
Clubs, Societies and the GDPR (part 1)

Whilst many large organisations are busy preparing for the GDPR coming to force on 25th May this year, there are many smaller organisations out there wondering if and how it applies to them. In the next two blog posts we answer some frequently asked questions for those involved in clubs and societies.

I am secretary for a small members only club. Will the GDPR apply to us?

Yes. The terms of the GDPR will apply to anyone processing personal data except for individuals processing personal data for personal or household activities.

For this purpose, personal data means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. Such identifiers could include someone’s name, identification number, location data or online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The GDPR sets out a number of data protection principles which must always be adhered to if you process personal data. In the main these are the same as were found in the GDPR’s predecessor, the Data Protection Directive. However there are some new elements which may affect data use by clubs and societies, as set out below. The GDPR applies to both automated personal data and also to manual filing systems where personal data is accessible according to specific criteria (e.g. alphabetically or chronologically ordered sets of manual records containing personal data). This means that for clubs or societies holding the names, contact details or other personal information about members, then yes, the GDPR will apply.

Do we have to change our membership application form?

This will depend on what exactly is in your current membership form, but you should certainly review what is currently in there. The transparency principle in the GDPR means that you must communicate information clearly to members at the point at which you collect data, and your membership form/website are the ideal places to do this.

The Purpose Limitation Principle means that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes, so membership forms should only collect information that is necessary for the club/society’s needs. For example, a person’s name and contact details are likely to be required so that they are contactable (e.g. about club events and meetings), and emergency contact details may be required in case of an accident. However, a person’s occupation, for example, may be irrelevant for your purposes and, if so, it should not appear on membership forms.

Data must be processed lawfully, fairly and in a transparent manner. This means that you must inform individuals what data you plan to use and how, at the point at which you collect it, so your application form must clearly set out this information. There are various other pieces of information that you must tell them about, including how long you are planning on keeping/using it for and whether you plan to transfer it to anyone (for example to affiliates for marketing purposes). This information can be communicated via a privacy notice/privacy policy/T&Cs which should appear on the membership form itself, and on your website if you have one.

Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay. Therefore you should be ensuring that the members’ details which you store are up to date by contacting them and requesting that they confirm their details.

Lawful basis for processing. In order to process data, data controllers must be able to point to their lawful basis for processing. There are 6 to choose from – consent, contract, legal obligation, vital interests, public task and legitimate interests. Clubs and societies are most likely to find the following the most appropriate: consent (where the individual has given clear consent for you to process their personal data for a specific purpose), contract (where the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract) or legitimate interests (the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests). Once you have established what your lawful basis will be, this should be communicated to members, most easily done by including this information in your privacy notice on your membership form and website.

Do we have to update our website?

Transparency is key to the GDPR so you should make sure that individuals are aware of how you plan to use their personal data. If your club or society has a website you should make sure that your privacy policy/terms and conditions clearly set out everything to do with your data processing activities – your contact details, your lawful basis for processing, what you plan to use the data for, how it will be processed and how long it will be retained. It should also set out how they can contact you with any queries about the processing of their data and provide information about their individual rights.

If you use any third parties in relation to your website – e.g. website hosting/marketing agents – they, as data processors, will also have obligations. As data controller you must ensure you have a contract in place with them and that the contract contains GDPR compliance provisions.

Do we have to complete any other documentation?

The accountability principle under the GDPR means that you must be able to demonstrate compliance. In line with this, the GDPR contains explicit provisions that require you to maintain internal records of your processing activities. Among other things, records must be kept on processing purposes, categories of personal data, recipients of personal data, and retention.

However, there is a limited exemption from the documentation obligation for small and medium-sized organisations. If you employ fewer than 250 people, you need only document processing activities that:

  • are not occasional (e.g., are more than just a one-off occurrence or something you do rarely); or
  • are likely to result in a risk to the rights and freedoms of individuals (e.g., something that might be intrusive or adversely affect individuals); or
  • involve special category data or criminal conviction and offence data (as defined by Articles 9 and 10 of the GDPR).

It is worth noting that we await further guidance on this particular topic from the Article 29 Working Party who are currently discussing the scope of this exemption.

What happens if we lose any members’ information?

The GDPR introduces a new obligation on data controllers in the form of breach notification. This means that if there is a data breach and data is destroyed or lost, altered or disclosed or if there has been unauthorised access to such data which results in a risk to the rights and freedoms of the individuals involved, you as a data controller have an obligation to report this to the ICO within 72 hours. If there is a high risk of adversely affecting individuals’ rights and freedoms you must also inform the individuals themselves, without undue delay. This applies whether the breach is accidental or malicious and can be something as simple as sending personal data to an incorrect recipient or a computing device containing personal data being lost or stolen.

Therefore, when there has been a breach, you must establish the likelihood and severity of the resulting risk to individuals’ rights and freedoms. If a risk is likely, you must inform the ICO. If a risk is unlikely and only has the potential to be a small inconvenience (such as the loss of a small list of telephone numbers with no other identifying information included), no reporting is required. When assessing whether or not it affects individual rights and freedoms, Recital 85 of the GDPR gives the following guidance:

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”

This means that a breach with the risk of causing emotional distress, or physical or material damage, must be notified. You must also document any data breaches, whether or not notification is required, and staff or volunteers should be trained so that they know the appropriate procedures to follow in case of such a data breach.

For more information on GDPR, contact andy.harris@mbmcommercial.co.uk.

Read also our Part 2 here.
