So, I expect a flood on this topic, if needed pls move the post. I thought posting here is better than emailing foundation as this might interest others.

We use Google services in cloud and Mailchimp. We can delete all data in Google services, Mailchimp will sort out their services before the deadline. We can easily remove data and save data anyone requests as a .pdf or .jpeg and send it to them.

PROBLEM: You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it. I do not understand.

We do not communicate with children other than in class so we do not need to verify their age. Am I right?

PROBLEM: Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. I believe Google and Mailchimp would notify us. Am I right?

PROBLEM: Data Protection by Design and Data Protection Impact Assessments
You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation. Any fast track way to do this? Tbh haven’t looked it up yet.

Do we need Data protection Officers?

What does keeping data secure mean? Is password protected access in cloud enough? We often change passwords, mostly due to forgetting current one by yours truly
We use gmail. The only completely secure email service is Proton mail, should we all use it?

I see in Changes and Preparations doc that tick boxes should not be used. I use mailchimp and they have it in such manner. Is this not acceptable then?
Pls see our newsletter sign up for example, you do not need to actually sign up. Can I use this?

http://eepurl.com/baOTvP

PROBLEM: You now have a mandatory obligation to notify the supervisory authority of a breach within 72 hours if you are a data controller and to notify individuals of this breach in certain circumstances. If you are a processor you only have to notify the relevant data controller WHO DO WE NOTIFY?

Transfers to countries outside the EEA continues to be very restricted but the GDPR does provide new mechanisms for approved certification schemes. We use services based outside of the EU. Is this going to be a problem?

The GDPR provides new wide ranging powers to the relevant supervisory authority including fines up to €20m or 4% of worldwide turnover. Right, so we could be fined. Who exactly would be fined, because I expect all volunteers to vanish f it applies to them. Myself included. I hope this would not be the case, but…

Thank you sooo much for sending the info. Overall feel is that everyone is panicking, so I joined in.