We provide fun, challenge and adventure to
over 400,000 girls and boys across the UK
a a a  A A
Member resources

GDPR Step 3: Appointing a data protection lead

Version 1, September 2018

Data protection can be complicated and does require some knowledge of the subject. It is advisable that the responsibility for leading the organisations data protection stance is an individual that can act as a data protection lead.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) require several specific provisions to be in place for an organisation, which consider proactive and reactive data protection practices.

To assist an organisation in handling the responsibility for guidance and advice, emphasis has been placed on the Data Protection Officer (DPO) role. In some cases, this role is mandated by the Information Commissioner’s Office (ICO). This is when the data gathered and processed is sensitive in nature (special category) and ‘large scale’. Large scale is not defined but its implied to be more than 50% of the total data held. For local Scout Groups, Districts, Counties/Areas/Regions (Scotland) or Countries the consideration is the data gathered and processed for young people and more specifically the data for ethnicity, medical conditions and any disabilities.

If the requirement for a DPO does not apply, it is still advisable to align the proactive and reactive duties of the role to a data protection lead, either an internal or external resource:

Proactive

The proactive duties that should align to the GDPR and DPA 2018 legislation include:
• Keeping updated on data privacy legislation and any changes
• Informing the organisation and staff of updates to data privacy legislation
• Assessing risk for any significant projects/changes that may require Data Privacy Impact Assessments (DPIA)


Reactive

The data protection lead has a requirement to be available in a reactive capacity for situations such as:
• A breach incident, where a breach has occurred and needs to be assessed, managed and reported upon, including reporting to the ICO
• Subject Access Request (SAR), where a request has been received from a data subject to do something with the data you hold on them (disclose, delete, rectify, etc)

It is advisable that the individual who takes on the role;
• Be up to date with the GDPR and DPA 2018
• Be able to communicate with the organisation at the highest level
• Be independent and impartial with no conflict of interests with the organisation
• Have a good understanding of the organisations data processing activities

Due to the diverse skillset throughout the volunteer structure, it is advisable to look within the local Scout Groups, Districts, County’s/Areas/Regions (Scotland) for anybody that can fulfil this role.
 
The legislation allows organisations to outsource the role to an external provider. With a shortage of individuals trained to handle the responsibilities, outsourcing these tasks and duties can help your Group, District, County/Area/Region (Scotland) to address the compliance demands of the GDPR and DPA 2018 while staying focused on the delivery of Scouting.

The Scouts UK headquarters have engaged the services of Black Penny Consulting to act as Data Protection Officer.

To assist local Scout Groups, Districts, Counties/Areas/Regions (Scotland), Black Penny Consulting have constructed a Data Protection Support Service that offers DPO backed service desk. Local Scout Groups will benefit from:
• Online GDPR framework tooling
• Cost effective way to procure a Data Protection Officer backed support service
• Access to independent expertise and advice with cross sector experience
• No conflict of interest between a Data Protection Officer and the organisation
• Best practice guidance aligned to the GDPR and DPA 2018
• 24 hour response for data breach guidance

Further details on the service can be found here.

 

CEOP
© Copyright The Scout Association 2019. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW