General Data Protection Regulation (GDPR) and RCEM

On May 25th 2018, there are some new laws coming into place surrounding the way we capture and process your personal data. These laws will form the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and will replace the existing Data Protection Act 1998.

What is the Data Protection Act 1998?

As a College, RCEM collects a lot of different data from you as an individual, from your training posts and associated data to your address information for journal mailings and subscription information.

The Data Protection Act 1998 sets out how any personal data should be processed by RCEM (the data controller). Personal data is defined by the Information Commissioner’s Office (ICO) as “data which relate to a living individual who can be identified –

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”

RCEM currently processes all data in adherence with the Data Protection Act 1998. The data that we collect from you is necessary to maintain your membership, examinations and training records, and to provide you with relevant information about events, services and other activities at RCEM.

We also have certain legal obligations to keep your data safe and secure. We do not provide the data to third parties unless you have given us permission to do so, or if there is a legal or statutory requirement to do so. If you wish, you can request a copy of the information that we hold on you (also known as a Subject Access Request). This request will be free of charge after 25th May 2018

What will change with GDPR?

The General Data Protection Regulation (GDPR) will come into force on 25th May 2018, and this will replace the current Data Protection Act 1998. There is also a Data Protection Bill being considered by Parliament currently. This will result in a new Data Protection Act replacing the Data Protection Act (1998) and will add clarity on how the UK will apply statutory controls to areas of the GDPR where Member States have been given some flexibility i.e. the derogations. As and when the UK leaves the EU the new Data Protection Act would replace the GDPR.

The current principles of the Data Protection Act will still apply, but there are a number of additional components that are a better fit for the current digital age and allow individuals better control over their own data.

RCEM have been working over the past 12 months to ensure that we will be GDPR compliant by the deadline. There are additional policies and procedures that have been put in place to ensure that our systems adhere to the greater transparency that will apply surrounding consent, subject access requests, and the security and retention of personal data.

We have also undergone ISO9001 registration throughout the College, to give us assurance that all our internal policies are appropriate and fit for purpose before the new legislation becomes enforceable.

How will this affect me?

Your data will be handled in accordance with the Data Protection Act 1998 before 25th May 2018, and after then it will be handed in line with the requirements of GDPR and the new Act once the UK leaves the EU.

You may notice some changes in our online application forms and the terms and conditions that we use to process your data. Please take some time to read these through thoroughly, as it is very important that you understand how your data is processed and maintained by the College.

The personal data that we collect from you is related to and in most cases necessary to maintain your College record, e.g. information around event or exam registrations or maintaining your membership with the College.

In accordance with the new regulations , we may on occasions need to get your explicit consent to use your data, for example to pass the information on to a new third party. If this is the case, we will contact you directly, and you will need to opt-in to have that information sent. Information will not be passed on without your specific permission.

If you would likea copy of your personal data that the College holds, you should send a request in writing to our nominated Data Protection Officer (details below). One effect of the new regulations is that the timeframe for our response will be reduced from 40 days to 30 days, this information will also be supplied free of charge after 25th May 2018.

Where can I get more information?

If you would like more general information on GDPR, please take a look at the Information Commissioner’s Office website here.

For more specific information regarding data and GDPR at RCEM, please contact Jenny Dyer (jenny.dyer@rcem.ac.uk) who is our nominated Data Protection Officer.