The General Data Protection Regulation (GDPR) is a piece of EU legislation passed by the European Parliament in 2016. It is enforceable in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, the UK has not needed to draw up new legislation – instead, GDPR will apply automatically. Punishing fines for data misuse and breaches are applicable.

The GDPR aims to make it simpler for people to control how companies use their personal details. There were two main factors behind the introduction of GDPR. The biggest one was the EU’s desire to bring data protection law in line with how people’s data is being used, especially considering that firms like Amazon, Google, Twitter and Facebook offer their services for free, for as long as people offer their data to these tech giants. The dangers of granting such vast permissions were well illustrated by the Cambridge Analytica scandal, where 50 million Facebook profiles were harvested to influence the 2016 US election.  Basically, the internet and the cloud allowed organisations to invent numerous methods to use (and abuse) people’s data, and GDPR aims to rectify this. The second driver was the EU’s desire to give organisations more clarity over the legal environment that dictates how they can behave. By making data protection law identical throughout member states, the EU believes this will collectively save companies €2.3 billion annually.

Strict rules mean companies will not be allowed to collect and use personal information without the person’s consent. Data includes things like a person’s name, email address and phone number, and also internet browsing habits collected by website cookies.

Firms must also report any data breaches – including cyber-attacks and accidental leaks – to authorities within 72 hours. Individuals can demand a copy of all data held about them, which must be supplied within 30 days, and in some cases they can ask for any data to be deleted in a formal “right to be forgotten” law.

‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing. It’s the Controller’s responsibility to ensure their Processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If Processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.

Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted. ’Lawful’ generally means as the result of permission having been given.

Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs. Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If a current model for obtaining consent doesn’t meet these new rules, it either has to be brought up to scratch or else stop collecting data under that model when the GDPR applies in 2018.

People can ask for access at “reasonable intervals”, and controllers must generally respond within one month. The GDPR requires that controllers and processors must be transparent about how they collect data, what they do with it, and how they process it and must be clear (using plain language) in explaining these things to people. People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them.  They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.

Individuals also have the right to demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected. This is known as the ‘right to be forgotten’. Under this rule, they can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed. The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.


The ICO helpline for small businesses and charities provided the following advice:

In setting out a policy and procedures, what is important is how the Society intends to use personal data where ’marketing’ is the operative word.

For shareholders in relation to everyday RVCBS matters, we do not need to request an opt-in to continue holding their personal data although we do need to inform them (once only) what personal data we do hold. However, for shareholders and external contacts alike, if we are likely to use any data we hold on them for marketing purposes, which could include future events or fund-raising, we require an opt-in.

We do need to refresh permissions periodically. In view of the simplicity of our activities, we have chosen four years as a reasonable period.


This statement explains how RVCBS (‘The Society’) intends to comply with the EU GDPR Regulation of 2016.

RVCBS holds personal information on individuals in five ways:

  1. An electronic list of RVCBS shareholders containing some or all of name, email address and postal address.
  2. Hard copies of applications for shares containing names, email and postal addresses, and a shareholder register with that information.
  3. The Society’s Treasurer holds password-protected information on people who have made donations or any other payments.
  4. An electronic list held for marketing purposes comprised of shareholders and many other individuals with whom we have had dealings since the Society’s formation in 2011.
  5. Within the Society’s website, a list of email addresses and usually the names of people who have signed up to receive automated news items when they are posted on the website.

Some individuals will be on two or more of these lists.

The purposes of maintaining these lists are:

  • to provide general news relating to RVCBS;
  • to inform of forthcoming events;
  • to seek help or advice;
  • to carry out financial transactions;
  • to raise funds

The information held in these five ways will never be shared with any other organisation or individual without permission.

The RVCBS and, in the case of its website,, are the Controllers. Any board member or person with delegated authority from the RVCBS board may act as a Processor.

Because the Society and its list of contacts are small, the reasons for contact straightforward, and occasions for contact not especially frequent, it will systematically seek permission from individuals whom we might contact for marketing purposes to retain their information once every four years, backed up by reminders if necessary. This process will commence during April/May 2018.

RVCBS aims to respond to all written/emailed requests from individuals about their personal data within seven working days and guarantees to respond within thirty days. It will carry out any deletions without query or delay.

This statement will be a permanent fixture on our website.