In May Gordon Rainsford wrote to all clubs about the question of contracts for data controllers and data processors. Following that a data processor/data controller contract was agreed between most clubs and the EBU. A number of other clubs were less willing to sign these contracts for a variety of reasons.
With any new legislation, its interpretation is frequently not established until cases have been brought to test its implementation, so all we have at the moment on which to base our policies are various opinions, not always in accord. Consequently, we have decided to allow the clubs that have not yet signed these contracts to decline to do so if they prefer, relying instead on the overriding requirement that they follow the law in this as in any other matter.
To facilitate this we have updated the Club Terms of Affiliation to include a simple data protection agreement between clubs, counties and the EBU. We will ask all clubs to acknowledge this when making their annual return next year. We have also modified the information about contracts on our GDPR page. If matters of legality are resolved more clearly one way or the other in the future, we will all need to be prepared to revisit this question.
We would be happy to accept termination from any club that wishes, in the following form:
We, (insert bridge club name here) hereby notify the EBU that we wish to terminate the club/EBU data processing contract dated (insert date of contract here).
In summary, if you are happy to have our existing contract, you need do nothing. If you would prefer not to have such a contract, you should notify us by email using the form of words above, though we must stress that this would not absolve you from complying with all current data protection legislation. You should then read the updated Terms of Affiliation, which all clubs will be asked to acknowledge next year when making their annual return.
We trust you will find this a reasonable solution to take account of all clubs’ views and preferences.
An example that may occur at your club is emailing everyone in the club but accidentally using ‘cc’ rather than ‘bcc’: you have disclosed personal data (the members’ email addresses) to people who are not entitled to receive it (unless you have put in place a robust system by which members have given permission for their addresses to be disclosed).
The Information Commissioner’s Office does not expect you to report every single breach. What you must do, however, is consider the severity of the breach and whether it is likely to pose a risk to the individuals involved. If it is likely to pose a risk, it must be reported to the ICO, and the legislation requires this to be done without undue delay and, where feasible, within 72 hours of the club becoming aware of it; if not, you need not involve the ICO. In either case you should record the details of the breach, the reasoning the club officials applied, and the conclusion they reached about whether a report was necessary. Keeping this record is itself part of what the legislation requires, and it allows you to demonstrate later that proper consideration was given.
More information is available here - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
Please note that this is a legal requirement overseen by the ICO, not a requirement of the EBU, so there is no necessity to involve us. It is not something we are policing; this is just a reminder of what the ICO expects.