General Data Protection Regulation Debate
Lord Brabazon of Tara (Conservative - Excepted Hereditary)
Department for Digital, Culture, Media & Sport
(6 years, 5 months ago)
Lords Chamber
To ask Her Majesty’s Government for what purpose small clubs and charities have to comply with the General Data Protection Regulation, which came into force on 25 May.
My Lords, clubs and charities which handle personal data will need to comply with the general data protection regulation in the Data Protection Act 2018 because people have the right to expect organisations of all sizes to keep their data safe and secure and not to misuse it. Small clubs and charities may also process sensitive personal data, such as medical records or children’s data. It is especially important that this is kept safe and secure and used appropriately. To assist smaller organisations, which may have more limited access to legal resources, the Information Commissioner’s Office has published a range of user-friendly material on the GDPR on its website and set up a dedicated phone line for small businesses and charities.
I am grateful to my noble friend for that reply. He has confirmed that any club, however small, that keeps a record of its membership must register, and not just register but renew and pay up every year. I will not ask my noble friend to give an estimate of the numbers involved, because it must be many thousands and I do not know who on earth is going to keep track of it all. I doubt whether anybody knows the numbers. But can my noble friend tell me what these organisations are doing wrong at the moment? What ill is being done that is going to be cured by making them involve themselves in this process?
My Lords, I am glad that my noble friend realises that it is very important to pay the fee that is required, as agreed by this House last month, in order to fund the ICO. All this is clearly explained on the ICO website under the heading, “The Data Protection Fee: A Guide for Controllers”. As for ills, it is not that any organisation, or even individual, has committed any sin, or that there is an ill to be cured; this is about individual data subjects’ rights. As far as an individual data subject is concerned, if his or her sensitive personal data is misused—for example, by not being kept securely—the damage done to that person or organisation is the same whether it is by a large or a small organisation. That is why the GDPR requires all data controllers, unless they are using it just for personal or household matters, to be clearer with people how their data is going to be used, to process it where it is lawful to do so, and, very importantly, to make sure it is held securely.