Horsham District Scouts have a robust data privacy policy, supported by digital tools and processes to ensure we continue to comply with our legal obligations. You can find details of our Privacy Policy and our District Digital Toolkit on our District website https://horshamscouts.com/

Storing documents or holding Scouting emails in personal accounts poses a significant GDPR risk due to unauthorized data transfers outside controlled environments, potentially leading to fines, reputational damage, and legal action.

While we understand this may be convenient, storing emails and data externally can inadvertently expose personal data — such as youth member details, volunteer records, or safeguarding information — to environments outside our control. This poses a risk to both individuals and the organisation.

Here’s a breakdown of the key GDPR risks and implications:

Unauthorized Data Processing
Storing documents or emails containing personal data (e.g. member details, volunteer records, or other scouting contracts) in personal accounts is considered a form of data processing. If done without a lawful basis (like consent or legitimate interest), it violates GDPR principles.

Loss of Data Control
Personal accounts typically lack enterprise-grade security, monitoring, and access controls. This increases the risk of data breaches, unauthorized access, and non-compliance with data retention policies.

Security Vulnerabilities
Data transferred to personal accounts may be exposed to phishing, malware, or third-party access. GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data—personal accounts often fall short.

Breach Notification Obligations
If personal data is compromised due to exporting or auto-forwarding, the organization may be required to notify regulators and affected individuals within 72 hours. This can trigger investigations, fines, and reputational harm.

This can also significantly impact Horsham Scouts' ability to respond to a Subject Access Request (SAR) under GDPR.

Loss of Audit Trail
Once documents or emails are moved to personal accounts, they leave the District's controlled environment. This makes it difficult to track, retrieve, or verify what personal data was accessed or stored — undermining our ability to respond accurately to a SAR.

Incomplete Data Disclosure
If Scouting data is stored in personal folders or email accounts that are not part of the District Digital Toolkit, we may inadvertently omit relevant records when fulfilling a SAR. This could be considered a failure to meet GDPR obligations.

Risk of Unauthorized Disclosure
If the data held in personal accounts contains third-party personal data (e.g. youth members, volunteers), and the personal account is compromised or used for SAR response, you risk disclosing data unlawfully.

Retention and Erasure Conflicts
GDPR requires organizations to manage retention and deletion of personal data. If data is duplicated in personal accounts, it may persist beyond lawful retention periods, making it harder to comply with erasure requests.

If you need help accessing your Scouting email more easily or would like to explore secure alternatives, please don’t hesitate to get in touch.

Directory Listing for Position: Data Lead

Name: Data Lead
Team: District Leadership