The General Data Protection Regulation (GDPR) applies from the 25th of May 2018. The government intends to replace the Data Protection Act with GDPR and may go further than the Regulation requires. GDPR applies to the personal data of people living in the EU (Subjects), even if the organisation using the data is outside the EU. Personal data can be as little as a name, email address or telephone number. Lions Clubs International District 105SC needs explicit consent to use this information to contact Subjects unless it relies on a lawful basis permitted by GDPR, such as 'legitimate interests'. Subjects must be informed of their rights.
The regulations are not designed to stop your normal activities! You may continue to record personal details of members and volunteer helpers, and you do not need their consent because this is part of your normal activities, that is, your 'legitimate interest'.
Where to start
Steps you should take to ensure, and demonstrate, that your club is compliant:
- Ensure that all of your members are aware of the need for privacy.
- Document what personal data you hold, where it came from and who you share it with. This is called a Data Audit. Use the table below to get started.
- Create or update your privacy notice on your website and ensure you provide a prominent link to it. All Squarezone Club-Sites websites automatically display a privacy notice to ensure you are compliant.
- Create or update procedures to ensure they cover all the rights of Subjects, including how you would delete personal data or provide copies of data.
- Create or update procedures to handle requests from Subjects within the new timescales (1 month).
- Identify the lawful basis for your processing activity, document it and update your privacy notice to explain it e.g. 'legitimate interests' or 'consent'.
- Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents if they don't meet the GDPR standard. This usually means adding text to a form (printed or electronic) seeking consent with a Yes/No answer (not pre-filled) and informing the Subject of exactly what they are consenting to.
- If dealing with children, put systems in place to verify Subjects' ages and obtain parental or guardian consent.
- Create or update procedures to detect, investigate and report any personal data breach.
- It is unlikely you will need to conduct a Privacy Impact Assessment, but if embarking on a new system to record personal data, simply outline what data you will collect, record why it is needed, how it will be used and who needs it, and keep a record of your reasoning - further details.
- Designate someone to take responsibility for data protection compliance. It is unlikely that you will need a Data Protection Officer.
- If you operate in more than one EU member state, determine your lead data protection supervisory authority from this PDF.
You don't need explicit consent from members, volunteer helpers or those you help, because these communications are operational, i.e. they relate to running your organisation and are 'legitimate interests' with respect to your normal activities.
You do need to satisfy yourself that any third parties involved in your activities, such as ticket sellers and website providers, are GDPR compliant. Squarezone Club-Sites are compliant.
You do need to audit the data held on Subjects, whether in electronic or paper form, to ascertain what data is currently held, where it is kept, who has access to it and whether it is excessive for the activity. Your Secretary should keep dated copies of each audit.
The following table may be used as a guide. It should be edited to be more specific for your club and should have a row for each specific activity, such as Firework Displays or Car Boot Sales.
| Activity | Data held | Where | Purpose | Source | How the data is used | Accessible by | Shared with |
|---|---|---|---|---|---|---|---|
| Members | Name, Address, Email, Telephone, Gender, Partner's name, Date of birth, Photograph | Website, Members' computers, Paper | Communicating with members | Individual members | Used to communicate with members. Printed and circulated to members. Held securely online and on members' personal computers. | Secretary and Webmaster | All members |
| Members | Bank details | Treasurer's computer, paper | Accounts | Individual members | Payment to members | Treasurer | No-one |
| Volunteer Helpers | Name, Email, Telephone | Website, Members' computers, Paper | Communicating with volunteer helpers | Individual volunteer helpers | Used to communicate with volunteer helpers | Event organiser | Members involved in event |
| Suppliers | Name, Address, Email, Telephone | Website, Members' computers, Paper | Communicating with suppliers | Supplier | Used to communicate with suppliers | Event organiser | Members who organise events |
| Customers/Event attendees | Name, Address, Email, Telephone | Website, Members' computers, Paper | Communicating with customers | Individual customer and ticket agencies | Used to communicate with customers, past and present | Event organiser | Members involved in event |
| Donation recipients | Name, Address, Email, Telephone, Gender | Members' computers, paper | Communicating with donation recipients | Individual donation recipient | Used to communicate with donation recipients | Specific members responsible for donations | Members of committee or group responsible for donations |
Do remember that GDPR is not designed to prevent your legitimate activities; it is designed to make you think about collecting, using and storing personal information fairly, transparently and lawfully.