You will recall the extensive work-through we blogged about (Digital Privacy: GDPR Guidance* For HEMA Clubs – Deadline Looming!) – well, the deadline is here.
There has been an unbelievably diverse reaction to the Regulations (capital R!) from the comically naive through to “should know better” (the Royal Mail’s guide to GDPR was itself non-compliant! lolz), to the professionally written and clearly understood.
The TLA GDPR statement link is at the end of this article, and included in the website footer.
Since the original guidance was issued by the ICO which specifically listed two main criteria for legal data processing, a further four options have been added (quietly) indicating that even the regulator has been updating its own guidance:
TLA has crafted it’s own statement and approach to GDPR based on the original two criteria of “Consent” and “Legitimate Interests” (mostly the latter) but with the updated options, we are also compliant under “Contract”.
It is perhaps worth highlighting the “Contract” option further as it is the primary mechanism which personal data can be processed with regard to paying subs to a club via bank transfer/PayPal etc, and also the signing up to competitions, seminars, and so on. To enable the transaction of something coming to you in exchange for cash going the other way, personal details must be used, otherwise everything grinds to a halt. Importantly, “Contract” applies to the fulfilment of a transaction (whether cash exchanges hands or not) and only to the bare-minimum of the data involved to facilitate that transaction.
In summary: the deadline is here. Every club website should have a GDPR statement on their front page and visible. You should have checked the data you hold, and either delete or anonymise old data. The data you collect is the minimum your club needs to function and all of it can be justified as to why you need it. Finally, if you do newsletters circulated by your own email system (or 3rd party provider, such as MailChimp) then you may want to proceed down the “Consent” route if you have a website “sign up to our newsletter” option. Existing members are covered by legitimate interest but non-engaged/speculative sign-up people need the consent option worked through.
Read the TLA GDPR Statement here: