Step 2: Who is responsible for what?
Scout Groups, Districts and Counties/Areas/Regions (Scotland) (each known as a ‘Scout Unit’) are separate charities, as is the Scouts UK Headquarters (‘UK HQ’), which is a national charity. Each is accountable for its own compliance with the GDPR.
Responsibility for compliance with the GDPR rests with the respective Trustee Boards, and UK HQ intends to signpost appropriate resources to support local Scout Units in fulfilling that responsibility.
Each adult member and associate member must also ensure that they comply with data protection law when handling any personal data.
Data Controllers
A Data Controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. This will be the local Scout Unit, with accountability sitting with the Trustee Board.
With regard to personal data stored on the Adult Membership System, UK HQ and the Scout Units are independent Data Controllers. Independent Data Controllers may each use and access a shared database but each remains responsible for the personal data within its own control and capacity.
Accordingly, Scout Units remain responsible for ensuring that their handling of personal data locally complies with the GDPR and Policy, Organisation & Rules (POR) (which includes uploading and maintaining such data on the Adult Membership System). UK HQ remains responsible for ensuring that its handling of personal data nationally also complies with the GDPR and POR (including its particular responsibilities for data held on the Adult Membership System).
Data Processors
A Data Processor is defined as a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
This means that any service provider or third party that has access to personal data and processes it on behalf of the Data Controller is a Data Processor. This Data Processor could also be a third-party system used for data storage, such as an online youth membership system.
In summary, a Data Processor is responsible for processing personal data on behalf of a Data Controller, but the Data Controller determines the reasons for the processing.