GDPR imposed new rules around data protection from 25th May 2018 for any organisation that collects and uses data about EU residents, and this includes the information your Supporters' Trust or Community Owned Club collects from its members.
The regulation changes the way that we handle, use and store data about our members and the people we engage with.
The Government has confirmed that the UK’s decision to leave the EU will not affect the implementation of GDPR.
- Six privacy principles
- Personal data
- Sensitive data
- What are the FSA & our members obligations as data holders?
- What are the benefits for members of these changes?
Six privacy principles
To comply with GDPR, organisations will have to meet six privacy principles:
- Personal data must be processed lawfully, fairly and in a transparent manner
- Personal data must only be collected for “specified, explicit and legitimate purposes”
- Data collected must be adequate, relevant and limited to what is necessary for the purposes for which it is processed
- Personal data must be accurate and, where necessary, kept up to date
- Personal data must not be kept longer than is necessary for those purposes, and should be deleted once it is no longer required
- Personal data must be held securely, protected against unauthorised access, loss or damage
Personal data is defined as any information relating to an individual who can be identified from it, either directly or indirectly, on its own or in combination with other information. This includes information such as:
- Telephone Number
- Email address
- Date of birth
- Location data
- Online identifier e.g. IP addresses or cookies
The GDPR defines 'sensitive personal data' (known in the regulation as 'special category data') as data which reveals an individual's:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade Union membership
- Genetic data, and biometric data where it is processed to uniquely identify an individual
- Health details
- Sex life or sexual orientation
Under the GDPR, organisations are prohibited from processing sensitive data unless the individual gives the data holder his or her explicit permission, or processing is allowed under one of the specific exceptions set out in the regulation.
Under the GDPR, an organisation can lawfully process personal data only if at least one of the following conditions is met:
- The data subject has given their consent
- If the processing is necessary for the performance of a contract
- For compliance with a legal obligation
- If the processing is necessary to protect the vital interests of the data subject
- If the processing is necessary for a task carried out in the public interest or in the exercise of official authority
- If there is a legitimate interest pursued by the data holder or a third party
What are the FSA & our members obligations as data holders?
The 'accountability principle' requires you as data holders to be able to demonstrate that you comply with the principles above.
To be able to demonstrate that you comply, you must:
- Create and implement appropriate internal data protection policies such as staff training, internal audits of processing activities and reviews of internal HR policies
- Record data processing activities
- If you have fewer than 250 employees you are only required to keep these records for processing that is likely to result in a risk to individuals, is not occasional, or involves sensitive data or data relating to criminal convictions and offences
- Check if you need to appoint a Data Protection Officer (The ICO has more information on whether you will need one)
- Run impact assessments to anticipate any issues around data protection, particularly for high risk processing
- Protect any personal data that you hold using appropriate security e.g. data about participants, volunteers, staff etc
- Protect the rights of people who give you their data (for example their rights of access, rectification, erasure and data portability) by ensuring your organisation has the right systems in place to be able to observe those rights
- Ensure the data you are processing is held securely and kept confidential
- Ensure that data is only collected in your organisation for specified, explicit and legitimate purposes and is kept accurate and up to date
- Review how you get consent to use personal data, and ensure that one of the lawful bases for processing listed above applies to each processing activity
- Build data protection safeguards into services from the earliest stages of development
What are the benefits for members of these changes?
Whilst the new GDPR rules will require your organisation to devote significant resources to thinking through and, where necessary, changing how you store and use your data, they will also result in a number of benefits to your organisation, such as:
- The new regulation will strengthen your data protection policies, thus minimising the risk of any misuse of data or data fraud occurring in your organisation
- Rethinking the way you store and process personal data gives you the opportunity to use your data more efficiently and productively
- Removing data you don’t need will result in less wasteful data management and processing
- If you need to process data in another EU country, then having to deal with a single pan-European law for data protection will save you time and money
- If an individual chooses to take advantage of the new right to data portability when joining a sport or recreational activity, then it will make it easier for you and your clubs to obtain and re-use their details
- The increased level of security that compliance with GDPR requires will also help protect you more widely from cyber-attacks
- The new regulation gives you the opportunity to strengthen your reputation as a trustworthy organisation to deal with
We know you will be full of questions about the new GDPR regulations and what it means for your society.
We recently held a webinar on GDPR led by an expert in the field from our legal partners Gateley Plc.
You can watch the full webinar here or check out the frequently asked questions clips below.
One of the big questions our member clubs and trusts have is about current and historic consent.
Check out this video for the answers.