From 25 May 2018, the new General Data Protection Regulation (GDPR) takes effect. In this blog article, we look at the principles of GDPR and the rights of your gymnastics club members under the new rules, and give our views from a system perspective.
The principles of GDPR are similar to those already covered under the Data Protection Act (DPA). Specifically, GDPR requires that personal data should be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
It also requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles”.
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.
The GDPR provides the following rights for individuals. Where applicable, we’ve included some guidance for those using our Gymnastics Club Manager software:
- The right to be informed
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data. GCM: We recommend you incorporate your privacy statement on the registration page and have a check-box for those submitting their information to select. The privacy statement can be created by using the custom statement option or the ‘Insert terms and conditions’ option, both of which can be found under the Admin > Forms page.
- The right of access
Under the GDPR, individuals will have the right to obtain:
a) confirmation that their data is being processed;
b) access to their personal data; and
c) other supplementary information – this largely corresponds to the information that should be provided in a privacy notice. GCM: Members (or more accurately their parents) can access their data via their online Gymnastics Club Manager account, so the requirement for you to provide access to information on request will be limited.
- The right to rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate. GCM: Pay Here Limited (the legal entity under which Gymnastics Club Manager trades) does not rent, lease or sell your club’s or members’ information. For support purposes, information is only accessible by employees of Pay Here Limited and our development team.
- The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. GCM: If you receive a request for erasure, there are two things to consider from a system perspective: 1) deleting a person from the system will also delete their payment history; 2) it will also delete their attendance history, which will have implications if you are required to keep their attendance record for a period of time for insurance purposes. Either reason in itself could be considered grounds not to comply with the erasure request. However, to retain accurate records you may wish to delete all personal data with the exception of first name, last name and DOB, so you can still keep an audit trail.
- The right to restrict processing
Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
- The right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. GCM: It’s unlikely that your members will require their data to be presented in a way that they can port. If this ever did arise, you can export their information in an Excel file from the system.
- The right to object
Individuals have the right to object to:
a) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
b) direct marketing (including profiling); and
c) processing for purposes of scientific/historical research and statistics. GCM: If you use our Gymnastics Club Software for email marketing purposes, we recommend setting up a group called ‘Email marketing’ and copying all members to the group. Send marketing emails only to this group. If someone objects to receiving marketing material from you, simply remove them from the group.
- Rights in relation to automated decision making and profiling
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.
Things to think about now
If you haven’t done so already, now’s a good time to start working towards becoming GDPR compliant. Here are some things you need to consider:
- Make sure your staff and helpers are aware of the upcoming changes.
Information you hold
- Document what data you hold, where it came from and who you share it with.
- Review your existing privacy notices and make any necessary changes in readiness.
- Check your procedures to ensure they cover all the rights detailed above.
- Ensure your members know how they can access their data.
Identify your data needs
- If you don’t use it, don’t collect it. Identify the data you need and document in your privacy notice why you need it.
- Review your existing consents (how you seek and record them) and refresh them if they don’t meet the new regulations.
If you would like to find out more on how we can help your club become GDPR compliant, book a free consultation today or call us on +44 (1)01892 771 276.