News & Blogs

Working with personal data? Are you ready for GDPR?

Thu 17th May 2018 - News

Abi Cornwall, Development Officer for Learning for Sustainability Scotland, has been working through various guides to get us ready for the upcoming changes to data legislation (GDPR). Here she outlines the main themes of the compliance and asks:

With the deadline for compliance fast approaching, how ready are you? 

As a member network we take your data very seriously and it’s been informative reading up on the process to comply with the new legislation. There is a lot of information out there, and it can be overwhelming so now that we’ve worked through the steps and are putting the finishing touches to our new strategies, we thought it would be useful to share some of our learning to help you through the process.

Disclaimer: This blog post is in no way legal advice. If you require specific legal help, please contact a professional.

What is the GDPR & Do I need to get involved? 

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

If you collect any kind of information from customers or members and store it on a system such as a spreadsheet or in a mailing list, then yes – you have to comply with GDPR. No matter how small your organisation is, or how minimal the data you collect, you are classed as a ‘Data Controller’ and are responsible for the information.

GDPR is about making sure you treat the data you collect from members / customers with respect and care.

What is ‘personal data’? 

Personal data is any information that can make someone identifiable. Email addresses, names, phone numbers, locations & IP addresses all count. Generic email addresses (such as: are not classed as personal data, because they can’t define a specific person – but it falls into the relevant category if additional data (such as date of birth, location, company name, or full name) is collected at the same time.

What are the main steps to complying?

  • First – acquire consent from everybody on your list – ensure you can demonstrate they have granted permission to contact them beyond May 25th. Please note – silence or inactivity does not constitute consent (more info on that point here:
  • Work out a transparency strategy – those who are consenting should have a clear idea of what you plan to send them, and what they give permission for.
  • People are allowed to change their mind about the consent they give – a clear and straightforward process needs to be in place so people can do so.
  • Protect the data you hold – for example – encrypting spreadsheets with passwords and make sure any external hosts comply with the measures.
  • Take full responsibility for any breaches of data privacy and inform individuals.

What happens if I don’t comply?

  • The legislation stipulates that significant financial penalties will be in place for organisations who do not comply. As outlined in this blog from the Scottish Government, fines for breaches could run up to €10-20 million or 2%-4% of turnover, whichever is largest. It’s just not worth it!


There are many great resources out there (including videos on YouTube), but here are a few that we have found particularly useful.

Can we contact you after the 25th May? 

We are no different – as a member organisation, we need your consent to keep in touch with you beyond the deadline. If you’ve already updated your details – thank you. But if you’re yet to do it, please click on this link to update your membership details now.