Each student club and society is responsible for its own compliance with data protection legislation insofar as the personal data it holds and uses is outside the control and responsibility of the College and Students' Union. Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living identifiable individuals ('data subjects') by organisations ('data controllers').

Since 25 May 2018, the main piece of relevant legislation is the General Data Protection Regulation (GDPR) and governs how everyone should handle personal data. GDPR is now in force and you need to ensure you are compliant and are not breaking the law - failure to comply may result in disciplinary action and possible legal action.

The below guidance aims to help Birkbeck Students' Union's Clubs and Societies meet their core obligations with regard to data protection legislation. 

Under the GDPR, data controllers need to pay fees to the ICO. However, most student societies will be exempt from this requirement because they are small not-for-profit organisations (those data controllers that were exempt from registration with the ICO under the Data Protection Act 1998 are similarly exempt from the requirement to pay fees under the GDPR). The exemption from the requirement to pay fees does not mean that student societies are exempt from compliance with the rest of the GDPR.



Personal Data: According to the law, personal data means any information relating to an identified or identifiable individual; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (i.e. forename and surname, date of birth, email etc).





The GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability


In order to manage personal data effectively, you will need to think through:

  • What personal data do you hold - you should not collect or keep more than you need
  • Why you hold personal data
  • How you use personal data
  • Where you store personal data
  • When you might share personal data with third parties



Some of the reasons why you would collet and process personal information includes:

  • Maintaining students' personal details (i.e. name, student number, and preferred contact details), including ensuring effective communications with students
  • Keeping financial records (e.g payment of membership fees)
  • Maintain a formal record of your activities and participation
  • Undertaking research into a Club or Society's activities (e.g. writing up a report on the number of students engaging in events)
  • And managing complaints made to the Club or Society.




Currently at Birkbeck, students may choose to use their personal emails as part of their communications with the College, whilst others choose to opt-in and use their College email account (ending with Nevertheless, you should treat all information the same.


At times, we may request a data audit and to establish what kind of information does your Society hold. 


A committee member should be designated as a Data Controller for the Society. This responsibility should be 


As a Society that administrates people's personal details




Birkbeck Students' Unions does not have a contract with Eventbrite. Eventbrite is not engaged as a data processor on the College's or Students' Union's behalf. As a result, Clubs and Societies are advised to not use Eventbrite as a ticketing system. The Students' Union has its own event ticketing systems that allows for both students and non-students to book tickets through the its own website. 

Unlike most ticketing services and providers, the main benefit that you will have is that the Students' Union's ticketing system does not charge a fee for payments made through our website.You should not need to use Eventbrite at all, and should rely on the Students' Union's ticketing system.

If you do want to use Eventbrite, please emphasis that the Eventbrite is a privately run platform for event booking, and that their data will be processed by Eventbrite, and so they should check Eventbrite's privacy policy separately. Eventbrite will then pass on their data to the Club or Society's Committee and be processed under the Society's own privacy policy.