From 25th May 2018 the new law for data protection (GDPR) will be coming into effect.
GDPR brings in new requirements on data controllers and data processors. Although most of the principles and terminology have not dramatically changed, the GDPR enhances rights for individuals and introduces a number of additional obligations on organisations, in particular, greater transparency and accountability.
What steps should you take now?
The Information Commissioner's Office (ICO) has created a number of useful resources on the general aspects of GDPR. However, some of the key areas of guidance are still under consultation. The ICO has also produced guidance aimed at small organisations, including a dedicated advice line. Further information is available via the links below.
Of the 12 steps to take, the following will be particularly relevant to clubs, counties and regions:
Awareness – make sure that your committee, volunteers and staff are aware of data protection issues and that the law is changing.
Information you hold – document what personal data you hold, where it came from and who you share it with.
Identify the lawful basis for processing data – the lawful basis for each processing activity needs to be identified and documented. The lawful bases are broadly the same as under the current Data Protection Act (DPA), and in most scenarios clubs, counties and regions will seek to rely on the legitimate interests ground for lawful processing.
Consent – review how you ask for and record consent. Under GDPR, organisations are likely to rely on other lawful bases for processing rather than on consent, the requirements for which have been widened by GDPR. However, you will still need consent to send marketing emails to your members.
Subject access requests – under GDPR, organisations will have only one month (currently 40 days under the DPA) to deal with subject access requests. Documenting where you hold information will help you handle requests within the new timescale.