Association‎ > ‎


This page explains how we are affected by the introduction of the European General Data Protection Regulation and what the association is doing to ensure we comply with this.

Please contact if you have any questions or comments on the information provided here.

What is GDPR?

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. The GDPR brings in a much broader definition of personal data from previous legislation, increases the standard of consent needed and the obligations to protect and secure information under our control.

How are we are affected by this?

All organisations are required to have a legal basis for processing personal information and to adhere to the requirements for processing this data. We will need to ensure we have a valid consent from individuals whose data we hold and we have appropriate systems and controls in place to ensure that data is maintained and secured and individuals legal rights are protected.

Scope of personal information currently processed by the association

This section identifies the different ways the association processes personal information.
  • District and general membership records retained for processing subscriptions and membership administration
  • Contact details of individuals published on our website and in the tower directory
  • Numbers club membership records
  • Records maintained for the purposes of training events
  • Information recorded in association with young ringers participation in Surrey Association events
  • Member details published in the annual report
  • Names recorded in books of record for meetings and peals
  • Names and images of members published in our newsletter and on our blog and shared on social media 
  • Information captured by our websites for tracking and analytical purposes
  • Members names and email addresses retained when subscribing to an email group
  • District tower contact lists
--- work in progress, this list will be expanded as we identify sources of data.

Our action plan

It is proposed that the general committee form a working group to understand our obligations and advise the association on changes needed to comply with the regulations.  Further information can be published once this working group has conducted its review.

Links to resources

The full text of the regulations:

CCCBR interim guidance Jan 18 - see below.

Our current website privacy policy is here:

Useful information about GDPR

1. Consent

It is particularly important to understand the definition of consent as this provides the legal basis for the association to use personal information for anything beyond a legitimate interest.  The definition of consent is far stricter than under previous legislation and we cannot rely on any prior consent that does not meet the standards defined in the regulation.

The conditions that make a consent valid are defined in the regulations as "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.".

This article provides a detailed discussion of the definition and obligations relating to consent as a legal basis for processing personal data.

2. Exemption for religious non-profit organisations

Many church websites refer to an exemption relating to membership information held by religious non-profit organisations.  More information is needed to understand exactly what this exemption is and how it applies.

The exemption most likely refers to article 9 which refers to processing of special categories of data which will be prohibited except in specific circumstances.

Article 9 imposes additional responsibilities on organisations that hold "special category" data, which includes a person's religion.This is quite specific - if you hold information about a person's religion, you must use "appropriate safeguards" to ensure the data remains confidential.  However, if you do not hold specific data about a person's religion, then the article does not apply.   Since the Surrey Association does not maintain information about a persons religious beliefs we are not impacted by Article 9 and have no need to rely on the exemption from the prohibition of processing this.

The relevant text of Article 9 is:

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. 

The wording of the exemption is:

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects

3.  Individual rights

The GDPR is designed to strengthen the privacy rights of EU citizens. The Regulation introduces a range of new requirements. The rights to access, erasure, rectification and data portability all need careful consideration, along with the right to object to direct marketing, profiling and processing under legitimate interests.

Individuals also have a right to be informed about the processing of their data. In a move aimed at ending small print in privacy policies, the GDPR clearly stipulates this must be done in a concise, transparent, intelligible and easily accessible manner. It must be written in clear and plain language, particularly if addressed to a child and subject access must be free of charge.

It’s important for organisations to assess what new policies, processes and systems they require to manage these new and revised rights.

4. Data Protection by Design

Under the GDPR (Article 25), we have a general obligation to implement appropriate technical and organisational measures to show that we have considered and integrated data protection into our processing activities.  Our systems need to ensure that we:
  • only keep personal data which is absolutely necessary for the purpose. 
  • delete data that is no longer required.
  • secure data and ensure it is only accessible to those authorised to use it.
  • privacy is the default setting and we do not share data without the explicit consent of the individual.

5. Penalties

Surely it's only big companies that get fined for data protection offences?  Not true the ICO has prosecuted and fined numerous charities and voluntary organisations under the DPA.  

This link makes for sobering reading:

A regulator that is prepared to prosecute Battersea Dogs Home and Great Ormond Street Hospital will certainly fine bell ringers if they need to.

GDPR increases the level of fines the ICO can levy, raises the standards that organisations need to adhere to and gives individuals more rights to ensure their data is protected.

Surrey Bellringers,
2 Feb 2018, 12:12