Are you ready to be GDPR compliant by 25th May?
All clubs and counties hold data about their members including names, addresses and other contact details.
On 25th May 2018 the General Data Protection Regulation (GDPR) will come into force, adding significantly to the existing Data Protection legislation and providing the possibility of severe sanctions against organisations that fail to comply.
Since all clubs and counties are separate legal entities from the EBU, you are responsible for complying with all applicable legislation including the GDPR.
In order to help you prepare for this we circulated to all clubs and counties an information document which will point you towards more help and document templates on our website, with the aim of making it easier for you to understand what you need to do. It is repeated below for those who may not have received, or may have misplaced, the original. You can also read it here.
Please note though that this does not constitute legal advice and you should seek specialist advice if you are unsure of your responsibilities in any respects.
A webpage of collated information, and templates which may be useful for your club, is available here.
We are adding to it as more documents are produced, but it currently includes:
Information/documents for clubs/counties
Please note that the data protection regulations may differ slightly in the Channel Islands and the Isle Man. They will mostly be similar, but will be overseen by different bodies (i.e. not the ICO). Please seek advice as necessary from the relevant body.
Do look at this information carefully now and consider what steps you need to take to ensure compliance by the 25th May. I will be happy to help in whatever way I can if you have further questions.
Information about Data Protection for clubs and counties
The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and in preparation for it we are issuing this information to counties and affiliated clubs. The GDPR applies to all clubs and counties as separate organisations, regardless of their size. You can find further information on the website of the Information Commissioner’s Office at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Should you have questions relating to this document, please contact Gordon Rainsford firstname.lastname@example.org. Note that this document does not constitute legal advice and if you are concerned about any of these matters you should seek advice from the ICO or other specialists. Clubs and counties in the Isle of Man and the Channel Islands will have different regulating bodies and should take care to ensure that any advice they take is applicable to their circumstances.
- All information you collect relating to your members is “personal data”. Keep it secure and only use it for the purpose for which it was collected. Do not pass it on to anyone unless that was explicitly part of the reason for collecting it – e.g. passing on membership details to the EBU for their EBU membership, or submitting scores for the NGS and Master Points schemes, are both purposes for which the data was collected.
- Information relating to guests is also “personal data” and covered by the same requirements as that of members, though likely to be more limited in scope.
- If you keep paper records they should be secure – if on club premises they should be locked, with a note taken of who are key-holders.
- If you keep your records on a computer, they should only be accessible by appropriate people – the computer and/or the folders in which they are contained should be locked and/or encrypted. There is more information about this available from https://ico.org.uk/for-organisations/guide-to-data-protection/encryption/.
- Only committee members or club managers, if relevant, should have access to members’ records. Passwords should be changed whenever these roles are filled by new people.
- Emails should not be sent to groups of people in a way that makes their email addresses visible. To avoid this, either use a mailshot program or blind copy (bcc) all the recipients.
- For committees where you would like them to be able to reply to all recipients to continue a discussion, it is acceptable to copy them all in the usual fashion providing they were told this when they joined the committee and they have been given the option to not be copied in this way. Any committee members who are concerned about this might be advised to have a separate email address just for the purpose of committee business. Committee members’ contact details should only be displayed on websites if they have specifically agreed to this. It may be sensible for this information, if it must be available, to be in a password-protected area of the website, only available to members.
- Clubs should not issue lists of members' contact details (telephone number and email address) to all their members. Any such list that is made available should only contain the details of members who have specifically agreed to this. Any clubs that currently publish such a list should contact all members on it to ask whether they wish to remain on the list. They should be asked to “opt in” to this - it is not permissible for the default to be to include them unless they opt out.
- Access to a club’s or county’s My EBU is currently gained by using that organisation’s password. This means that any committee member who needs access needs to have the password, rather than accessing it through their own personal login. For this reason, you should keep the number of people who have access to the password to a minimum. You should change the password whenever any of those officers change.
- Scorers do not need to have access to the club/county My EBU in order to upload results – you can designate them as a scorer (as in the screenshot below) and then they will be able to submit results through their own personal My EBU without needing to access your club’s database. This is recommended to avoid having more people than necessary with access to your data.
- Do not keep data in more places than necessary – not only does this weaken your security, it also increases the possibility that the data will get out of sync and will not be consistent in different places. It is however sensible to have a backup of your data providing that you have a system to ensure it is backed up regularly and kept in a secure place.
- Many applications, such as your scoring program or a club management system like Pianola will have the ability to store significant amounts of data about your members, but unless you are using them as your primary database (and securing them appropriately), you should only store the minimum amount of essential information on them.
- Not all clubs and counties will need to register with the ICO but you can check on your particular circumstances at https://ico.org.uk/for-organisations/register/self-assessment/ - you are likely to need to register if you use security cameras or if it is a proprietor club, but it is best for each club to check based on their own circumstances.
Specific information relating to the GDPR
- The legal basis on which you collect most of your data is likely to be that it is in the organisation’s “legitimate interest” to do so.
- You must inform everyone from whom you collect data:
  - The legal basis for doing so;
  - What data you collect;
  - How it is stored;
  - To whom you pass it on and for what purpose;
  - For how long you keep the data;
  - What they can do to limit how you use their data.
This will usually be done via a Privacy Notice, which may be on your club’s website, but a printed copy should also be available in the club and be sent to those who request it. Your members should be directed to this Privacy Notice on every occasion when you collect data, so it should be referred to on your membership application forms. We will provide a template club membership form as well as a Privacy Notice for clubs and counties that you can modify to match your circumstances.
You need to take all reasonable measures to ensure that your members are aware of this, so you do need to contact them one way or another. While email is convenient, you should also contact those members for whom you do not have valid email addresses, if necessary by post.
- Clubs act as Data Controllers with regard to their own data. They also act as Data Processors on behalf of the EBU, to whom they send members’ contact data and game results. They may use other Data Processors, such as Bridgewebs or Pianola, in doing this.
- The EBU is the Data Controller with regard to its own data but also acts as a Data Processor for its counties, to whom it sends details of their members.
- Data Controllers and Data Processors need to have contracts as described in https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/. We are waiting for templates of these contracts to be made available by the ICO and they will need to be adopted as soon as they are.
- We intend to implement as much of the rest of our GDPR strategy as possible as soon as we can, rather than waiting until the ICO contracts are ready, and we advise clubs and counties to do likewise. The sooner we all start to implement this, the more time we will have to deal with unforeseen circumstances and work to resolve problems that may arise.
- We will add a FAQ section to this document in answer to questions that we receive from clubs and counties.
All documents added prior to 29/1/18 (when clubs were first contacted by email about the GDPR) except where stated.