I looked at the impact of the existing UK Data Protection Act on my club and am happy that my club is compliant, so what is new about GDPR?
You will need to tell people how you will use their data, and what for, at the point you collect it.
For example, for the purposes of clarity BF has introduced the concept of ‘Fencing Data’ (see definition below), which can and will be used for the administration of the sport. We have listed the activities in which the data may be used and the organisations with which it can be shared.
When you become a member of BF, BF will collect certain information about you, which may include your name, date of birth, gender, email address, postal address, telephone number, the names of the BF affiliated clubs you are a member of and details of any coaching or officiating licences you hold (together, ‘Fencing Data’).
In addition to passing data to BF, the use of data by affiliated clubs and bodies is likely to include the following activities, and more:
Training and competition entry
- Share data with club coaches or officials to administer training sessions
- Share data with club team managers to enter events
- Share data with facility providers to manage access to the training venues
- Share data with home country associations, regional associates, county associations and other competition providers for entry in events
Funding and reporting purposes
- Anonymised data shared with a funding partner as a condition of grant funding, e.g. a Local Authority
- Anonymised data analysed to monitor club trends
Membership and club management
- Processing of membership forms and payments
- Share data with committee members to provide information about club activities, membership renewals or invitations to social events
- Publishing of competition results
- Website management
Marketing and communications (where separate consent is provided)
- Sending information about promotions and offers from sponsors
- Sending club newsletter
- Sending information about selling club kit, merchandise or fundraising
All clubs should already have a privacy statement and policy, and will certainly need one now. It sets out, for an individual who is providing you with data, exactly how that data will be used. If the statement is not clear, or you do not manage data in accordance with the policy, you increase the risk of breaching data protection law.
As an affiliated club you may no longer have to notify the Information Commissioner’s Office (ICO) as a data controller; you may already not need to under the current exemptions available to not-for-profit organisations.
You can check here to determine whether your club is currently required to register - https://ico.org.uk/for-organisations/register/self-assessment/
You may still be required to pay a data protection fee, the details of which are currently not available.
Responding to subject access requests
Subject access requests (requests from individual club members for copies of their personal data) will need to be answered within one calendar month rather than the current 40 calendar days. It will also no longer be possible to charge the £10 fee for dealing with a request. Requests are often contentious: individuals usually make them when they have something to complain about. Make sure you keep a log of when each request was received and how and when you responded, so that you can show the deadline was met.
There will be direct obligations on data processors as well as on data controllers. This means that if you use any third party to process data, for example to host your website or membership system, you must have a written contract in place with them. Be aware that such contracts are likely to be offered on the processor’s own terms, drafted in their favour, so check what they actually commit to.
Fines increase significantly
Currently the highest fine the ICO can levy is £500,000. Under the GDPR it will be able to issue fines of up to 20 million euros or 4% of global annual turnover (whichever is higher) for serious breaches, and up to 10 million euros or 2% of global annual turnover (whichever is higher) for less serious ones. These upper limits are obviously designed to make larger commercial organisations comply, but penalties exist for organisations of all sizes. The more members you have and the less robust your processes, the greater the risk.
Consent will be much harder to obtain and rely on. If you rely on consent from individuals to use their personal data in certain ways, for example to send marketing emails, there are additional requirements to comply with. Consent must be specific: if you currently have one opt-in box covering ‘marketing information by email, post and SMS’, under the new regulations email, post and SMS would each need their own opt-in. If you are organising events, make sure you get explicit consent to contact participants about future events. You must also be able to produce evidence of how and when each consent was obtained, so record it alongside the member’s details (what was agreed to, the wording they were shown, the date and the channel).
Retention policies need to be clear. You can’t keep data for longer than is necessary for the purpose for which it was collected, and you must tell people how long you will keep their personal data; you can’t keep it indefinitely. For example, a member may not have renewed for four years. How likely is it that they will return? If the answer is ‘unlikely’, then their core data should be deleted, or their record anonymised, after that time.
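As an added example (not part of the BF guidance), the following Python script applies such a retention rule to a constructed membership file: records lapsed for more than four years are stripped of every identifying field and reduced to the coarse fields needed for the anonymised trend reporting mentioned under ‘Funding and reporting purposes’ above, while everything else is kept as it is. The column names, the four-year window, the age bands and the member records are all assumptions made for the example.

```python
"""Added example: applying a lapsed-member retention rule to a club
membership file.

Records whose last renewal is more than RETENTION_YEARS before the run
date are stripped of every identifying field and reduced to the coarse
fields needed for club trend statistics; everything else is kept as is.
The member data below is constructed for the example and is not real.
"""
import csv
import io
from collections import Counter
from datetime import date

RETENTION_YEARS = 4  # assumed club policy: lapsed for more than four years
EXAMPLE_RUN_DATE = date(2018, 9, 30)  # assumed date the script is run

# Constructed sample membership file (the column names are assumptions).
SAMPLE_CSV = """member_id,name,email,phone,date_of_birth,gender,last_renewed
1001,Alice Example,alice@example.org,07700 900001,1990-05-12,F,2018-09-01
1002,Bob Example,bob@example.org,07700 900002,1975-02-28,M,2013-08-15
1003,Carol Example,carol@example.org,07700 900003,2005-11-30,F,2014-10-01
1004,Dave Example,dave@example.org,07700 900004,2000-06-01,M,2014-09-29
"""

# Fields that identify a person and must not survive anonymisation.
IDENTIFYING_FIELDS = ("member_id", "name", "email", "phone", "date_of_birth")


def years_before(d, years):
    """The calendar date `years` before d (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def age_on(dob, on):
    """Whole years between date of birth dob and the date `on`."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))


def age_band(age):
    """Coarse band so the anonymised record cannot single out a member."""
    if age < 18:
        return "under 18"
    for lower, upper in ((18, 24), (25, 34), (35, 44), (45, 54)):
        if lower <= age <= upper:
            return f"{lower}-{upper}"
    return "55+"


def anonymise(row):
    """Drop every direct identifier; keep only coarse, non-identifying fields."""
    last = date.fromisoformat(row["last_renewed"])
    dob = date.fromisoformat(row["date_of_birth"])
    return {
        "gender": row["gender"],
        "age_band": age_band(age_on(dob, last)),
        "last_renewed_year": last.year,
    }


def apply_retention(csv_text, today, years=RETENTION_YEARS):
    """Split a membership CSV into rows to keep and anonymised rows."""
    cutoff = years_before(today, years)
    retained, anonymised = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_renewed = date.fromisoformat(row["last_renewed"])
        if last_renewed < cutoff:          # lapsed longer than the policy allows
            anonymised.append(anonymise(row))
        else:
            retained.append(row)
    return retained, anonymised


def trend_counts(anonymised):
    """Aggregate counts a club can report without disclosing personal data."""
    return Counter((r["gender"], r["age_band"]) for r in anonymised)


if __name__ == "__main__":
    kept, anon = apply_retention(SAMPLE_CSV, EXAMPLE_RUN_DATE)
    print(f"kept {len(kept)} records, anonymised {len(anon)}")
    for rec in anon:
        # Safety check: no identifying column may leak into the anonymised set.
        assert not any(field in rec for field in IDENTIFYING_FIELDS)
        print(rec)
    print(trend_counts(anon))
```

Run against the sample file on the assumed run date, the script keeps Alice (current member) and Carol (lapsed, but for less than four years) and anonymises Bob and Dave. The anonymised rows keep only gender, an age band and the year of last renewal, which is enough for the trend counts a funding partner might ask for and not enough to identify anyone.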
Privacy by design
If you are planning to put in place a new system or electronic portal, you need to consider whether the service provider you choose has adequate security to protect personal data. BF is currently assessing our systems with the aim of offering clubs improved services where we can assure that security is in place.
You will have only 72 hours from becoming aware of a serious breach in which to report it to the ICO. For example, if a membership secretary holds the membership data on a laptop that is not encrypted and the laptop is stolen, the data is now at risk and the breach would have to be reported. Note that a login password on its own does not protect the files on a stolen laptop: the drive, or the files themselves, must actually be encrypted, and the full-disk encryption built into current operating systems is the simplest way to achieve that. You need to make sure that personal data is held securely, i.e. that electronic documents are encrypted and password protected and that they are backed up regularly. You also need to make sure that your volunteers can recognise when a breach has happened and know what to do and who to tell.
One of the principles of the Data Protection Act 1998 (and of the GDPR) is that you can only process data for the purpose for which it was collected. This means that if you collect an individual’s name and contact details so that they can become a member of your club, you can’t simply pass that information on so that other bodies (e.g. a club sponsor) can contact them for marketing purposes. You also need to tell people when they join your club if you are going to transfer their data, for example to an umbrella organisation.
Privacy or data capture statements
When individuals provide you with their details, make sure you are clear and transparent about why you are collecting them and what you will do with them. This means you need to have the right data capture statements ready to present to individuals at the point they give you their personal details.
Does all this only apply to data that is held digitally, e.g. on a computer, or does it cover paper records?
This may be a good opportunity to review filing systems and to limit the amount of paperwork you have to manage. Personal data collected manually and stored as hard copy in files still has to be managed in accordance with the data protection regulations. As you can imagine, some of the legislation is more difficult to apply to paper copies. Privacy of data is key to the GDPR, and paper documents can get into the wrong hands easily, which is a data breach just as a lost laptop is. Transporting data in any format (including paper) should be treated as a risk to information security. One small slip and it’s too late: an individual leaves sensitive paperwork on a train, a courier loses an archive box full of payment records, a committee member has files stolen from their car. These are all real-world situations in which paper documents get into the wrong hands.
My club keeps its membership records “in the Cloud” (e.g. via shared files on Dropbox or Google Drive, or via a bespoke or commercially available membership system): what should I do about that data?
Data security is key. When storing anything online you need to protect yourself by keeping passwords safe and ensuring that files containing personal data are encrypted. The likes of Dropbox, OneDrive and Google Drive have built-in security measures to protect files while they are stored and while they are being shared, but those measures do nothing against someone who has the account password or a shared link, so use a strong, unique password for the club account, turn on two-step verification where the provider offers it, and check who each shared folder or link has actually been shared with. When using third-party software you need to ask for assurances over the security of the system. For example, ask the provider for an explanation of how data security is managed, or ask whether a Privacy Impact Assessment (under the GDPR, a Data Protection Impact Assessment) has been undertaken.