GDPR can seem like confusing legislation. However, it is important to make sure your student group committee is aware of how to avoid breaching any GDPR legal requirements and the seriousness of the issues that can arise if you are responsible for any such action. Please review the attached document below this article for everything you need to know about GDPR as a student group.
What is GDPR?
On the 25th of May 2018, strict data protection laws were enforced. This requires the Students’ Union employees and volunteers handling personal data about our members to do so within the law and take particular care of this data. Both the Students’ Union and individuals handling data are subject to significant fines for breaching data protection law and risking member data - as a result, Students’ Union takes data protection incredibly seriously. This means that when collecting registrations of interest as a student group, you must also strictly abide by these laws.
What do I have to Do?
Committee members, representatives, and other student volunteers may handle personal data to administer their activities and services. Students handling such data are required to have completed the data protection and information security training course prior to receiving permission to handle any personal data (including names, addresses, telephone numbers, and email addresses) related to Students’ Union activities and services. Committee members do not have to complete this every year if they are a returning committee member, however it is mandatory for any committee member that is responsible for collecting other students' data and we would advise all committee members to complete it. When handling personal data students are required to follow the guidance set out in the data protection and information security handbook including the reporting of data breaches, respecting the rights of individuals and secure processing procedures.
Details of the training course and handbook can be found at www.upsu.net/privacy.
What are the Penalties for Breaching GDPR
Breaching GDPR could incur serious fines within the £10,000s for both an organisation and any individuals that are found to be at fault.
What to do if your Committee Thinks there has been a Breach
For any GDPR concerns, you must immediately notify the Student Groups Team on firstname.lastname@example.org, making sure to copy in email@example.com. The GDPR requires any actual breaches to be resolved within 72 hours of discovering a data breach. You must do your best to provide any and all relevant information to the case so that any potential issues can be resolved efficiently and swiftly. If you do notify UPSU of a potential breach, it is important that you make sure that you continue to keep in regular contact with the Groups Team and any other relevant staff members until the issue has been fully resolved.
GPDR App at the Freshers' Fayre
It is important to remember that you cannot take down anyone's details in any other format at the Freshers' Fayre than via the specifically designed Data Collection App. This App ensures that all requirements of GDPR are met.
Please make sure you are familiar with how to use this App to gain registration of interest sign-ups before the day you use it. If you have problems you will not be able to use anything else to replace it. Watch this guide on how to use the app here.
Note that if any group is caught attempting to take down paper sign-ups there will be drastic and immediate consequences.