Gain consent

Example - Advertising for new members could include: events, email campaigns, canvassing.

What does this mean for GDPR?
It needs to be clear who you are marketing to and the lawful processing you are using as grounds to contact them. This needs to be evidenced as either:

• consent – they opted-in
• non-digital – physical event/canvassing
• legitimate interest – your use of the data is necessary and is not overridden by their interests or fundamental rights. On balance, it’s more positive for them than negative.

Example - A requirement of being an adult volunteer in Scouting is to keep young people, parents/guardians and other adult volunteers updated. These are updates about weekly meetings, upcoming events and general Scout Group, District, County/Area/Region or Country news.

What does this mean for GDPR?
Communication to the young people, parents/guardians or adult volunteers is essential for the effective operation of a Scout Group, District, County/Area/Region or Country. The GDPR recognises these types of communications and categorises them as necessary to fulfil your role. However, this communication should only be for the purposes of the Scout Group, District, County/Area/Region or Country and not for further advertising, unless the person receiving the communication has specifically opted-in.

In these cases, if you feel the activity warrants consent then this should be clearly presented to the person consenting at the point at which you gather their personal data, or as a separate form for completion, in both cases you need to consider the following, this is known as a privacy notice:

• Is the reason I want the consent, justified?
• Is the consent notice (privacy notice) clear and transparent as to the justification above?
• Do I give clear opt-in check boxes for ticking?
• Can I store the evidence of consent once I have gained it?
• Can I easily remove the consent if requested to do so?

In most cases consent is being asked for from the parent responsible for the Young Person. This is also true when gaining consent for nights away from the parents however this is consent for the attendance of the Young Person and not the on-going use of their data, this is very different.

Where consent is required by a data subject under the age of 18, parental consent must be obtained and cannot be provided by the young person.

As part of local Scouting, photography is common place to record events and publicise activities. As a photograph is considered Personal Data and isn’t really justified via another lawful basis, consent should be used, especially if the photograph is publicised with the individuals name. This consent should be captured at the time the data is collected, such as the attendance form for the event.

The GDPR builds on the 1998 Data Protection Act standard of consent in several areas and contains much more detail:

• keep your consent requests separate from other terms and conditions
• consent requires a positive opt-in. Use opt-in tick boxes or similar active opt-in methods.
• be specific and granular. Allow individuals to consent separately to different types of processing wherever appropriate
• Be clear and concise
• name your Scout Group and any specific third party organisations who will rely on this consent
• list why you want the data and what you will do with it
• keep records of what an individual has consented to, including what you told them, and when and how they consented
• tell individuals they can withdraw consent at any time and how to do this.
• Keep consent under review, and refresh it if anything changes.

You are not required to refresh all existing 1998 Data Protection Act consents in preparation for the GDPR. But if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.