General Data Protection Regulations (GDPR) – a set of EU-wide regulations that replaces preexisting legislation on data protection and data privacy. Why do you need to know about this? Because it affects every club, group, company, sole-trader, FTSE100 listed company, local charity, village hall… EVERYONE who has someone’s personal information stored somewhere as part of an official activity. GDPR seeks to identify all information flows from receipt/capture through processing and then reuse back out into the world.
What’s ‘an official activity’? This is my term for describing the storage of another person’s data (even just their name, let alone anything else) that is to be used for e.g. membership of the club. It does NOT include Aunty Theresa’s and Uncle Jeremy’s Christmas card address books with friends and family listed in them.
The General Data Protection Regulations classify any storage of any data (even the act of storing it, without using it) as “Processing” and so GDPR seeks to ensure accuracy, transparency, and legitimacy in the handling of such data. Therefore, every HEMA club in the EU will be subject to GDPR when it comes into force on the 25th May 2018.
This article is a basic guide to GDPR for HEMA clubs; see below for the official Information Commissioners Office (ICO) UK guidance.
Should clubs be concerned/worried/panicking?
No – although some will have more work to do than others. All clubs should be complying with existing data protection laws (mostly common sense), including the Data Protection Act 1998 (https://www.gov.uk/data-protection) and the EU Privacy and Electronic Communications Regulations (PECR) 2003 (https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/). GDPR simply takes these and asks organisations to identify what data they are collecting, why, and how it will be used. The real impact of GDPR is behind the scenes with organisations now REQUIRING documented compliance procedures (more on this later) and being able to react to information requests from individuals.
GDPR sets out more rigorous guidelines for larger organisations (>250 employees) which is not particularly relevant for the HEMA world, covering the appointment of a data “Controller” as well as a data “Processor”. Whilst neither is actually required for our clubs, it should be viewed as ‘best-practice’ to appoint a committee member/director as the lead data protection officer – ensuring data storage is clean and compliant.
Nice summary, but what does GDPR actually mean for me, as an individual?
When it comes to personal data, GDPR has just made you a demi-god.
GDPR puts the onus on organisations to justify why they are collecting/storing/processing your information as well as the procedures that are in place to ensure it is stored safely and used appropriately. Furthermore, you can request to see precisely what information is stored as well as (!!!) proof of the procedures in place to protect it. Finally, you have the right to be forgotten, so should you no longer wish to receive Season’s Greetings from Uncle Theresa and Aunty Jeremy, you are able to request to be deleted from the database and receive proof that this has been completed.
I run a HEMA club, but what does GDPR actually mean for me/us?
Get ready for some work…
Firstly, GDPR will be ‘policed’ by the Information Commissioner’s Office (ICO) https://ico.org.uk/ and they will be more interested in the big organisations of the world, like Amazon, rather than a bunch of HEMA clubs. In all cases, it will still take a complaint from an individual to begin an investigation, so the real-world risk of a huge fine is limited. However, thanks to this article and the resources attached to it, your workload shouldn’t be too onerous, complicated or difficult. Ignoring it probably isn’t the best idea.
The existing Data Protection Act 1998 and PECR cover cold calls, unsolicited emails (spam) and similar digital contact. They also cover consent (e.g. opt-in to communications) and what to do about opt-out. There are no surprises here: don’t contact people who have no interest in what you do, don’t contact them if they have asked you not to, don’t ask for any information you don’t need and don’t keep their records on file for any longer than you have to.
However, GDPR does have a couple of specific routes that must be chosen to ensure communications are compliant with GDPR: “Consent” based and “Legitimate Use”.
GDPR – The Specifics (also known as the ‘to-do’ list):
Here we get to the meat of the issue (or suitable vegetarian option). Before dealing with outbound communications (email, calls, letters, Facebook messages…) clubs should be looking inwards at their admin to ensure compliance; get this sorted and everything else is easy. The ICO have an exceptionally useful PDF titled “12 steps to compliance” – I recommend you read it. I have adjusted it for this article, but the two align eventually.
(1) Get together with your co-directors/committee members/sensible helpers and let them know some data protection stuff is coming and work needs to be done now.
(2) Use the ICO website tool to check your existing GDPR compliance rating: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
(3) Conduct an existing data storage audit. This may be tricky depending on how your admin systems are set up. For clubs with an online cloud-based storage system, your workload is less than those with a ‘paper-stack-shoved-in-several-drawers’ system.
- Where is data stored? Is it in one central spreadsheet that only nominated officials can access, updated yearly/regularly to ensure accuracy? (GOOD). Or is your membership data spread over a few spreadsheets, various committee mobile phones, some paper records in a drawer, and on a couple of old laptops? (BAD). Identify it all methodically! Once done, most of it can be shredded/deleted/removed, but until you know what you have and where, you cannot do anything about it.
- Once identified, work out whether you should be keeping it or not. Record keeping for clubs is important, but email addresses, phone numbers (and so on) should not be retained indefinitely. GDPR allows for record keeping if the data is anonymised, i.e. cannot be linked to an individual: for example the first part of a postcode only, gender, or birth year. However, attendance records usually contain full names, and so these should be anonymised once the data is no longer required for club admin – the data points will still be present, but cannot be reconstructed to identify the actual member.
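The anonymisation step above, as an added worked example (this is not code from the article or from Taunton Longsword Association). The register rows are constructed sample data, and the retention period, field names and the rule “anonymise once the last attendance is older than the retention period” are assumptions chosen for illustration; a club would pick its own retention period.

```python
"""Anonymise attendance records once they are no longer needed for club admin.

Added example, not part of the original article. The register below is
constructed sample data; RETENTION_DAYS and the field names are assumptions.
"""
from datetime import date

# Constructed sample register: one row per member, as a club spreadsheet might hold it.
SAMPLE_REGISTER = [
    {"name": "Alice Example", "email": "alice@example.invalid", "phone": "01234 567890",
     "postcode": "TA1 1AA", "gender": "F", "dob": "1985-03-12", "last_attended": "2016-11-02"},
    {"name": "Bob Sample", "email": "bob@example.invalid", "phone": "01234 000000",
     "postcode": "TA2 7XY", "gender": "M", "dob": "1992-07-30", "last_attended": "2018-04-20"},
]

# Fields that identify a person directly and must not survive anonymisation.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "dob", "postcode")

# Assumption: contact details are kept this long after the member's last attendance.
RETENTION_DAYS = 365


def outward_code(postcode):
    """Keep only the first part of a UK postcode (e.g. 'TA1 1AA' -> 'TA1')."""
    return postcode.strip().split()[0].upper()


def anonymise(row):
    """Reduce a record to statistical data points that cannot be linked back to the member."""
    return {
        "postcode_area": outward_code(row["postcode"]),
        "gender": row["gender"],
        "birth_year": int(row["dob"][:4]),
        "last_attended": row["last_attended"],
    }


def is_expired(row, today):
    """True when the member's last attendance is older than the retention period."""
    last = date.fromisoformat(row["last_attended"])
    return (today - last).days > RETENTION_DAYS


def process_register(rows, today):
    """Split the register into rows still needed for admin and rows reduced to anonymous data."""
    kept, anonymised = [], []
    for row in rows:
        if is_expired(row, today):
            anonymised.append(anonymise(row))
        else:
            kept.append(row)
    return kept, anonymised


def contains_identifier(row):
    """Check used after anonymisation: no direct identifier field may remain."""
    return any(field in row for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    kept, anonymised = process_register(SAMPLE_REGISTER, date(2018, 5, 25))
    print("still needed:", [r["name"] for r in kept])
    print("anonymised:", anonymised)
```

The `contains_identifier` check is the point of the exercise: run it over the anonymised rows before the originals are deleted, so that a name, email or full postcode cannot slip through into the “anonymous” attendance statistics.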
(4) GDPR is ‘granular’: this is absolutely key to the regulations and is specifically mentioned. “Granular” is interpreted as what data is being collected, why, and its lifespan. Previously some bland statement such as “we will collect your data to help us better target information to your needs and may be shared with third parties whenever we want” was acceptable; thankfully this will be insufficient under GDPR with clear information flows required.
(5) If data is to be transferred to a 3rd party (e.g. insurance, affiliation) then this needs to be explicitly stated to members: what is being transferred, why, and to whom. There is also a burden on the club (who is sending the information) to ensure accuracy. If a mistake is noticed in the data, it should be corrected and the recipient organisation notified immediately. This ‘data accuracy’ may be largely reactive (members tell you of an error) or proactive (regular data checking, e.g. at membership renewal).
(6) At this stage, you will have a pretty good idea of what is going on with the data in your club, what can be deleted, and who has access (and shouldn’t), so it is time to clean the files of old data and print-outs, ensure data security, and generally spring-clean the databases. As you’re doing it anyway, you may as well combine as much information as possible into one spreadsheet/database program for future maintenance. The following spreadsheet is a very real possibility in dealing with data protection within a typical club, such as Taunton Longsword Association. Whilst the examples are very obviously fake, the actual depth and breadth is close to reality.
Example GDPR Club Spreadsheet:
From here, with a cleaned database, you will be able to draft a GDPR compliance statement that also sets out what data you have, what you collect, and where it goes. Take the opportunity to include the other aspects of GDPR compliance such as ‘Breach’ notifications, complaints procedure, and data requests. See this example for TLA:
(7) You’re just about done, with the majority of work completed. Next it is time to consider your communications and what form of compliance needs to be taken. GDPR has two main routes for marketing communications compliance:
- Legitimate Use
- Consent
‘Legitimate Use’ is the easiest to comply with and will ensure those whom you have always emailed may continue to receive your comms (probably). Legitimate Use is grounded in the fact that at some point (timescale is important here) there was a moment where entering into a contract was being considered: they had a need for some sword knowledge, and the club had the facilities to transact that; the individual has a legitimate interest in finding out more in order to make a decision. All your existing members will fall into this category, as you have a valid reason to use their details for membership, insurance, etc. However, timescale is important here, as is consideration of unsubscribe requests. If it has been five years and still no sign-up/interaction, then that “red-hot enquiry” should be removed from your contact list (BTW, five years is not mentioned in GDPR; it’s a fictitious example).
‘Consent’ covers all other comms – from the enquiry down the pub to cold-contacting local people. This is a fair bit trickier, as you need to ensure a contact database is present, cleaned regularly for accuracy, and that you have a mechanism to record unsubscribes and data deletion requests. Not only does the database need to be spot-on, but you also need to ensure that you have consent for sending which has been verified. Organisations are no longer allowed to have pre-ticked boxes on forms that start off accepting receipt of comms; it must be an opt-in decision, not an opt-out one. On the back of that, the double opt-in is required, so before you can send anything meaningful, you have to make sure that they really do want to receive comms… no reply = no consent.
For organisations and clubs going down the Consent route, there are complications around the balance of power and the individual being able to provide unpressured consent. For example, can an employee decline consent for their employer to share their information with HMRC/Payroll/banks? Yes they can, but may feel unable to for fear of losing their job. So the power is unequal and Consent (even if given) may be proved to be forced. Likewise, a club member may decline Consent to share their details with 3rd parties, but if that information is required for insurance or other club admin, and if Consent is not given then they are not part of the club, so the balance of power is also unequal. In both these cases, “Legitimate Use” may be used, which does not require “Consent”; however, requests from Members to restrict data flow should be treated sensitively and with reference to GDPR guidance.
In both cases, all communications should have an “Unsubscribe” link or instructions, this is already in law.
(8) Last of all is the GDPR requirement for individual data management. Any person may request to know what data is being held, why and so on (see above), but they also have the right of data portability – being able to take their data and move it elsewhere. A real-world example of this would be one of our members moving to another region in the UK or EU and wishing to transfer their information to the new club. We, the holding club, would need to be able to give this information in an accessible digital format within 30 days.
Individuals also have the right to be forgotten, and so (in this example) the transferring individual may request that all their information is deleted; once again, if the data is in multiple locations and has not been cleaned during the data audit, this becomes a more onerous manual task.
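The consent bookkeeping from the Consent route (opt-in only, double opt-in, no reply = no consent, unsubscribes recorded) and the data rights in step (8) (portability export and deletion with proof) come together in one small contact register. This is an added illustration, not code from the article or from any club; the register contents, the `consent_status` values and the JSON export layout are all assumptions, since GDPR only asks for an accessible digital format and does not prescribe one.

```python
"""Consent gate, portability export and erasure for a small club contact register.

Added example, not part of the original article. REGISTER is constructed
sample data; the consent_status values and the export format are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed sample register. consent_status values (assumption):
#   "member"       - existing member; the club's Legitimate Use route applies
#   "pending"      - ticked the opt-in box but has not replied to the confirmation email
#   "confirmed"    - replied to the confirmation email (double opt-in complete)
#   "unsubscribed" - asked to stop receiving comms
REGISTER = {
    "alice@example.invalid": {"name": "Alice Example", "consent_status": "member", "phone": "01234 567890"},
    "bob@example.invalid": {"name": "Bob Sample", "consent_status": "pending", "phone": ""},
    "carol@example.invalid": {"name": "Carol Demo", "consent_status": "confirmed", "phone": ""},
    "dave@example.invalid": {"name": "Dave Test", "consent_status": "unsubscribed", "phone": ""},
}


def can_email(register, email):
    """Only existing members (Legitimate Use) and double-opted-in contacts may be emailed.

    A ticked box with no confirmation reply is not consent, and an unsubscribe
    always wins, whichever route the contact originally came in under.
    """
    rec = register.get(email)
    if rec is None:
        return False
    return rec["consent_status"] in ("member", "confirmed")


def confirm_opt_in(register, email):
    """Record the confirmation reply that completes the double opt-in."""
    rec = register.get(email)
    if rec is not None and rec["consent_status"] == "pending":
        rec["consent_status"] = "confirmed"


def record_unsubscribe(register, email):
    """Record an unsubscribe request; the status is kept so the contact is not re-added."""
    if email in register:
        register[email]["consent_status"] = "unsubscribed"


def export_member(register, email):
    """Data portability: everything held about one person, as machine-readable JSON."""
    rec = register.get(email)
    if rec is None:
        raise KeyError(email)
    return json.dumps({"email": email, **rec}, indent=2, sort_keys=True)


def erase_member(register, email, now=None):
    """Right to be forgotten: delete the record and return a receipt for the member.

    The receipt names the fields that were removed and when, not their values,
    so sending it does not re-disclose the data just deleted.
    """
    rec = register.pop(email, None)
    if rec is None:
        return None
    now = now or datetime.now(timezone.utc)
    return {"email": email, "fields_erased": sorted(rec), "erased_at": now.isoformat()}


if __name__ == "__main__":
    for address in REGISTER:
        print(address, "may be emailed:", can_email(REGISTER, address))
    print(export_member(REGISTER, "alice@example.invalid"))
    print(erase_member(REGISTER, "alice@example.invalid"))
```

Keeping the unsubscribed status on file (rather than deleting the row) is deliberate: it is the record that stops the same address being re-imported from an old spreadsheet and contacted again. A full erasure request is different and removes the row outright, with the receipt as the proof the member can ask for.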
I’m not including this section in the ‘to-do list’ of GDPR compliance, although it is a critical aspect of GDPR: do YOU know what to do in the event of a data breach? A laptop is stolen and your password is 1234 (easy to crack)…you lose your mobile phone with your auto synchronisation of the cloud data including member details (can you remote delete or wipe the device)…Google/Apple/Microsoft send you an email stating your data has been compromised by a mass server access…One of your members decides to access the laptop at training with a USB and downloads a folder…
GDPR requires you to notify the ICO within 72 hours of such an event. This page on the ICO website will guide you: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-breaches/ . Happily, there is some leeway on what needs to be reported, so in the above examples and for what we as HEMA clubs do, there is little to concern us. However, the key decision-making threshold is outlined in the guide thus:
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Therefore, a breach of email address or date of birth is unlikely to be an issue. The loss of a mobile phone number and address is, again, more serious but unlikely to cause significant detrimental effect on individuals… but what if it is a geographical breach locally? Now it becomes more serious, as the person is known locally and the impact is magnified. What happens if nothing occurs for a couple of months but then a local stalker begins turning up at their home or calling them? The data breach has suddenly become significant and probably part of a police investigation (not of the club, but of how the individual got the data in question). The ICO recommends that every data breach be handled on a case-by-case basis, but as a responsible HEMA club, every occurrence (hopefully none) should be discussed at a club committee/director level to work out the risk… and this conversation should be minuted for the records.
I hope this article, despite its length and depth, has been useful. There are loads of free resources out there but it mostly comes down to data security and common sense. Should you have any questions, I will do my best to assist – drop me a line via tauntonhema [?at!] gmail.com
* NOTE: I am not a lawyer nor a specialist digital law consultant. I am a professional marketing manager who has been looking at this for a while and working out how it applies to HEMA clubs. Whilst I hope this article helps – please don’t take the content as gospel, legally binding or as the last word in expertise! Thank you to Chantal at TLA for proof-reading for me!