Are you ready for GDPR?
What is GDPR?
It has become a buzzword recently, but it is certainly a big change in how businesses operate and process and store customer information. The new GDPR legislation comes into force on 25th May 2018 and tightens up the rules of the existing Data Protection Act (DPA).
The new GDPR legislation can be a daunting subject for many clubs. From our side, SimplyCOLLECT systems were designed with privacy as a key aspect and are therefore in line with the DPA, the Bacs scheme and the principles of the GDPR.
Under the legislation, Data Controllers and Data Processors have different responsibilities. SimplyCOLLECT operates as the data processor and, as a club, you operate as the data controller.
GDPR applies to all organisations that collect personal data from individuals. You should seek advice to ensure you are compliant, but here are some tips on what the legislation requires.
What practical steps can a club take?
The ICO recommends that organisations take the following steps to be compliant. We have also included a link to the ICO 12 step guide (ICO 12 Step Guide).
Awareness:
You should make sure that decision makers and key personnel in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems.
In practice this means deciding how the club communicates with members about their data and who within the club is responsible for any GDPR matters.
Information your club holds:
GDPR requires you to maintain records of your processing activities. You should document what personal data you hold, where it came from and who you share it with.
For a club this is any record you hold that contains personal information which can identify an individual. If you process members using membership forms, you must ensure that any information you keep outside of our systems is safe and secure. We recommend creating a flow diagram showing where personal data comes from, where it is stored and who it is shared with; this will help you understand its journey and can be made available to members upon request.
Communicating Privacy statements:
When you collect personal data you must give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. As part of the regulations, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you have handled their data.
You could provide this to members as a hard copy upon joining or, alternatively, make it available on your website. SimplyCOLLECT, acting as a data processor, will be updating its own privacy notice and making it more accessible to your members via their welcome email and from our website.
The Individual Rights of members:
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. The GDPR includes the following rights for individuals:
The legislation gives members more control over how you process their data. A member may, for example, ask for copies of documents they have signed or of electronic information stored about them. This is known as a Subject Access Request (SAR): an individual's right to access the information an organisation holds on them. Under the GDPR you must normally respond within one month and, in most cases, cannot charge a fee. You should update your procedures and plan how you will handle Subject Access Requests to take account of the new rules. Further information on SARs is available in the ICO Guide.
Lawful basis for processing personal data:
Most clubs will not previously have considered the lawful basis for processing information, but the GDPR requires you to document this basis within your privacy statement. Processing is lawful only where one of the bases set out in the GDPR applies, for example consent, performance of a contract, or a legal obligation. SimplyCOLLECT already seeks consent via the membership form under the terms and conditions or, if you are using simplyJOIN, within the T&C's of the joining process; it will also be mentioned more explicitly on the initial sign up page. Note that consent bundled into terms and conditions will not by itself meet the GDPR standard (see the consent requirements below), so for processing that is needed to administer the membership and collect payments, the contract basis is usually the more appropriate one to document.
Data Protection and Children:
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully.
SimplyCOLLECT already seeks parental consent to obtain the child's details via the membership form and via our simplyJOIN product.
Consent:
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard. Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent.
SimplyCOLLECT has already been working hard in the background:
You will see changes to new membership forms and to both simplyJOIN and simplyHUB to capture members' "opt in" consent to receive marketing materials. You will also see changes to user access rights to data, to enhance the security and the flow of personal data. We do need to make you aware that if you export any data out of the simplyCOLLECT systems, you are responsible for that data from that point forward under the GDPR.
simplyHUB will also have a mechanism in place to prevent marketing being sent to non-consenting members. Rest assured that this only applies to marketing materials: members will continue to receive service messages (closures, payment increases) regardless. The new rules only apply to marketing and promotional messages.
Over the next month you will see some slight changes in the systems and forms you use on a day to day basis. As a Direct Debit provider we already adhere to stringent security policies to ensure your member data is safe and secure. Once reviewed, you will receive by email an updated section of our client terms and conditions relating to the GDPR regulations.