The GDPR comes into force on 25th May 2018 replacing the Data Protection Act 1998 (DPA).
The purpose of this briefing is to give you a simple overview of the new Regulations and to help you start thinking about what you need to do in order to ensure you are compliant when they come into force.
GDPR applies to all organisations that process data, regardless of size or legal status (e.g. incorporated or unincorporated) or tax status (e.g. charity or CASC). There are no exemptions and clubs should note the fines for getting it wrong are potentially huge.
What does processing data actually mean?
Processing – means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Thus collecting member data, collecting participant data from race entries, and collecting visitor information on an open day all constitute the processing of data.
Personal Data – means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Controller – means the natural or legal person which alone or jointly with others determines the purposes and means of the processing of personal data.
The Information Commissioner’s Office (ICO) website has a specific area for GDPR which we suggest you consult. It is, however, predominantly written with commercial business in mind, so do bear that in mind and don’t be put off by it.
We recognise that complying with the GDPR may seem like a minefield; however, if your club is already complying with the DPA it is likely to be halfway to compliance with the GDPR. And whilst at first glance the GDPR may appear insurmountable, the best way to approach it is in bite-sized chunks.
Whilst the Regulations do not come into force until 25th May 2018, you will be expected to be compliant from that date. We therefore strongly advise that you get underway now.
Start with a data audit to enable you to assess what personal data you hold, where it came from and who you share it with. You will need to document this. This will no doubt take some time but will form the basis of everything else you need to do.
When collecting data you must provide data subjects with the following information, in the form of a Privacy Notice:
- your identity and how you intend to use their data;
- you need to explain your lawful basis for processing data;
- your retention policy and an individual’s right to complain to the ICO if they believe there is a problem with your handling of their data.
It might be helpful to consult the ICO’s Privacy Notices Code of Practice.
Under the GDPR individuals have various rights, such as:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
You need to develop written policies and ensure you can comply with them.
Subject Access Requests (SAR):
These are not new; however, they are being used more and more by disgruntled members, so you must ensure you are able to determine whether an individual has a legitimate right to request the information you hold relating to them. SARs are often used by members subject to disciplinary issues, and as such it will be necessary to balance the confidentiality rights of any witnesses against the individual’s right to make a SAR. We will be producing a separate Guidance Note on complying with SARs in due course.
You will have a month in which to provide the information (currently 40 days under the DPA) and you will no longer be able to charge a £10 fee.
Lawful Basis for Processing Data:
Lawful basis exists under the DPA but it is probably fair to say that many organisations will not have paid much attention to this. However, under the GDPR you need to explain your lawful basis for processing personal data in your privacy notice and when you answer a SAR.
Lawful bases include processing on the basis of:
- legitimate interests of the data controller;
- necessity for the performance of a contract;
- compliance with a legal obligation;
- in order to protect the vital interests of the data subject or of another natural person; and
- necessary for performance of a task carried out in the public interest.
It should not be too difficult to review your processing activities and identify your lawful basis for processing data. Most clubs will no doubt be relying on consent and perhaps legitimate business interest. Once again you will need to document this.
Whilst you perhaps already process data on the basis of consent, you are going to need to overhaul your consents to ensure they comply with the GDPR. Consent must be given freely, be specific, informed and unambiguous. There must be a positive opt-in – it cannot be inferred from inactivity, silence or pre-ticked boxes. Your consents must be separated out from any other terms and conditions. Individuals must be given the right to withdraw their consent and this must be as easy to do as it was to consent in the first place.
Legitimate interests of the data controller:
This can be inferred from the contractual position e.g. when members join your club they sign up to your governing documents (e.g. Constitution / Articles of Association) and in so doing agree to your holding their data (typically name, address, telephone number, email, date of birth) and processing it purely for membership purposes. This may be quite narrow, for example you would be able to use such data for notifying members of club events, boat storage related issues, mooring issues but it probably would not extend to including members’ details in the club handbook/directory – which is likely to require explicit consent.
You will need to set a data retention policy that takes into account the purpose(s) for which the data is kept, whether that purpose has been fulfilled, whether the data needs to be kept for any potential future claims, and how the data will be safely destroyed.
General correspondence between your organisation and a member/customer is only likely to be needed to be kept for a relatively short period (perhaps a few weeks) whereas correspondence relating to a potential claim/disciplinary proceedings may need to be kept for a number of years.
It is extremely important that financial data is never kept for longer than required. For example, if a member pays their membership in full at the beginning of the membership year, any bank account details held for them should be destroyed as soon as the funds have cleared in the club account. If members pay by Direct Debit, their financial information will need to be kept for the term of the Direct Debit arrangement, and in such circumstances it will be necessary to ensure there is security around the retention of this data. Credit/debit card information should be securely disposed of once the card has been processed, e.g. by cross-cut shredding on site.
You will need to make sure you have documented procedures in place to detect, report and investigate data breaches. In certain circumstances some breaches are reportable to the ICO and possibly the individuals themselves (e.g. where a breach is likely to result in a risk to the rights and freedoms of individuals such as discrimination, damage to reputation, financial loss, loss of confidentiality and any other significant economic or social disadvantage).
Data Protection Officer:
Whilst it will not be mandatory for clubs to appoint a Data Protection Officer, it would be prudent to get someone at the club to take ownership of the role. Getting ready for the GDPR is likely to take some time and will require considered thought to develop suitable processes and policies and thereafter ongoing management. Appointing someone or a team of volunteers within your organisation to take ownership of the process is likely to be necessary.
If your organisation operates in more than one EU Member State, you will need to determine your lead supervisory authority (i.e. your main establishment being the location where your central administration in the EU is carried out) and document this.
We are in the process of producing more detailed Guidance which will be published in the next few weeks via Club Room.