GDPR stands for General Data Protection Regulation. The GDRP sets out the privacy rights of every EU citizen and the ways in which an individual’s ‘Personal Data’ can and can’t be used.
Personal data is information about an individual such as name, address, phone number etc. and includes special categories of personal data including one’s race, ethnicity, religion or sexual orientation.
The EU will be enforcing these laws across the 28 member states from May 25th 2018. We will return to the Brexit conundrum facing clubs from Northern Ireland later!
Failure to comply with the GDPR will result in the risk of incurring massive fines ranging from €10m to €20m or 2% to 4% of an organisation’s total worldwide annual turnover in the preceding financial year (depending on whichever is greater).
Where a club forms part of a bigger organisation there is a potential for significant fines when the worldwide annual turnover is assessed. It’s in the interest of any individual or organisation to be compliant and up to speed!
The law puts the onus on the person or entity that collects a person’s information (Data Controller), to comply with the legislation and to demonstrate compliance.
However, there is no need to panic!
Most of the Data Protection procedures should already be in place by your club but there are several keys changes that must be highlighted. The Irish Data Protection Commissioner has published a 12-step guide which is worth a read.
It is up to the club to make an inventory of all the data they have of their members and to maintain a record of what they do with this data, this is called ‘data processing’. The object is to find out why, where and how the data is stored? Also, why was it originally gathered, how long it is being retained, how secure it is and whether it is shared with any third parties?
So, all paper forms, emails and computer files should be checked, updated and irrelevant data should be deleted. Data Controllers must be able to demonstrate that consent was given or another lawful grounds for processing can be relied upon and an audit trail is maintained.
The GAA, for example, stores all registered member information on their Central Games Management System (Foireann) and jointly shares responsibility for this data with each club/team/county. Some clubs may have other systems in place (Excel) or use third party providers such as ClubZap to manage their digital systems. Third party providers must be well aware of GDPR compliance and discussions should be held with third parties in relation to responsibilities arising and where liability for a failure to comply will rest.
If relying on consent, it must be ‘freely given specific, informed and unambiguous’. In order to comply with GDPR, membership (or any other) forms should include the following information…
Although GDPR does not kick in until May, it might be wise to bring these changes in this month if memberships are being renewed to save a data dilemma a few months down the line.
Make it a New Year’s resolution! If consent was already gathered in a way consistent with GDPR, then it is not necessary to do so again.
As a data controller your club must protect the rights of individuals.
They include the right to have information erased, inaccuracies corrected and the ability to object to direct marketing.
Data Portability is a hot topic at the moment — it’s the process where an individual’s information is gathered and moved to another provider or to the individual in a technical format. This is more relevant to switching banks or utility services but could crop up when a player transfers club.
If there is unauthorised access to personal data or it is lost or stolen, the Data Protection Commissioner must be informed within 72 hours.
Where there is a high risk to the rights and freedoms of the individual affected, he or she should also be made aware of the breach.
Clubs in Northern Ireland may be concerned over the effect of Brexit on data protection. It is expected that when the UK formally leaves the EU in 2019 it will have enacted legislation that mirrors GDPR. However, this remains to be seen.