Frequently Asked Questions

Here are some frequently asked questions about the General Data Protection Regulations (GDPR). 

This will be updated depending on the types of queries Scouting Ireland receives over the coming months.

What information does the GDPR apply to?

The GDPR applies to personal data, which means any information relating to an identifiable person (data subject) who can be directly or indirectly identified. This includes name, address, email, and date of birth. In addition, personal data can be classified as sensitive personal data if it contains further data, such as religion, ethnicity or health data.

What is a data breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just losing personal data. Examples could be an email sent to the wrong recipient or the loss of a paper folder, both with personal data contained within them.

What is a privacy notice?

A privacy notice is information presented to a data subject at the point they are disclosing their personal data to you. This could be through an online or paper form. The concept behind the notice is that it is; - concise, transparent, intelligible and easily accessible, - written in clear and plain language, particularly if addressed to a child, and - free of charge.

When will the forms produced by Scouting Ireland be updated?

Scouting Ireland are currently working through the large number of forms that need to be updated.  Priority is being given to those forms which are used the most including those most relevant to youth members and Scout Groups.  These will be released as soon as ready by the Data Protection Sub-Committee.

What is a data Subject Access Request?

Data Subject Access Requests (SARs) are when a data subject requests the data controller to do something with the data you hold on them.

This could be a request to identify:

- the reason why you have the data and what you are doing with it

- the type of data you hold on them

- the third parties you have disclosed the data to

- the period you will be keeping the data for and why

In addition, they can ask you to:

- delete or modify the data you have on them

- transfer this data to a third party of their choice

In all cases the action they are requesting cannot have a material impact on you fulfilling your obligations to the data subject. For example, you require a number of data points when registering a youth member – e.g. name and date of birth and parental/guardian contact details etc.

How can I find more information on the GDPR?

The ICO website for Northern Ireland or the DPO in the Republic of Ireland website is the best place to find out more information about the GDPR.

What is the Data Protection Officer (DPO)?

The Data Protection Officer is a nominated individual(s) who are the channel between the organisation they work for and the ICO or the DPC.

The role of the DPO is to:

  • inform and advise the organisation and its volunteers about their obligations to comply with the GDPR and other data protection laws,
  • monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train volunteers and staff and conduct internal audits,
  • be the first point of contact for supervisory authorities and for individuals whose data is processed (members, customers etc) these include:
    • Personal Data Breach Reports
    • Subject Access Requests
    • Breach Responses, internally, externally (data subjects) and the DPO.

If you have a question please submit it to