Whilst many large organisations are busy preparing for the GDPR coming into force on 25th May this year, there are many smaller organisations out there wondering if and how it applies to them. In the next two blog posts we answer some frequently asked questions for those involved in clubs and societies.
I am secretary for a small members only club. Will the GDPR apply to us?
Yes. The terms of the GDPR will apply to anyone processing personal data except for individuals processing personal data for personal or household activities.
For this purpose, personal data means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. Such identifiers could include someone’s name, identification number, location data or online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The GDPR sets out a number of data protection principles which must always be adhered to if you process personal data. In the main these are the same as were found in the GDPR’s predecessor, the Data Protection Directive. However, there are some new elements which may affect data use by clubs and societies, as set out below. The GDPR applies both to automated processing of personal data and to manual filing systems where personal data is accessible according to specific criteria (e.g. alphabetically or chronologically ordered sets of manual records containing personal data). This means that if your club or society holds the names, contact details or other personal information of its members, then yes, the GDPR will apply.
Do we have to change our membership application form?
This will depend on what exactly is in your current membership form, but you should certainly review what is currently in there. The transparency principle in the GDPR means that you must communicate information clearly to members at the point at which you collect data, and your membership form/website are the ideal places to do this.
The Purpose Limitation Principle means that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes, so membership forms should only collect information that is necessary for the club/society’s needs. For example, a person’s name and contact details are likely to be required so that they are contactable (e.g. about club events and meetings), and emergency contact details may be required in case of an accident. However, a person’s occupation, for example, may be irrelevant for your purposes and, if so, it should not appear on membership forms.
Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay. Therefore you should ensure that the members’ details you store are up to date by contacting members and asking them to confirm their details.
Lawful basis for processing. In order to process data, data controllers must be able to point to their lawful basis for processing. There are 6 to choose from – consent, contract, legal obligation, vital interests, public task and legitimate interests. Clubs and societies are most likely to find the following the most appropriate: consent (where the individual has given clear consent for you to process their personal data for a specific purpose), contract (where the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract) or legitimate interests (the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests). Once you have established what your lawful basis will be, this should be communicated to members, most easily done by including this information in your privacy notice on your membership form and website.
Do we have to update our website?
If you use any third parties in relation to your website – e.g. website hosting/marketing agents – they, as data processors, will also have obligations. As data controller you must ensure you have a contract in place with them and that the contract contains GDPR compliance provisions.
Do we have to complete any other documentation?
The accountability principle under the GDPR means that you must be able to demonstrate compliance. In line with this, the GDPR contains explicit provisions that require you to maintain internal records of your processing activities. Among other things, records must be kept of processing purposes, categories of personal data, recipients of personal data, and retention periods.
However, there is a limited exemption from the documentation obligation for small and medium-sized organisations. If you employ fewer than 250 people, you need only document processing activities that:
- are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
- are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
- involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).
It is worth noting that we await further guidance on this particular topic from the Article 29 Working Party, which is currently discussing the scope of this exemption.
What happens if we lose any members’ information?
The GDPR introduces a new obligation on data controllers in the form of breach notification. This means that if there is a data breach in which data is destroyed, lost, altered or disclosed, or if there has been unauthorised access to such data, and this results in a risk to the rights and freedoms of the individuals involved, you as a data controller have an obligation to report it to the ICO within 72 hours. If there is a high risk of adversely affecting individuals’ rights and freedoms, you must also inform the individuals themselves, without undue delay. This applies whether the breach is accidental or malicious and can be something as simple as sending personal data to an incorrect recipient or a computing device containing personal data being lost or stolen.
Therefore, when there has been a breach, you must establish the likelihood and severity of the resulting risk to individuals’ rights and freedoms. If a risk is likely, you must inform the ICO. If a risk is unlikely and only has the potential to be a small inconvenience (such as the loss of a small list of telephone numbers with no other identifying information included), no reporting is required. When assessing whether or not a breach affects individuals’ rights and freedoms, Recital 85 of the GDPR gives the following guidance:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
This means that a breach carrying the risk of emotional distress or physical or material damage must be notified. You must also document any data breaches, whether or not notification is required, and staff or volunteers should be trained so that they know the appropriate procedures to follow in case of such a data breach.
Read also our Part 2 here.