- When does the GDPR comes into effect?
The GDPR was approved on April 2016 with a transition period of two years. On May 25th of 2018, this regulation comes into effect. - Who this regulation aims to protect?
This regulation is for the individuals, the data subjects. It focuses on protecting people’s personal data. The purpose is to ensure that the data subject is the rightful owner of their personal data and its rights are ensured, whenever it is. - What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. - What is consent for data processing?
The data you hold (which we as headquarters also hold) is necessary to perform your services to your members. All of the information you hold has a legal basis. It is recommended that you document why you hold that information. Members have joined your club and therefore under the regulations have consented for you to hold certain data pertinent to the services you provide as a BSAC club. - Do I always need consent?
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.
You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
It’s your responsibility to identify a lawful basis for processing under the GDPR - What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. - Does my club need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of organisations that engage in large scale processing of sensitive personal data. As your club doesn’t fall into this category, then you do not need to appoint a DPO. You can appoint a DPO if you wish to, but normally you would refer DPO matters to BSAC HQ.
- What is a Subject Access Request (SAR)?
A member may issue a subject access request which is a legal request and must be responded to within 40 days. You cannot charge a fee for this. A subject access request (or SAR) is an individual's right to see all of the data you hold about them. - Do I have to delete details about old members?
The standard advice is to delete any old data that is of no use to you. This applies to any data you hold about members who are no longer with you or interact with you in anyway unless you have a specific reason to keep it which follows the GDPR guidelines under the heading 'Data retention'.
Unless you have a valid reason (a legitimate interest) to keep records of former members, then you should dispose of them. If you are keeping them and have a legitimate reason, then you are advised to document this. For the purposes of Christmas cards and invites to club anniversaries, you could class this as a legitimate interest, however it would be recommended to include an option to stop receiving emails from you when you send any communications out. - What is the ‘Right to be forgotten’?
If a member no longer wishes to receive communications from you, they have a right to be forgotten (right to erasure). This also applies to any ex-members who no longer interact with you. If you are contacting them without success, then it is likely they are no longer interested in your communications. - How does the GDPR affect policy surrounding data breaches?
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.