Running a PTA, parent council, club or community group means holding onto people's information: names, emails, who came to what. This guide explains, in plain English, how to look after it properly and keep your group on the right side of GDPR.

The information you keep

When people join your community, attend events, or buy from your shop, you will have:

  • Names and email addresses
  • Event attendance records
  • Purchase history (tickets, shop orders etc)
  • Any other information people provide: answers to questions you ask at signup or checkout (like dietary or accessibility needs) and volunteer details

You are responsible for using that information fairly and for keeping it private.

If you collect children's information

When a parent signs their child up for an event, any details about the child are collected as part of that parent's booking. There is no separate child record sitting in your account. That keeps things simple: the child's details are stored as part of the parent's booking and handled in the same way as the rest of the information they have provided.

Only ask for information you genuinely need. For example, a name, perhaps an age, an emergency contact, or details of an allergy. Do not collect information unless there is a clear reason for it. Allergies and accessibility needs are health information, so only ask for them when they are necessary.

If a parent asks you to delete their data, the child's details go with it because they are part of the same booking. You remove them together. Nothing extra to track down.

What you can and cannot do

You can:

  • Email members about your events and activities
  • Track who attended and when
  • Send donation receipts
  • Ask for feedback to improve your events
  • Remove or ban members from your community
  • Keep records for as long as you genuinely need them

You cannot:

  • Sell member data
  • Email marketing without asking first
  • Share data with sponsors or partners without permission
  • Keep data forever "just in case"
  • Use people's information for things you did not tell them about

What you need to do

  • Tell people what you are collecting Have a simple privacy notice that explains what you collect and why. Jotterly provides a template for you
  • Only ask for what you need
  • Respond to requests within one calendar month If someone asks to see, correct or delete their data, deal with it promptly. Confirm who they are first (make sure any requests come from the correct email address, and they provide the correct details). The month only starts once you have verified their identity.

When someone asks to see their data

A request arrives

Someone asks to see the information you hold about them

Send them any data you hold on them

Event info, spreadsheets, local files, emails etc

Respond

Within one month

The other requests are simpler:

  • "Delete my data." Remove them from your community, then email us and we will erase their data. We only keep what the law requires (financial records for 6 years).
  • "Stop emailing me." Take them off any mailing lists straight away.

Assign these requests to one person on your team and keep a log.

If someone's unhappy

People have the right to complain to you directly about how you have handled their information. You are expected to make that easy, not send them straight to the regulator.

  • Give them a way in An email address or a short form on your page is plenty.
  • Acknowledge it within one month A quick "we have got this and we are looking into it" is fine.
  • Look into it and reply Deal with it promptly and keep them posted if it takes a little time.
  • Keep a log The same one-person, one-list approach as data requests works well here.

If someone's still unhappy after you have responded, they can take it to the ICO. Most things never need to go further than a friendly reply.

Keeping data safe

  • Only let people who actually need it see member information
  • Do not email passwords or sensitive information unencrypted
  • Use strong passwords, and two-factor authentication where you can
  • Password-protect any member data you download to work on
  • Do not screenshot member info into personal chats
  • Back up anything important
  • Give your team a quick briefing on handling member data carefully

Using other tools and services

Most communities use email tools, payment processors, or other platforms. Make sure they are reputable and have appropriate data protection measures in place. You are responsible for your members' data, even when other services hold it.

If something goes wrong

Sometimes data ends up somewhere it should not: an email sent to the wrong person, a shared folder left open, or a lost phone.

Here's what to do:

  • Contain it Lock down the folder, change the password, delete the image from the chat. Stop it spreading.
  • Judge the risk Could this realistically cause someone harm, embarrassment or distress? A spreadsheet of names and emails seen by one wrong person may be low risk depending on the circumstances. A list of children's details posted publicly is not.
  • If there's a real risk tell the ICO within 72 hours. The Information Commissioner's Office has an online form. You report from the moment you realise, not the moment it happened, so don't sit on it.
  • If the people themselves are at high risk tell them too. Plainly, and quickly, so they can take their own steps.
  • If it involves data held in Jotterly email us. We will help you understand what was affected and what to do next.

Even for the small ones that do not need reporting, jot down what happened and what you did. A short log is enough.

Who's responsible for what

Jotterly provides the platform and securely stores the information collected through it. Your community decides what additional information to ask for, how it will be used, and who can access it. That means you are responsible for making sure you only collect what you need and use it appropriately. Jotterly is responsible for keeping the platform secure and helping you respond to data requests.

Common myths about GDPR

"GDPR means I can't email members"

False. You can email members about events and services they have signed up for.

"I have to delete everything after 1 year"

False. Keep data as long as you genuinely need it. Delete it when it's no longer useful.

"Only big companies need to follow GDPR"

False. Every organisation that processes personal data has GDPR responsibilities.

Common questions

Q: Can I email all my members a newsletter?

A: Only those who've opted in to marketing. Event confirmations and receipts are fine for everyone as part of providing the service.

Q: Where's my community's privacy policy?

A: Jotterly hosts one for you at your community's /privacy page, filled in with your name and support email. You'll find the link in your Contact settings, and it's linked from your community footer and welcome emails.

Quick start checklist

☐ Review the privacy policy Jotterly provides and make sure it reflects how your community handles member data.

☐ Assign one person to handle data requests and responses.

☐ Document where you keep member data and who has access to it.

☐ Create a simple incident log to record any data issues that occur.

☐ Brief your team on handling sensitive information carefully and keeping it private.