SI Bingley Club’s Guide to Data Protection
THE SOROPTIMIST INTERNATIONAL OF BINGLEY CLUB GUIDE TO DATA PROTECTION
For the purpose of this document, references to Soroptimist International Great Britain and Ireland (SIGBI) Limited and Soroptimist International may be written as “SIGBI” and “SI” only.
The General Data Protection Regulation (“GDPR”)
Growing digital technology means the world is a different place to what it was when the Data Protection Act 1998 (“DPA”) came into force. Record keeping has shifted from paper to electronics, the methods for manipulating personal information have become more powerful and identity theft has become a significant problem. People want greater choice and control over how their personal data is used.
The EU General Data Protection Regulation (“GDPR”) extends the data rights of individuals, making transparency a right and increases the obligations on organisations to have clear policies and procedures in place to protect personal data and to adopt appropriate technical and organisational measures.
The GDPR will come into force on 25 May 2018. The new Data Protection Bill repeals the Data Protection Act 1998 and incorporates the GDPR into UK law as well as incorporating some additional new provisions.
How does the GDPR apply to the club?
Every organisation in the EU will need to comply with GDPR and that means SI Bingley has reviewed the impact of the Regulation on its operations and determined what changes need to be made to ensure compliance.
SI Bingley comes within the definition of data controller in the legislation, as a ‘body, which determines the purposes and means of the processing of personal data’.
Processing means ‘obtaining, recording, or holding information or data or carrying out any operation on the information or data’.
Personal data is ‘information relating to a living individual who can be identified from that data’ (the data subject). We also call these people “members”.
Steps We Have Taken
1. Awareness – We have discussed as a Club the fact that the law is changing to the GDPR.
2. Audit – We have carried out an audit of the personal data we hold as a club. We have documented our answers to the following questions –
• What personal data we hold and where it came from
• How it is stored and where it resides physically
• What the lawful basis is for the processing of that data
• What we have told the data subjects, our members, about the processing we carry out
• What we will do with it and what we are planning to do with it
• Who we share that data with
• How secure that data is
• How long the data is held for and what the reason is for that time period
3. Privacy information – We will have a privacy notice on the club website and will ensure that members who do not have online access are given a hard copy. The club has explained to its members the different ways information will be used, what we will not do with the data, how we will ensure its security, how individuals may access their data and how to make a complaint.
4. We have considered the individual rights listed below and how the club can ensure these will be met. For example, how the club would deal with a subject access request.
5. Data breaches – we have put in place procedures to detect, report and investigate a personal data breach.
6. We have designated the Executive and Development Committee to take responsibility for data protection compliance.
GDPR IN DETAIL
The GDPR outlines 6 principles that should be applied to any collection or processing of personal data.
1. PERSONAL DATA MUST BE PROCESSED LAWFULLY, FAIRLY AND TRANSPARENTLY
Conditions for processing
In order for processing to be lawful under the GDPR, we need to identify a lawful basis before we can process personal data; these bases are referred to in the GDPR as ‘conditions for processing’. The lawful basis identified affects individuals’ rights (see below): for example, relying on consent to process data generally gives the individual stronger rights, such as the right to have data deleted.
You don’t need consent for every use of personal data, but if you don’t have consent, you need to know what other legal justification you have that allows you to use the data. It is important that you determine your lawful basis for processing data and document this.
The conditions for processing that may be relevant to the club’s processing of personal data are:
(i) Consent of the data subject/member
CONSENT UNDER THE GDPR
The GDPR sets a high standard for consent. The Club will ensure it has clear and unambiguous consent.
• Consent should be in a separate form/document to other terms and conditions of business and the consent document should be laid out in simple terms.
• Pre-ticked opt-in boxes are specifically banned.
• Consent must be given to each separate processing activity (e.g. if you wish to carry out 6 different actions, the data subject/member must consent to all of them).
• We will keep clear records to demonstrate consent (who consented, when, what they were told at the time, how they consented and whether they have withdrawn consent).
• We have informed data subjects, members, of their right to withdraw consent and it is easy for them to do this.
(ii) The processing is necessary for the performance of a contract.
(iii) The processing is necessary for the purposes of legitimate interests pursued by the club (including commercial benefit) unless this is outweighed by harm to the individual’s rights and interests.
Most of the club’s processing of personal data relating to members falls under this condition of processing, because the processing is required to enable the club to carry out its functions as a membership organisation.
Fair and transparent processing
Even if an organisation has a legal basis other than consent for sharing data, it still needs to tell people what it is doing with their data in order for the processing to be fair and transparent (unless there is an exemption from this in data protection legislation).
When collecting personal data, organisations need to give people certain information, such as their identity and how they intend to use their information. This is usually done through a Privacy Notice, which we have on our Club website. Under the GDPR we need to tell people our lawful basis for processing the data, our data retention periods and that individuals have a right to complain to the Information Commissioner if they think there is a problem with the way we are handling their data. We have provided this information in concise, easy to understand and clear language.
2. PERSONAL DATA CAN ONLY BE COLLECTED FOR SPECIFIED, EXPLICIT AND LEGITIMATE PURPOSES
(See the Right to be Informed, below.)
3. PERSONAL DATA MUST BE ADEQUATE, RELEVANT AND LIMITED TO WHAT IS NECESSARY FOR PROCESSING
This requires data minimisation – collecting only what is necessary for the particular purpose and retaining a minimum amount of data.
4. PERSONAL DATA MUST BE ACCURATE AND KEPT UP TO DATE
The club has a method for ensuring details (such as addresses) are kept up-to-date. This is done via our annual membership renewal process.
5. PERSONAL DATA MUST BE KEPT IN A FORM SUCH THAT THE DATA SUBJECT/MEMBER CAN BE IDENTIFIED ONLY AS LONG AS IS NECESSARY FOR PROCESSING
We have decided what the retention policy is for the personal data we process.
The club, as part of its Data Protection Policy, has a data retention policy that specifies retention periods for different categories of information.
6. PERSONAL DATA MUST BE PROCESSED IN A MANNER THAT ENSURES ITS SECURITY
The GDPR specifies protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Examples of technical measures are: anti-virus software on computers, back-up, firewalls, password protection, encryption, steps taken to stop cybercrime, hacking and other security compromises, robust IT systems etc.
Examples of organisational measures are: policies and procedures.
We have taken suitable technical and organisational measures to protect members’ personal data.
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act. The GDPR provides the following rights for individuals:
1. THE RIGHT TO BE INFORMED
The right to be informed encompasses our obligation to provide ‘fair processing information’, usually through a privacy notice. Our Privacy Notice sets out the information we hold and when individuals should be informed of it. The information we hold has come to us directly from individual members. The information is concise, transparent, intelligible, easily accessible, written in clear and precise language and is free of charge.
2. THE RIGHT OF ACCESS (SUBJECT ACCESS REQUESTS)
Individuals have a right to obtain confirmation that their data is being processed and gain access to their data under the GDPR. These are to be complied with within 30 days. We make no charge for complying with the request.
3. THE RIGHT TO RECTIFICATION
Members can have any inaccurate or incomplete personal data rectified and, if this data has been disclosed to any third parties, we will inform them of the rectification where possible. We will respond to a request for rectification within one month.
4. THE RIGHT TO ERASURE/ RIGHT TO BE FORGOTTEN
This enables individuals to request the deletion of personal data where there is no compelling reason for its continued processing, but is only available in limited circumstances and is not an absolute right.
5. THE RIGHT TO RESTRICT PROCESSING
When individuals exercise this right, we are allowed to store personal data but not to further process it.
6. THE RIGHT TO DATA PORTABILITY
This is unlikely to ever apply to the club because it enables easy transfer of data for consumers.
7. THE RIGHT TO OBJECT
Individuals have a right to object to processing based on legitimate interests. If the request is valid, the club will stop processing in these circumstances, unless we can demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the individual or the processing is in relation to legal claims.
We have stressed to individuals their right to object “at the point of first communication” and in our privacy notice.
8. RIGHTS IN RELATION TO AUTOMATED DECISION MAKING AND PROFILING
This is unlikely to ever apply to the club. It is designed to be a safeguard against potentially damaging decisions being taken without human intervention.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The Regulation mandates informing both the Information Commissioner and the data subject/member themselves where the breach may result in serious harm to the rights and freedoms of the data subject/member or the breach affects the personal data of a large number of data subjects/members. A process is in place to make these notifications in the event of a breach. Data Breach Reports must be made within 72 hours of The Club becoming aware of the breach. The notification must be in the form set out in our Data Breach Policy which includes a description of the process and measures we will take to address the breach and mitigate its possible side effects.