Data protection law has been around since 1984. Personal data is more valuable and important than ever. A major update of data protection law - the new General Data Protection Regulation (GDPR) - came in to force on 25 May 2018.
It’s a very good moment for all Fairtrade groups to review how they collect and use data to ensure people’s personal information is handled correctly, and your group’s activities are compliant with new legislation.
The Regulation gives people more control over how their personal information is collected, used, and protected. It also places greater expectations on all organisations to demonstrate how they manage personal data, and to be more transparent with people about why and how their data is handled.
Fairtrade Steering Groups are legally independent and autonomous from the Foundation, and receive an award (Fairtrade status) from the Foundation after meeting the set goals. There is great diversity in the structure and ways of working of steering groups, from one or two very committed individuals who maintain Fairtrade status for their church or school, to formally constituted networks with dozens of individual and organisational memberships, and all manner of voluntary groups with mailing lists from dozens to thousands of individual contacts. For these reasons we don’t prescribe data or privacy policies for Fairtrade Groups, and it is the responsibility of each group to manage data it holds in a responsible and legal manner appropriate to the scale and nature of their activities.
Whilst this isn’t legal advice, we recommend considering these main principles of the new GDPR in the context of how your group use personal data:
- Consent. Individuals must give unambiguous and informed consent for you to use their data for electronic direct marketing e.g. sending emails and SMS messages promoting your events or sending e-newsletters. Only hold, and use personal contact information where you know that people have given you consent to contact them. Review all the ways you gather personal data and be sure you can show consent was clearly given at the point people give it to you (or sign up online/at an event).
- Transparency and information. In addition to getting opt-in consent for marketing activities, be clear with people why you are collecting their data and what you will do with it, at the point people give it to you. Aim not to surprise people.
- Changing preferences. It needs to be clear and easy for people to change their preferences on how you use their information, and have a simple and clear process for doing that, which includes no longer contacting them (i.e. maintain supression lists of those who opt-out (object) to direct marketing) and/or requests to delete their data completely.
- Security. Personal data should be stored securely and robustly – so that data is safe, and is updated correctly and comprehensively when changes happen. In a small voluntary group, a good way to manage this is to nominate one person responsible for maintaining a comprehensive mailing and contact list who ensures it is up to date, reflects the most recent updates to individual preferences (e.g. unsubscribe requests) and is password protected.
This isn't legal advice, but are intended as a guide to the key areas to think about to ensure you are GDPR compliant. If you have any concerns or questions about data protection and your Fairtrade Group’s activities, please don’t hesitate to get in touch.
The Information Commissioner’s Office (ICO) answer FAQs on GDPR here. Note that this is aimed towards larger organisations than most Fairtrade Town Steering Groups so not all the steps and advice will apply.
For more details on how the Fairtrade Foundation uses your data, see our privacy notice.