is collected,
kept and disposed of safely and securely. These are the
core actions we must take to comply with the law. All
Girlguiding volunteers have a responsibility to comply
with these principles by being vigilant, understanding the
policies and following the processes.
Each principle is outlined below, framed through
Girlguiding scenarios and key follow-up questions provided
to start a discussion. Below each principle is a link to
whereyoucanndmoreinformationaboutthistopicon
the Girlguiding GDPR webpages.
We need a lawful basis to collect, hold and use any
personal data. We must let people know what we’re
holding about them and how we plan to use it, as well as if
we’re going to share it and how long we will keep it. GDPR
means that we need to be more ‘transparent’ and give
people more information on how we’re going to use their
personal data. The Privacy notice on the website explains
how we can use personal data for legitimate interests when
a member or volunteer registers with Girlguiding.
The seven GDPR principles
1. Processed lawfully, fairly and in a transparent manner.
2. Collected for specified, explicit and legitimate purposes.
3. Adequate, relevant and limited to what is necessary for the purpose for which it was collected.
4. Accurate and, where necessary, kept up-to-date.
5. Not kept for longer than is necessary.
6. Processed in accordance with the rights of the data subject.
7. Compliant with the data security principles set out in the updated GDPR legislation.
1
Processed lawfully, fairly and in
a transparent manner.
Legitimate interest
Legitimate interest means Girlguiding being able to use
an individual’s personal data for guiding purposes, which
is necessary for their participation within Girlguiding – for
example, texting all parents/carers that a meeting is
cancelled due to a problem with the venue. Legitimate
interest is also relevant to Girlguiding when emailing
members with essential information. For example,
regarding your role, as commissioner, in guiding, such as an
update on Girlguiding policies and procedures, providing
volunteer care and support, managing guiding activities,
and making sure the right care is in place for activities.
Our Privacy notice explains what Girlguiding does with
this information. It tells members and volunteers how we
gather, use, disclose and manage their personal data. Non-
essential use of data requires additional written consent.
Gaining consent for sending marketing information is
managed via the preference centre within GO.
Scenarios
As a volunteer, you have regularly been sending
out e-newsletters to parents/carers, members and
volunteers, which contain information on offers
available to members, information about local events
and other information on what the unit is doing over
the coming weeks.
AND/OR
You have consent to collect and use photos for all
of the girls in your unit, except one, through their
Starting forms. Therefore, when your unit goes on
outings and does activities, you ensure all photos taken
don’t include this girl. The unit will soon be attending
a county event, and you are concerned photos may be
taken that will include this girl. What are your options?
What should you be aware of?
Key questions
Is this OK? If yes, why and what should you be aware of?
If no, why?
In what ways can you use personal data based on
‘legitimate interest’?
What do you do if a parent/carer comes to you and
wants to change the consent for her daughter (for
example, to withdraw photo consent)?
Collectedforspecied,explicitandlegitimatepurposes
and will not be used for any other purpose. This means we
can’t collect members’ or volunteers’ personal information
for one reason, and then use it for something else. When
members and volunteers join Girlguiding, we tell them that
the data they give us is for administration and managing
their membership through our Privacy notice. We can’t use
it for anything else, unless we tell them about this new
purpose. That means no marketing or fundraising emails,
unless they decide to change their opt-in preferences
through their GO account settings.
Consent
We must gather written ‘consent’ for things like trips and
events – for example, to take girls on a residential or a trip
to a local attraction.
We ask for consent to collect and use media content at a
unit level when members and volunteers join Girlguiding.
We must be explicit about how we plan to use the data
– for example, using photos for Girlguiding publicity or
sharing them with news outlets.
Finally, we must have consent to communicate anything
electronically about marketing and fundraising – members
and volunteers control this by setting their preferences on
GO. Marketing refers to things like letting members know
about a discount offer or non-essential event (for example,
Big Gig). We don’t need consent when communicating
in person verbally or for printed communications (for
example, letters/newsletters).
Scenarios
You belong to several unofficial Facebook groups for
guiding where you chat, share details on event and
discount offers related to guiding with members,
parents/carers and other volunteers. You also use
WhatsApp with other leaders and parents/carers to
discuss guiding activities.
Collected for specied, explicit and
legitimate purposes.
2
Links to further information
Privacy notice
AND/OR
You have a great group photo of some of your girls on
a summer camp. You collected permission from all of
them at the time to use the image on a recruitment
leaet. Since then, you’ve received a request from
one of the girls’ parents/carers to no longer use any
images of her.
AND/OR
Your unit is preparing to go on a residential camp
and the venue has asked for a list of all the girls
and volunteers who will be attending. It has also
asked if there are any specific accessibility or dietary
requirements.
Key questions
Is this OK? Do you need to do anything? If yes, why and
what should you be aware of? If no, why?
What other things should you be aware of in terms of
gathering content?
What electronic communications do you currently send
out, which are considered marketing or fundraising and
would therefore require consent?
Links to further information
Privacy notice
Information And Consent For Event/Activity form
FAQs on consent
Adequate, relevant and limited to what
is necessary for the purpose for which it
was collected.
3
We must only collect the minimum amount of personal
information necessary for the reason we require it. This is
why all our forms are carefully designed, so that we only
capture the right data for each situation.
As long as you’re using the right form, it’s easy to comply
with this principle. To make sure you’re using the right
forms, always download them from the website. This is
because they may have been updated since the last time
you used them.
Scenarios
As a Guide leader, you collect and use a generic
activity/event notification and consent form for all
girls at the start of each year to cover all smaller
events, such as visits to the park, for your unit. You
do this as it saves on time and ensures it’s easy to find
and save in one place.
AND/OR
You tend to collect feedback from attendees/
volunteers at events/training events you organise
locally to help identify what went well and what
could be improved. You do this in a variety of ways –
for example, through SurveyMonkey, emails or using
physical forms, sometimes including the collection of
personal data.
Key questions
Is this OK? Do you need to do anything differently? If yes,
why and what should you be aware of? If no, why?
What information is available from Girlguiding for you
on this?
What do you need to be aware of in terms of collecting
personal data?
Link to further information
Handling Personal Data - Collecting Personal Data
Accurate and, where necessary,
kept up-to-date.
4
Any personal data we collect must be checked regularly to
make sure it’s not wrong or out of date. GO is the one and
only place to store personal information about members
and young members. It’s important to update it regularly,
so you should prompt parents/carers at least once a year
to tell you if anything has changed.
Storing data
Personal data ideally should all be stored on GO. If you
must download or print personal data (for example, for
a trip), ensure it’s kept securely. This simply means it’s
kept where it can’t be seen by people who shouldn’t
have access to it – for example, in a lockable cupboard
or closed folder in your bag when you’re travelling. You
need to know where it is at all times – if not, this would be
considered a breach.
Disposing of data
Becauseformsaredesignedforaspecicpurpose,when
thatpurposeisnishedyoumustsecurelydestroytheform
by shredding or tearing it up so that it can’t be put back
togetherandread.Youmustn’tputwholedocumentsinto
your bin, as this isn’t secure.
Disposing of electronic data means ensuring the data has
been erased permanently from anywhere where it exists.
So, be aware of where it might be backed up, such as the
trash folder, your download folder or iCloud.
When must I keep a form/data, and NOT
destroy it?
If there’s an accident or incident at an event or activity,
you must copy the relevant documents (accident/incident
form, health form, risk assessment form, for example)
and send the originals to the Insurance department at
Girlguiding HQ:
insurancesupport@girlguiding.org.uk
YouwillneedtokeepacopyoftheformsuntilGirlguiding
HQconrmsthatthey’vereceivedtheoriginals.Then
destroy your copies.
If there’s a safeguarding allegation, disclosure or concern,
you must send the relevant documents (witness forms,
photographs, handwritten notes, for example) to the
Safeguarding team at Girlguiding HQ immediately.
Scenario
You have a large amount of data you are storing as an
archive to keep a record of your unit (for example of
its 10-year anniversary celebration event). You don’t
currently hold written consent for a lot of this.
Key questions
Is this OK? Do you need to do anything?
If yes, why and what should you be aware of?
If not, why?
What else should you be aware of in terms of
archiving?
AND/OR
During an event you held with your unit last weekend,
one of the girls took a nasty bang to the head and
had to go to hospital. Now that it’s over, you and the
other volunteers are sorting through all of the
paperwork.
Key questions
What paperwork from the event will you keep?
What will you destroy, and when?
How should you destroy personal data?
What information is available from Girlguiding for you
on this?
Links to further information
FAQs including on archiving and storage
Destroying data
Not kept for longer than
is necessary.
5
We can only keep data for as long as we need it. No longer.
Forexample,aconsentformlledinbyaparent/carerfor
an activity doesn’t need to be kept once that activity is
complete because the form has served its purpose.
Retention
We only keep data for as long as we need it. Most
Girlguidingformsareusedforaspecicpurpose,like
parental/carer consent for a trip to the zoo. Once the trip
is over, the document should be destroyed by tearing it up
or putting it through a shredder.
However, there are a few types of data that, by law, we
must keep for longer.
Scenarios
A Brownie slipped and fell on a weekend trip away
and has minor grazing. She had first-aid treatment at
the time and is fine now. As the unit leader, you now
have all the event paperwork, including the completed
incident/accident form.
AND/OR
You have returned from a county event you helped
organise and run on Saturday. The event included
volunteer training, activities for members and a
Girlguiding shop. It was a successful event and there
were no accidents or incidents.
Key questions
What paperwork/data should you keep? For how long
and in what manner?
What paperwork/data should you dispose of? When and
in what manner?
What are the key things to be aware of in terms of
data retention?
Links for further information
Retention And Destroying Data
Processed in accordance with the
rights of the data subject.
6
We all have legal rights, which we can use to limit, restrict
or prevent organisations using our personal data. This
means that if someone acts on one of these rights, we must
have procedures in place to respond.
Rights of the individual
Show me! We all have the right to find out what
information an organisation is holding about us. This is
known as a subject access request or SAR. If someone makes
thisrequest,wehavetoconrmwhatdataweareholding
and using about them and provide copies of the information
we hold about them (subject to a few exceptions) within
30 calendar days. If you receive such a request, contact the
Data Protection team right away and they’ll take care of it.
Update it! It’s important to keep all the data we hold up
to date and correct. We have a legal responsibility to keep
personal data updated and ensure it’s correct.
Delete it! Sometimes, people may want us to delete
their data. If you get a request like this, seek advice from
the Data Protection team. Not all requests are valid –
sometimes, we have to keep data for legal reasons.*
Limit it! Some people may want to restrict how their data
is used. They might be happy to sign up as a member, but
choose to opt in or out of receiving marketing/fundraising
emails at any time. Volunteers can change this whenever
they like through their GO account, but parents/carers and
members will also need to contact Girlguiding HQ.*
Move it! People can also ask to transfer their data
from one organisation to another, but only when certain
conditions apply. If you receive any request like this, you
need to refer it to Girlguiding HQ.*
Scenarios
A parent/carer in your unit asks to see what medical
information we’re holding about her daughter. She
suspects it’s out-of-date. The parent is the named
primary contact on GO for the girl.
AND/OR
A volunteer explains they’d like you to give them the
data Girlguiding has on them and then to delete it from
Girlguiding’s records. They explain that this is their right
and would like this done as soon as possible.
Key questions
What action do you take (if any)?
What information is available from Girlguiding for you
on this?
What might the impact be if you do/don’t take action?
Links to further information
Personal Data Requests procedure
Personal Data Request forms
*These rights have exemptions allowing Girlguiding to refuse the request
if certain circumstances apply.
Compliant with the data security
principles set out in the updated GDPR
legislation.
7
The law states we must keep members’ and volunteers’
information secure while it’s under our control. We must
keep all the data we hold secure. That’s one reason why
we suggest you don’t print out anything unless you really
have to. It applies to all data, including online data
and information you print out. If you lose anything that
contains personal data, whether it’s a phone, laptop or a
printout of your unit’s contact details, report it as soon as
possible because it could lead to a data breach.
Data breaches
From time to time, mistakes can happen. A ‘data breach’
is when personal data has been lost, stolen or shared
inappropriately. It’s important you act quickly. So, if
you identify a possible breach, report it to the Data
Protection team at Girlguiding HQ immediately, but within
a maximum of 48 hours.
If in doubt, report it! Complete a data breach report form
from the GDPR webpages and email it to Girlguiding HQ at
dataprotection@girlguiding.org.uk.Ifyoucan’tnd
the form, email or call the Data Protection team
(020 7834 6242, extension 3060).
Scenarios
You’re a busy leader, and well into your 30-minute
drive home from Rainbows when you remember that
you absent-mindedly left the unit register (with
girls’ names and emergency contact details) in the
church hall in the unit equipment box. You return to
the church to retrieve it and notice that the hall is
now lled with another evening’s community group
meeting.
AND/OR
You have had your bag stolen with your phone in it,
which has the phone numbers for other volunteers.
You have password protected your phone.
Key questions
Is this a breach and do you need to report it?
Is there anything else you should do?
How can you report the breach? And, how quickly do you
have to do it?
Links to further information
Reporting a Data Breach procedure
Remember...
data protection is simple. It’s about taking these small
steps, which are often just common sense. They help
ensure the personal data of all volunteers and members is
kept safe and secure, and handled with care. It’s about all
of us being mindful about what we do with data, who we
share it with and knowing when to ask for help. There is a
lot of information out there, so if you have any questions,
get in touch with Girlguiding HQ.
Top tip
What if you are unsure about how to answer a
question, or an issue raised during a discussion?
Provide a ‘question box’ for participants to use.
This will allow you time to respond accurately and
appropriately to any queries. It could also help you
to identify any training needs for your area.
Further information
The most up-to-date information on GDPR is on the
Girlguiding website, including:
GDPR resources (including policies and procedures
andtheKeepingInformationSafeleaet).
FAQs on GDPR
GDPR trainer resources (including scenarios and
answer sheet).
Keeping Information Safe online e-learning module.
Email your questions to
dataprotection@girlguiding.org.uk