In this blog post we continue our data protection FAQs for Small Clubs and Member Societies.
You can still send emails to individuals but should be clear about what lawful basis you are using to do this. Note that if you are sending marketing emails, you may also have to comply with the Privacy and Electronic Communication Regulations (PECR). If you are simply communicating with individuals about scheduled club meetings and events, the PECR will not be relevant.
As explained above, all processing requires a lawful basis. These include valid consent and legitimate interest. Consent is currently perhaps the most frequently used basis for communications. Whilst consent can still be used, it now comes with various burdens attached. If you are relying on consent to use personal data, data subjects have a number of rights including the right to access the data (meaning that you must provide them with all data which you hold about them within strict timelines), the right to withdraw consent (meaning that you will have to stop using their data) and the right to data portability. Furthermore, GDPR sets a high standard for consent and for consent to be valid, the following must be taken into account:
Due to the individual rights attached to personal data obtained on the basis of consent, other alternative legal basis may be more appropriate. Consent is only appropriate if your members are to have real choice and control over how you use their data.
Legitimate interests may in some cases be a more appropriate option for clubs and societies. It is the most flexible basis for data processing and will often apply where data is being used in a way that would be reasonably expected and which will have minimal privacy impact or where there is a compelling justification for processing. A club or society’s legitimate interests may be to inform its members of meetings and events. In order to rely on this basis the processing in question must be necessary – if the processing would not be reasonably expected or would cause unjustified harm, the individual’s interest will outweigh that of the club and the club could not rely on this legal basis.
Another data principle is that of “Data Minimisation”. Personal data must be adequate, relevant and limited to that necessary in relation to the purposes for which they are processed. Furthermore the GDPR imposes a storage limitation requirement, meaning that personal data can be kept for no longer than necessary for the purpose for which it is processed. This data retention limit means that you must only keep data of members for as long as you need it for their membership. You should therefore ensure that you remove from your files/database information relating to people that are no longer members of the club.
Personal data must be processed in a manner that ensures appropriate security of the personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The security measures in place will depend on the data controller and what type and volume of personal data is being processed. The level of security must be appropriate to the risk posed to the personal data being processed. A locked filing cabinet or password protected database (with the password only known to those who require access e.g. club secretary) may well be appropriate security for a small, local club holding only members names and contact details but not for a large organisation holding larger volumes and more complex personal data who will require much more advanced security measures to ensure compliance. Even so, if a locked filing cabinet is used, make sure it is in a secure room, always locked and that the key is kept secure. Password protected systems should be backed up regularly and wherever possible, data should be pseudonymised/encrypted.
If you are also collecting bank details from members for payment, keep these in a separate, secure location.
Importantly, staff/volunteers should be aware of the GDPR security requirements and also be trained on breach notification procedures.
Yes. Under the GDPR, individuals have (i) the right to obtain confirmation that you are processing their personal data and (ii) the right of access to the personal data. You so you must respond to them without delay and always within one month. This must be done free of charge unless an individual repeatedly and excessively requests information in which case a reasonable fee may be imposed taking account of the administrative costs involved.
Before responding to such a request, ensure you verify the identity of the person making the request using reasonable means.
Note that if you are relying on consent as your lawful basis for processing personal data, when offering an online service directly to a child, only children aged 13 or over are able provide their own consent. If they are younger you must obtain consent from the parent or guardian.
If you are relying upon the “legitimate interests” basis you must take responsibility for identifying the risks and consequences of the processing, and put age appropriate safeguards in place.
Make sure you have appropriate and up–to-date data policies and procedures in place to help staff and volunteers understand data protection issues and solutions.