GDPR EU legislation on holding data

  • Updated 8 months ago
Changes to EU law that mean social clubs need to protect data. Need to know how ClubBuzz is addressing this, if they are. What are other clubs doing to protect themselves?

Steve Curtis


Posted 1 year ago


Sarah, Admin


ClubBuzz Guide to General Data Protection Regulations (GDPR)

The GDPR regulations will apply to all EU member states and the UK from 25 May 2018. These changes are significant and cover all your club’s operations. We advise you to check the Information Commissioner’s website for full details (https://ico.org.uk/). This document covers your contract with ClubBuzz Ltd and deals with the changes necessary for you to comply with the new regulations. We hope to have covered all the issues raised in the GDPR, but the Information Commissioner is still making new recommendations, so you may receive communications from us over the next two or three months.

The first thing you need to know is that, under these regulations, you are classified as the Data Controller (a data controller is defined as “the person who owns and decides what should be done with the personal data”) and ClubBuzz is your Data Processor.

This guide aims to assist you, our client, as data controllers. It tells you what changes we will be making to the ClubBuzz template that you use and also outlines what actions you need to take before GDPR comes into force. Again, we ask you to note that this is a guide to how our systems can help you comply, but you hold full responsibility for making yourselves aware of all the elements of the regulations and ensuring that you conform to them.

GDPR is concerned with personal data, which is defined as “any information relating to an identified or identifiable living natural person”. The GDPR rules that such data must be processed fairly and lawfully. This means that the data subjects (your members) should not be misled about the purpose of the collection of their personal details. You must therefore make clear to them all the uses to which you intend to put their personal data. This must be done when collecting new information from a member. N.B. it is our understanding that you do not need to notify your members about data you held prior to the new Regulations coming into force, although for best practice purposes we would recommend that you do advise them at the point of re-registration.

In order to facilitate the new functions necessary we will provide a new heading visible to the Data Controller and the Administrator entitled GDPR. This will be used to customise the various messages and emails which will become necessary.

Summary of Main Points of GDPR which we believe affect you:

Personal Data must be kept secure from unauthorised access, it should only be retained as long as is necessary for the purposes for which it was collected.

1. You must nominate a “data controller” who is responsible for seeing that you comply with data protection law. In order to comply with GDPR as your data processor we need to know who this person is so that we can report any breaches quickly to your club. If you have a Data Controller you will be asked to add their details in your club account page. NB: If you don’t have a Data Controller, or until you add one, your club administrator will be our default point of contact and will be assumed to be your Data Controller.

As a data controller you must carry out due diligence when choosing your data processor to ensure that they conform to the GDPR. Please note that if you were our client prior to the new regulations we do not need to gain new approval from you. However, we will make our guide available, which should give you confidence in our ability to serve you in accordance with both Data Protection Law and Best Practice. Any questions you have should be emailed to support@clubbuzz.co.uk, subject header GDPR query.

You must be able to demonstrate that the data subject (your member) has consented to the use of their personal data and that such consent was freely given. Where consent is given in a written declaration which covers other issues, for example a standard terms and conditions policy, the request for consent must be clearly distinguishable, in an easily accessible form, and use clear and plain language. You must define the specific reasons for which the data is required. In each case where this applies a “tick box” will be available against clear wording confirming the member’s agreement. Those who are members of your club prior to the new regulations coming into force do not need to be asked to consent to you holding current data on them. However, if you collect new data from them you will need to advise them of the purpose of the data collection. As best practice, for those clients using registrations we will add wording at the bottom of the registration form with a tick box so that you can gain their approval on an annual basis. When we make these changes it will include a form already populated with our suggested standard wording. It will be editable by you so that you can fully explain the use of data within your organisation, and it is vital that you do cover ALL the uses you put personal data to. New members will have to agree to the use of their data; they will see the same wording as mentioned above at the point of accepting their invitation to register on the system. In the case of either an existing member or a new applicant, if they do not agree, an email will be sent to your data controller asking them to contact the subject directly and take whatever action is deemed appropriate (e.g. delete the record from file).

2. The data subject has the right to withdraw consent at any time, which must be as easy to do as giving consent. In order to facilitate this we will place in the footer text a clear message prepopulated with: “If you wish to withdraw consent for us holding your personal data please email {populated with email of your data controller} requesting your data be removed from the site. However, this will only be possible if you cease your membership”. You will be able to edit the actual wording in the “GDPR” section. Where a member proceeds with the request the Data Controller will start an automated deletion of the member account which will be actioned 48 hours after the initial request. Should a member have an outstanding financial balance on their account (for clients using our financial package), that member will be notified of the need to make full payment of the balance in order that their data can be deleted. In that instance all personal data will be deleted after 48 hours except that data required to manage debt collection. Once all debt has been paid there will be an option for the Data Controller to delete all remaining data.

3. The regulations also include a “right to be forgotten” action, where anyone being mentioned on your website may ask for that reference to be removed. This will be explained in the footer, where there will be an option to commence this procedure.

4. In defining security of personal data the GDPR specifies that it must be transmitted and stored in encrypted format. If your site uses one of our subdomains, for example derbysportsclub.clubbuzz.co.uk, you already conform, being fully protected by our 256bit SSL certificate which confirms that the data is encrypted, and you need take no further action. If you use your own domain name, you are unlikely to have any facilities for encryption of the data entered from one of your computers and loaded onto our system. (You can easily check: if your URL begins with HTTPS:// you have encryption installed.) If you don’t, you will require your own 256bit SSL certificate, and this will cover all data sent to and from your website such as contact enquiries, facility enquiries and join the club enquiries.

5. There are specific security obligations relating to the security of data, and as such passwords must be robust. Whilst members can only access their own data, those with management roles can view other members’ data and it follows that they need a higher level of password. We will make the rules for an acceptable password more stringent and require passwords to be changed from time to time. The rules for managers will be even tighter in order to ensure they meet the reasonable standard demanded by the GDPR. We aim to have this in place by 1st March 2018, so when a member logs in they will be advised of the requirement to reset their password.

6. Data subjects under the age of 13 cannot give their own consent, and any agreement to hold data, request to delete and use of the right to be forgotten must come from the parent/guardian. Any written declarations will include the following wording: Please read the statement below and tick the consent box. If you are under 13 years of age this consent must be given by your parent/guardian. Where this is the case the name of the adult agreeing must be entered together with their relationship to the juvenile.


Additional questions to consider

We hope we have made clear the route we are taking towards full conformity with the GDPR. For you as a club there are other considerations, however, some of which we list below:

1. If you download members’ personal data onto laptops, tablets, phones, etc. you need to ensure that this is secure from unauthorised access. Paper-based lists need to be held securely too.

2. Do you have any old databases on other systems or personal computers? If so, how secure are they, and do those systems comply with GDPR? The regulations are specific that data should only be held for as long as it is necessary, so it is a good idea to review who holds what, on what, and delete anything which is not current and no longer required.

3. Do you delete personal data of lapsed or old members on a regular basis? Is it necessary to keep data for as long as you do?

4. Do you give any data to third parties, sponsors, etc.? If so, it is your responsibility to ensure that they are complying with GDPR as far as the handling and security of your data is concerned.

5. An excellent plan is to minimise data held on computers under your control. Check who holds what data, for what reason, whether it is secure and whether it is necessary.

6. Data entered through your ClubBuzz template is NOT stored on the computer used to enter it. So there is no possibility of a breach unless you decide to download such information. Such reports should be used for whatever purpose the data was downloaded and then erased.

7. Where you hold data with member details on a spreadsheet you should secure it with a password.

We trust that this document is helpful. We will be updating you as D-Day for GDPR approaches. You may be assured that we will be in a position to conform fully by that time. If you do have queries please email us at support@clubbuzz.co.uk using the heading GDPR QUERY and we will do our utmost to help.
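Points 2 and 3 of the guide above (consent withdrawal, the 48-hour deletion window and the debt-collection exception) and the "delete lapsed members regularly" question both come down to a retention rule that can be enforced mechanically rather than by a committee remembering to do it. The following is an added example, not ClubBuzz code: it models a member record, applies the guide's timings (48 hours after a withdrawal request, and, taken from the draft Fair Processing Notice further down the thread, 6 weeks after resignation) and, where money is still owed, strips the record down to a debt-collection field set instead of deleting it outright. The field names, the sample records and the choice of which fields count as "needed for debt collection" are assumptions for illustration.

```python
# Consent-withdrawal and retention scheduler (illustrative; not ClubBuzz code).
# Assumptions: the Member fields, the 48-hour grace period, the 6-week
# post-resignation retention and the DEBT_COLLECTION_FIELDS set are taken
# from the guide text and are not a real system's schema or policy.
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

DELETION_GRACE = timedelta(hours=48)    # withdrawal request -> deletion
LAPSED_RETENTION = timedelta(weeks=6)   # resignation -> deletion

# Only what is needed to chase an unpaid balance survives a withdrawal
# while money is owed; everything else goes at the grace deadline.
DEBT_COLLECTION_FIELDS: FrozenSet[str] = frozenset(
    {"member_id", "name", "email", "balance_owed"}
)


@dataclass
class Member:
    member_id: int
    name: str
    email: str
    phone: str
    address: str
    date_of_birth: str
    balance_owed: float = 0.0
    resigned_at: Optional[datetime] = None
    withdrawal_requested_at: Optional[datetime] = None


@dataclass(frozen=True)
class Decision:
    action: str                 # "keep" | "pending" | "minimise" | "delete"
    due: Optional[datetime]     # when a pending action falls due
    retained: FrozenSet[str]    # fields that survive the action


ALL_FIELDS: FrozenSet[str] = frozenset(Member.__dataclass_fields__)


def decide(m: Member, now: datetime) -> Decision:
    """Apply the retention rules to one member record at time `now`."""
    if m.withdrawal_requested_at is not None:
        due = m.withdrawal_requested_at + DELETION_GRACE
        if now < due:
            return Decision("pending", due, ALL_FIELDS)
        if m.balance_owed > 0:
            # Debt outstanding: keep only what collection needs.
            return Decision("minimise", due, DEBT_COLLECTION_FIELDS)
        return Decision("delete", due, frozenset())
    if m.resigned_at is not None:
        due = m.resigned_at + LAPSED_RETENTION
        if now < due:
            return Decision("pending", due, ALL_FIELDS)
        return Decision("delete", due, frozenset())
    return Decision("keep", None, ALL_FIELDS)


def apply(m: Member, d: Decision) -> Optional[dict]:
    """Record as it should be stored after the decision: None when deleted,
    otherwise a dict holding only the retained fields."""
    if d.action == "delete":
        return None
    return {k: v for k, v in asdict(m).items() if k in d.retained}


# Constructed sample records (not real members) evaluated on GDPR day.
NOW = datetime(2018, 5, 25, 12, 0)
SAMPLE = [
    Member(1, "A. Example", "a@example.org", "0100", "1 High St", "1990-01-01"),
    Member(2, "B. Example", "b@example.org", "0200", "2 High St", "1985-02-02",
           withdrawal_requested_at=NOW - timedelta(hours=12)),
    Member(3, "C. Example", "c@example.org", "0300", "3 High St", "2001-03-03",
           balance_owed=42.50, withdrawal_requested_at=NOW - timedelta(days=3)),
    Member(4, "D. Example", "d@example.org", "0400", "4 High St", "1970-04-04",
           resigned_at=NOW - timedelta(weeks=7)),
]


def run(now: datetime = NOW, members=SAMPLE) -> dict:
    """Map member_id -> (action, stored record) for every member."""
    out = {}
    for m in members:
        d = decide(m, now)
        out[m.member_id] = (d.action, apply(m, d))
    return out


if __name__ == "__main__":
    for mid, (action, stored) in run().items():
        print(mid, action, stored)
```

The point worth taking from the example is the "minimise" branch: a withdrawal with money owed is not a reason to keep the whole record, only the fields the club can justify, so the rule is expressed as an allow-list of surviving fields rather than as a flag that blocks deletion.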



Alan Mawdsley

Can you tell us when the new ClubBuzz features to support GDPR compliance will be available, please? 
In particular, when can we see the proposed standard wording for member registration? 
We are updating our data policy to comply with GDPR and so would like to align with the template wording.

Sarah, Admin

We are working on changes and closely monitoring the information coming from the Information Commissioner's site, so a lot of the work will stay on staging until we are sure they will make no more changes before it goes live; we aim to have it live by the end of April. In terms of wording we are currently looking at this statement:

– Fair Processing Notice
This notice is proposed to be available at the foot of each client’s website and will be read and agreed to by each new member.

By submitting Personal Information to this website, you agree that [the specific club or group name] may process it in the manner described in this policy which describes our current practices with regard to Personal Information and hosted by ClubBuzz Ltd (or GroupBuzz).
The term "Personal Information" refers to information about you personally, which, from time to time, you will be asked to submit (e.g. name and email address) in order to receive or use services on our website.
As a result of changes in the law and technology, our practices will change over time. When this happens, we will post the changes on our website as soon as is practicable and, therefore, we encourage you to check the site frequently. We will always deal with your Personal Information fairly and in accordance with your instructions.
Use of Personal Information
We will use the personal data you provide us in order to
i. Contact you with information relating to your membership of the club
ii. Be able to select you for teams and other activities
iii. Contact you to inform you of new services, events or information which the company thinks will be of interest to you
Disclosure
Any information you provide to us will only be used by us and possibly passed to our partners for the purpose of dealing with payments and using communications portals. It may also be disclosed to your organisation’s Governing Body. You should also be aware that your information may be disclosed where we are obliged or permitted by law to do so.
Timescale
We will hold your Personal Information within our systems for as long as you remain a member of the club [group]. When you cease to be a member all personal data will be deleted within 6 weeks of the date of your resignation.

Security
Your data will be managed by ClubBuzz Ltd who manage data for hundreds of similar clubs in a secure hosting environment. Your data will be retained within the European Economic Area (EEA) other than where it is transferred to a third party for the purpose of setting up a payment regime where it will only leave the EEA if security meets the EU’s security requirements.

SparsholtCricketClub

Will you be adding consent checkboxes to contact forms?

Sarah, Admin

We won't be adding these; you can edit the wording for contact forms to suit your own club and, if you require, you can add consent wording in to this area. The privacy policy will be in the footer of each page and you will also be able to amend this to be personal for your own club.

SparsholtCricketClub

So if the ICO were to approach a club and it was asked to prove explicit consent (which is required) for you to have an individual's personal data, wording is not enough. Best practice indicates that a physical checkbox that the person has to tick indicating that they give their consent should be available. This would then come through on the automated email as consent given.

This is what we have been recommended by a number of GDPR specialists that I have been speaking to.

Sarah, Admin

In terms of best practice, the contact us form will create an email asking you to contact that person; you will need to delete details from that email once you have dealt with it, as the details are not held anywhere on the ClubBuzz system.

The join us form is slightly different: you as a club may need to hold applicant data for 1 or 2 weeks, others may hold them on a waiting list for a year or more, depending upon the nature of the club or the type of activity. We have been advised that personal wording is important and it is the full responsibility of each club to expressly explain why they are holding data; there is almost an implication that by completing the form you are in agreement with those terms. However, I do see your point and we will look at adding a consent tick box to the join us form.

Natalie

Please can you confirm where the data is stored when someone completes the online application? Is this within the EU or outside the EU?

Sarah, Admin

Your data will be managed by ClubBuzz Ltd who manage data for hundreds of clubs in a secure hosting environment. Your data will be retained within the European Economic Area (EEA) other than where it is transferred to a third party for the purpose of setting up a payment regime where it will only leave the EEA if security meets the EU’s security requirements.