What information or experience can anyone advise on GDPR data record keeping about visitors' information at events?
It’s interesting to hear you’re looking to collect data about visitors. What kind of info are you hoping to record?
We can’t provide legal advice here, but we can share some experience.
But the specifics really depend on the answers to questions like these:
- What kind of data do you want to collect from/about visitors?
- How do you intend to collect, store & manage this data? (And who will have access to it?)
- How do you intend to use this data?
How would you answer those?
P.s. I moved this discussion to the Community Repair category as it fits here better than the Repair Data category
Hi, how are you today?
Here are the answers:
What kind of data do you want to collect from/about visitors?
We record the visitor's name, email and mobile in case there's follow-up needed on the repair.
How do you intend to collect, store & manage this data? (And who will have access to it?)
We collect the visitor's name, email and mobile on a registration sheet.
The sheets are stored for recording the waste data on the restarters.net web page.
Only 2 organisers access the information.
How do you intend to use this data?
We may follow up if needed on the repair
and advise them about the next event.
So in our view this means any similar repair cafe event will be subject to GDPR regulations.
What is your opinion?
Market Harborough Fixers
Any update on the GDPR conclusion I came to, please? We are quite concerned that we and other repair cafe events are not contravening the regulations.
Just to confirm & expand what James said…
Firstly, I Am Not a Lawyer, but I have done work professionally on IT systems which were designed to be GDPR compliant and I have talked to a lawyer about them.
If you want a legal opinion that will stand up in court, consult a lawyer.
OK, bearing that in mind, here’s my opinion, given in a personal capacity.
- You are storing & processing personally identifiable information (“PII”) so you are subject to GDPR (well, specifically the Data Protection Act 2018 (“DPA”) which incorporates the GDPR into UK law).
- The people whose data you are storing & processing need to give “informed consent”.
In other words you have to explain exactly what you’re going to do with their data before they hand it over.
Typically this means having a box which they tick to agree, probably referring them to a separate sheet with all the details of your data storage & processing policy on it or a link to a web page with all the details.
- Do not put any PII into the Fixometer data as that data is shared openly: this includes, for instance, any links to photos with identifiable faces on them as well as the more obvious names & contact details.
- You need to allow people to see what data you have stored about them (“Subject Access Request”).
- You need to remove that data on request (“Right to be Forgotten”).
All of the above needs to be written down in your data storage & processing policy, including the contact details of your “Data Protection Officer” (the person responsible for enforcing the policy).
This isn’t as onerous as it sounds & many organisations have done it all without too much effort. There are some templates around on the web so you don’t have to do all the work yourselves. @james do Restart have anything that could help here?
Re your email today:
That’s clear and understandable.
We’ll take that on board and make sure we comply with GDPR when needed.
Best regards,
Market Harborough Fixers
Hi Steve, apologies for the slow response! And thanks Dave for that - pretty much exactly what I would have said too.
As Dave said, we can’t offer legal advice here but it’s great that you’re looking for guidance around GDPR; it is important to make sure you’re handling people’s personal data in a responsible and considered way.
There are 6 +1 core principles outlined in the regulation that you should consider when collecting and handling people’s personal data:
1. Personal information shall be processed lawfully, fairly and in a transparent manner
2. Personal information shall be collected for specified, explicit and legitimate purposes
Make sure people know what you will use their data for. It’s helpful to make this as simple and clear as possible (e.g. ‘We’ll send you the latest news and upcoming parties once a month’)
3. Personal information shall be adequate, relevant, and limited to what is necessary
Only collect the data you absolutely need (and no more) - e.g. an email address is probably ok for your purposes, but date of birth probably isn’t.
4. Personal information shall be accurate and, where necessary, kept up-to-date
5. Personal information shall be retained only for as long as necessary
Don’t keep personal data indefinitely - get rid of it when you don’t need it any more.
6. Personal information shall be processed in an appropriate manner to maintain security
Keep it safe! Make sure no one can access the data who shouldn’t be able to.
+1. Accountability and liability
If someone asks you what data you have about them, you need to make sure that you can tell them, get rid of it if they ask and prove you have done so.
A good search around the internet should yield more detailed guidance too.
As I mentioned, this isn’t legal advice, just some things we’ve learnt from our own experience
Hope it helps!