GDPR for small clubs and societies: How to become GDPR compliant

In this article:

• Basic UK GDPR terminology for small clubs and societies
  
• What do small clubs and societies need to do to become UK GDPR compliant
• How important is consent for small clubs and societies in the UK
• What does data processing mean for small club and societies?
• What is the difference between data processors and data controllers, and what does it have to do with small clubs and societies?
• What are the eight basic privacy principles of UK GDPR?
• What are the children's rights under the UK GDPR for small clubs and societies?
• What happens when a data breach occurs?
• Do small clubs and societies need a data protection officer? (DPO)
• Conclusion
        

Basic UK GDPR terminology for small clubs and societies

Before getting started, here are some key terms to keep in mind to gain a better understanding of how GDPR works.

• Personal Data
  • Any information on a named or identifiable person, whether it is related to his or her personal, professional, or public life.
    
• Special category of data
  • Personal data that uniquely identifies an individual, such as racial or ethnic origin, political ideas, religious or philosophical views, trade union membership, sexual orientation, and health, genetic, and biometric data.

• Consent
  • Consent is defined as any "freely provided, precise, informed, and unequivocal" expression of the data subject's desires, either by a word or a clear affirmative action.

• Data Subjects
  • A single individual is a data subject. An individual, a member, a consumer, a candidate, an employee, a contact person, and so on are examples of data subjects.

• Data Controllers
  • Any organisation, person, or body that sets the objectives and methods of processing personal data, whether alone or jointly, is in charge of the data and is accountable for it.

• Data Processors
  • The data controller decides the objectives for which personal data is processed and the methods by which it is processed.

• Legitimate interest
  • The most flexible of the UK GDPR's lawful basis for processing personal data is legitimate interest. It applies anytime a small club or society utilises personal information in a way that the data subject would anticipate.
    
• Contract
  • A document between controllers and processors that guarantees both parties are aware of their responsibilities, liabilities, and obligations.

• Legal Obligation
  • The need to comply with the law in order to process someone's personal information.

• Vital interests
  • Interests that are necessary in one's life. The scope of this legal basis is quite narrow, and it usually only applies to life-and-death situations.

• Public task
  • Executing a specified task in the public interest as defined by law or exercising official authority as defined by law.

Now that we have discussed a few terms used in UK GDPR compliance let us take a look at the ways UK GDPR will affect small clubs and societies in the future.

What do small clubs and societies need to do to become UK GDPR compliant?

The following points are recommended to keep in mind when helping your small club or society comply with UK GDPR:

• Collecting member information
  • When collecting member information on your website, you must make it clear to the member how their data will be used.
    
• Storing supporter information
  • Data security is already crucial, and it will only become more so in the future. The UK GDPR mandates you to preserve records proving that your supporters have actively opted in.

• Communicating with supporters
  • Inform everyone who will have a long-term relationship with your small club or society (members, investors, mailing list subscribers) about your privacy policy and encourage them to opt in to remain on your records.

• Existing members and contacts
  • The UK GDPR applies to all data, not only data that was obtained after the legislation came into effect. You may need to contact your current members and contacts ahead of time to confirm that they have opted-in to receive marketing emails from your small club or society.

• Keeping membership lists
  • Make some changes to how membership lists are maintained in the club or society. It is no longer acceptable to save data in any binder that may be lying around the club office.
  • If you have physical binders with membership lists, they must be kept in a secure location with only you having access. If you keep it on your desktop, it must be password-protected.

• Map your data
  • Keep track of where your data is stored and how it is kept safe. Work toward reducing the number of places the data is stored and ensure your data is backed up.
    
• Write a GDPR implementation policy
  • Based on the information you gathered from the Data Map about your club or society. You will need policies for data disposal, as well as how people can access their data. Demonstrating how you are complying with GDPR will always put you in a good position.
    
• Use your GDPR implementation policy to write a privacy policy
  • If the public is interested, they may read this document, which explains their rights and how your club or society handles their personal data. It should be kept somewhere accessible so that it may be provided on demand.
    
    
   

How important is consent for small clubs and societies in the UK?

Consent involves providing individuals with the choice and control over how their data is used. Under GDPR, consent must be freely provided, detailed, uninformed, and must have a clear expression of the individual's intentions.

Consent must be distinct from other terms and conditions, and their consent should have easy ways to revoke consent if needed.

Therefore, under UK GDPR, consent must be:

• Unbundled : Separate from general terms and conditions
• Active opt-in : No pre-ticked boxes
• Named : Clear who is given consent; not just ‘third parties’
  
• Documented : Records are kept of the consent)
  
• Easy to withdraw
  

Some data processed by small clubs and societies will be covered by the 'contract' or 'legitimate interests' bases and in those cases no consent is needed. But most marketing activity done by non-profit organisations will rely on consent as its lawful basis.

What does data processing mean for a small club and societies?

The collecting, processing, or use of personal data by a processor in line with the controller's instructions based on a contract is known as data processing.

Before collecting and processing a member's personal data or special category data, clubs and societies must first determine the legitimate basis for processing and document it.

Personal and special types of data have various legal bases. For example, if you are running a sport’s club, as part of its membership application form, the club's valid purpose for processing might be to fulfil membership duties (performance of a contract or to enter into a contract). If there is any uncertainty, however, clubs must get informed consent (in the section above).

Employees can depend on the requirement to meet their legal duties as employers as the legal basis for processing their personal data.

What is the difference between data processors and data controllers and what does it have to do with small clubs and societies?

Understanding what the terms data controller and data processor mean is important because each role represents different tasks of the club or society.

Essentially, clubs and societies are the data controllers since they store and process the data of their members. Even if the club hires a third-party provider to help with UK GDPR compliance, the club is still responsible.

The club, as the controller, is accountable for the processing's legality, among other things. In addition, the data controller must inform the members of the processing and notify the supervisory authorities in the event of a breach.

The data processor processes personal data only on behalf of the controller. The data processor is frequently a third-party entity outside the club or society.

What are the eight basic privacy principles of UK GDPR?

Understanding the basic principles of UK GDPR is the most critical step in protecting privacy and complying with the UK GDPR.

As a club owner, it’s important to be aware of the rights of individuals. These are simple and straightforward rights.They notify individuals about what you are doing and how you are doing it, as well as how they may get copies of their information, correct any mistakes, or have data erased at any time. They are as follows:

• Right to be informed
  • The right to be informed about the processing of personal data related to an individual should be provided to them at the time of collection and within a reasonable time after that.
    
• Right of access
  • Individuals should have the right to view their personal data, which they may have shared, in order to check how that information is being used.

• Right to rectification
  • Individuals should be permitted to receive their personal data for the purpose of correcting inaccurate or missing facts in order to increase their control over personal data.

• Right to Erasure
  • The individual shall also have the right to have his or her personal data deleted and no longer processed if the data is no longer necessary for the purposes for which it was acquired or otherwise processed, or if he or she has withdrawn his or her agreement to such processing.

• Right to restriction of processing
  • Individuals have the right to request that their data be handled in a specific way in certain circumstances. For the time being, you must stop processing their data as asked.

• Right to data portability
  • When personal data submitted by an individual with his or her consent is processed by automated means, the individual should be able to receive that data.

• Right to object
  • Individuals have the right to object to the processing of their personal data on grounds relating to their particular situation, and no further processing of such data will take place until given the green light.
    
• Right to avoid automated decision making
  • The individual has the right not to be subjected to a decision based exclusively on automated processing, including profiling, that has legal consequences for them or otherwise has a substantial impact on them.

Children in small clubs and societies such as sports clubs, school academic clubs, scout clubs, require extra care since they are less aware of the consequences they may face. Learn more about this in the next section.

What are the children’s rights under the UK GDPR for small clubs and societies?

When targeting children under the age of 18 for data privacy, the UK GDPR has added specific concerns to make data protection transparent.

Children aged 13 and over are able to give their own permission in the UK. In turn, clubs and societies must consider the need to safeguard children and plan all operations accordingly. And of course, parental permission must be obtained for children under the age of 13.

When collecting data, make sure you have an effective way of identifying the age of the people you are collecting it from, and that you have parental permission processes in place if necessary. When seeking consent from children above the age of 13, a pro tip is to always use simple and straightforward language.

What happens when a data breach occurs?

You must ensure that personal data is kept safe, by doing things like encrypting and password-protecting electronic documents and backing them up on a regular basis.

You must also ensure that your volunteers can recognise when a breach has occurred and that they are aware of what they should do and who they should contact in the event of a breach.

Failure to comply with the UK GDPR may result in significant fines ranging from €10 million to €20 million, or 2% to 4% of an organisation's entire global annual revenue in the previous financial year (depending on whichever is greater). You may sometimes have to pay compensation to the individuals affected by the breach as well.

Also, you will only have 72 hours from being aware of a breach to report it to the ICO.

Do small clubs and societies need a data protection officer? (DPO)

You already need to have someone in your organisation responsible for data protection and the UK GDPR does not change that.

This role of a DPO is unlikely to be required in most small organisations. A DPO must be appointed if you:

• are a public authority;
  
• carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
• carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
  

The role of a DPO can be performed by a third-party organisation such as DataGuard. Our external DPOs will help your small club or society understand data protection and become overall UK GDPR compliant.

Conclusion:

Spend some time learning what you'll need to do to become compliant. Make a strategy for your UK GDPR journey so that you and your club or society may become UK GDPR compliant as quickly as possible.

DataGuard helps small clubs and societies better understand data privacy and become GDPR compliant.

If you need advice on becoming UK GDPR compliant or how you can protect your data against data breaches, get in touch with one of our GDPR experts to book a consultation today.