What is GDPR?
General Data Protection Regulation (GDPR) is the new European law that took effect across the UK on 25 May 2018. The legislation affects anyone living inside the EU and any organisation that holds the data of EU residents.
DPR replaces the Data Protection Act 1998 (DPA). GDPR is designed to strengthen the DPA and to give EU citizens more control over how organisations use their data – with large fines introduced for organisations that do not comply.
Does that include LBBFC?
Any club or organisation that collects/holds the data (digital or physical) of any EU residents is expected to comply and we could receive a hefty fine for failing to do so.
Should we be concerned?
Hopefully not but our Committee, Coaches and administrators must be careful about how we collect, store and process data about our club members. This is an area we should already be vigilant with but now requires extra scrutiny to ensure compliance.
Key rights from GDPR
- Right to be informed: Members can ask about personal data, how it is used, and why it is being used at any time.
- Right of access: Members can request a copy of personal information LBBFC hold about them at any time.
- Right of rectification: Members can update (or request updates to) personal information at any time.
- Right of erasure: Members may request that LBBFC erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Right to object: Members can request that LBBFC cease to process their data based on legitimate interest or for direct marketing.
How are these rights likely to affect LBBFC members?
If we:
- Collect member’s data on paper forms?
- Share member’s data digitally with other volunteers at the club?
- Store digital data in multiple places?
- Have digital documents with member’s data that isn’t password protected and encrypted?
- Do we need to download data from a central database to transfer to another product? For example for sending emails en mass via mailchimp/campaign monitor/similar?
What should we consider?
Consent/legal basis
For any member data held by LBBFC the member will need to confirm that we have a legal basis to use their data for this purpose. This legal basis will often be based on consent:
i.e. “the individual has given clear consent for you to process their personal data for a specific purpose.”
LBBFC will make the purpose clear to the member at the point of collection. Whilst consent is often best practice, LBBFC are able to store and process member’s data for a legitimate compliance and legal basis:
Legal obligation
“the processing is necessary for LBBFC to comply with the law (not including contractual obligations).”
More information on establishing a legal basis available from the ICO website.
Other data
Any data that LBBFC hold on our members is subject to GDPR. This includes any spreadsheets, surveys, forms and any other documents, paper or digital, that may contain data about your members.
It is recommended that we destroying any of this information that is not absolutely necessary. But where LBBFC do continue to hold/collect it is important to consider and follow the guidelines:
Data storage
- Only collect and store the minimum amount of information required.
- Make sure all information is up to date.
- Members need to be informed we will hold data for 3 years.
- Review the security of data – consider encryption for any digitally held documents.
- Limit the use of personal data – particularly where it is not held in a central, secure system.
- Avoid storing data in multiple products/services).
Data breaches
- All data should be held securely, digital documents need to be password protected and encrypted and backed up.
- We need to be able to identify when a breach has occurred and this will need to be reported to your data protection authority within 72 hours of becoming aware of it.
Useful Free Resources
Information Commisioners Office (ICO)
“The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.”