Are you ready for next year’s changes? The General Data Protection Regulation (GDPR) is already in force and we are currently in a period of implementation with the deadline for compliance set for 25 May 2018. It may sound like a long way off but there are some key changes that will affect grassroots clubs and need to be addressed.
Does this apply to our club?
The GDPR applies to any data controllers or data processors, so if you collect any personal data in running your club (which you definitely will do if you have any members) then the GDPR will apply to you.
What are the key changes for grassroots clubs?
You will need to give people more information that you need to tell people about how and what you do with their data at the point you collect it.
You no longer have to notify the ICO as a data controller – you may already not need to under the current not-for profit organisation.
Responding to subject access requests
Subject access requests (requests for copies of personal data from individuals) will need to be responded to within one calendar month rather than the current 40 calendar day period. It is also no longer possible to charge £10 for dealing with the request.
There will be direct obligations on data processors as well as on data controllers. This may mean that if you use any third parties to process data, for example hosting your website, then you must have a written contract in place, and these are likely to be negotiated and drafted in favour of your processors.
Fines increase significantly
Currently the highest fine the ICO can levy is £500,000. Under the GDPR they will be able to issue fines up to 20 million euros or 4% of your global annual turnover (whichever is the higher) for serious breaches. The fine could be 10 million euros or 2% of your global annual turnover (whichever is the higher) for less serious breaches.
Consent will be much harder to achieve. If you rely on consent from individuals to use their personal data in certain ways, for example to send marketing emails, then there are additional requirements to comply with.
Retention policies need to be clear. You can’t keep data for longer than is necessary for the purpose for which it was collected. You also need to inform people how long you will keep their personal data and you can’t keep it indefinitely.
Privacy by design
If you are planning on putting in place a new system or electronic portal, then you need to consider whether the service provider you choose has adequate security to protect personal data.
You will only have 72 hours from being aware of a breach to report it to the ICO. Under the Data Protection Act there are no obligations to report breaches.
Some of the common things we advise grassroots clubs on
One of the principles of the Data Protection Act 1998 (and the GDPR), is that you can only process data for the purpose for which it is collected. This means that if you collect a name and contact details of an individual, so that they can become a member of your club, you can’t simply use that information to allow your affiliates to contact them for marketing purposes. You also need to tell people when they join your club if you are going to transfer their data, for example to an umbrella organisation.
Subject access requests
They are often contentious. Individuals only make requests if they have something to complain about. Make sure you keep a log of how and when you respond and that you apply the exemptions from disclosure carefully.
Privacy or data capture statements
When individuals provide you with their details, make sure you are clear and transparent about why you have it and what you will do with their information. This means you need to make sure that you have the right data capture statements to present to individuals when they give you their personal details.
You need to make sure that personal data is held securely, i.e. that electronic documents are encrypted and password protected and that they are backed up on a regular basis. You also need to make sure that your volunteers can identify when a breach has happened and that they know what they should do and who they should talk to.
Top tips to start your journey to GDPR readiness
1. Process – understand the journey that personal data takes through your club. What information do you collect and do you need that information? What do you tell people when you collect it? On what legal basis have you collected it? Where and how do you store that data? What do you do with it? When is it deleted? This will allow you to identify any areas of risk.
2. Awareness – make sure that your volunteers are aware of the GDPR and data protection issues and that they know who to talk to if they receive a subject access request or if there is a breach.
3. Policy – make sure the policies and procedures you have in place help your volunteers deal with data protection issues.
4. Communication – make sure you tell individuals at the point of collection what you will do with their data and when you will delete it.
5. ICO guidance – take a look at the 12 steps to take now and the Getting ready for the GDPR self-assessment tools.
If you have any questions about the GDPR, please call your dedicated legal team on 0845 050 8458 or email [email protected]