Hi Aaron and all,
We have arranged a follow-up session at Space 4 for Wednesday 23rd May, to look at all aspects of GDPR compliance.
This can be in the afternoon or evening depending on which works best for people.
The idea is to do precisely what you suggest as regards website privacy notices: rather than each co-op spending a lot of time and effort developing policies and procedures in isolation, develop a way of sharing the process.
This needs to be ongoing, as the level of confusion over GDPR (they were still making amendments yesterday) means that 25 May will be the beginning of a new phase of Data Protection Legislation rather than a cliff edge.
I have started a Policy Corner on the Cotech Wiki as a place where Co-ops can share their policies. So far I have added three Digital Liberties Policies, including our Contractor Application Form. It means that workers and other contractors have explained to them how their data as employees/freelance contractors will be handled. Actually, strictly speaking it may not be necessary (this is an area covered by contract and legitimate interest), however it creates a record that the individual has had the matter explained to them and should encourage them to take Data Protection seriously.
It would be great if people could publish such things as their privacy notices there for others to copy.
As for your question:
“Can we confirm if we are responsible for confirming that the controller has a legitimate interest when we are processing data? If we process data where the controller falls foul of GDPR and does not have a legitimate interest, are we covered by insurance / law?”
This question needs to be rephrased:
When an organisation claims “legitimate interest” (LI) this needs to be spelt out in the organisation's Data Protection Policy, which should be a policy agreed by the Co-op as a whole. Procedures may be measures which have been devolved to the Data Controller, but these should be written out and available to all co-op members. There is an element of risk here, in that it may turn out that the ICO does not accept the claim, or, indeed, it could be tested in court.
At the moment questions of LI have not been tested, so we are all moving into an unknown future. The ICO has said that in the event of non-compliance, organisations which have a well-developed Data Protection Policy will face less severe sanctions - possibly just a warning - compared to organisations with rudimentary or completely absent policies. I.e. even if the ICO does not accept the argument you present for LI, if they still find it reasonably coherent they will view this as an honest mistake and not impose punitive sanctions.
What is covered by insurance will depend on the insurer - and also whether the organisation actually acts in accordance with the policy. So that is a bit hard to answer.
What will happen over time is that as issues are tested in individual cases, the reality of GDPR will emerge from the misty future as something with much clearer characteristics. Therefore what is important is that people with responsibility for Data Protection will have to regularly check for ICO rulings/court cases etc. for developments and then take any necessary policy reviews to their Co-op management meeting.
We should be clear here that in general it will be the co-op that falls foul of the GDPR, not the controller, and the rule changes spread the burden more evenly amongst all data processors as well as the controller - whom I would regard more as a co-ordinator ensuring the co-op as a whole complies with the GDPR.
I hope these comments are useful and encourage all fellow co-operators with an interest in Data Protection to start working more closely together, whether that means coming to the session at Space 4 on Wednesday 23rd May - in person or online - or participating in ongoing GDPR collaboration through the setting up of a working group.
All the best,
Fabian