Small businesses, charities, clubs and voluntary organisations
Data is only subject to GDPR if it is personal data processed wholly or partly by automated means or, where it is not processed by automated means, if it forms part of a relevant filing system.
What is GDPR?
It stands for General Data Protection Regulation, which is an EU law, adopted in the Isle of Man by an Order under the Data Protection Act 2018.
The Isle of Man had to implement the GDPR into its law so that it can continue to do business with EU countries.
The new data protection provisions are in a set of regulations, the GDPR and LED Implementing Regulations 2018, which set out all the data protection procedures and the powers of the Information Commissioner and which have been in operation since 1 August 2018.
These provisions were previously in the Data Protection Act 2002.
What is processing and filing?
Processing includes any operation (whether or not by automated means), including collecting, recording, organising, structuring, storing or using data.
A filing system includes any structured set of data accessible according to specific criteria.
A charity or club holding data, for example, is likely to be storing data in an organised electronic or non-automated (i.e. handwritten) system and using it to contact its members or other stakeholders. As such, and in the absence of any declaration by a court or a relevant exemption in the legislation, the protection of that data would be subject to the principles of GDPR.
If the small charity or club only keeps hand-written records of personal data, and does not hold or intend to place any records within a 'filing system' then GDPR would not apply.
Data for specific purposes
The GDPR rights and principles mean that the organisation must:
- only collect data for a specific purpose
- keep it secure and up to date
- only hold what is needed for as long as it is needed and
- permit the data subject access to their information on request
Given the small scale of such an organisation's processing, the GDPR requirements are likely to be far less burdensome than those upon an organisation which carries out large-scale processing, since a data audit and information security measures will be easier to carry out and implement.
Data Protection Officer (DPO)
The GDPR makes the appointment of a DPO mandatory for public authorities and bodies, and also for organisations where there is regular and systematic monitoring on a large scale, or where core activities of an organisation consist of large scale processing of special categories of data, or criminal convictions and offences.
If this is not the case for the charity or voluntary organisation, there would not be a requirement to appoint a DPO.
Some organisations may choose to appoint a DPO as a matter of good practice.
Further details and information for small businesses, charities and voluntary organisations can be found on the website of the Information Commissioner.