Data Protection law has changed.
GENERAL DATA PROTECTION REGULATIONS 2018 [GDPR]
The General Data Protection Regulation comes into force on Friday 25 May 2018.
Rotary and GDPR
The Rotary Support Centre has been working closely with
the RI office, specifically the legal services team, on becoming GDPR
compliant within our two offices and this will be a continuous process
to ensure that we remain compliant. RI has a responsibility to also be
GDPR compliant. They are data controllers of personal data of UK
citizens, and of course citizens of other European countries with the
Republic of Ireland being of specific interest to us.
GDPR affects everyone who collects, processes or has access to
personal data, i.e. clubs, districts and where applicable, individual
The Rotary Support Centre will be issuing communications to club and
district officers, and to the wider membership, in the form of
newsletters and specific webinars. Visit the GDPR – Communications webpage to view the plan. You will also be able to register for the
webinars by clicking the relevant link in the Communications Plan table.
To view current or previous newsletters, visit the GDPR – Newsletters webpage.
Background DPA to GDPR
General Data Protection Regulation (GDPR) legislation is coming into
force on 25 May 2018. It is EU law but it will become law in the UK on
25 May 2018 (regardless of BREXIT) and will replace the Data Protection
The Data Protection Act (DPA) has been in force in the UK since 1998; data protection is not new, but it is changing.
The DPA is certainly in need of an upgrade – it was suitable back
when it was introduced but, with technology and the digital age, we have
evolved in the way in which we generate, store, access and use data
every day and new guidance and protections needed to be put in place to
safeguard everyone’s interests.
Main differences between GDPR and DPA principles
The eight DPA principles are now down to six GDPR principles. These
focus on the intent with which any data is accessed and used being
lawful, fair and transparent, and on it being for specified, explicit and
legitimate purposes. They also focus on data being adequate, relevant
and limited to what’s necessary in relation to the purpose of the data
access. Consideration is given to how accurate the held data is
and how it is kept up-to-date, and to it being held in a form where
the data subject could be identified for no longer than necessary.
Finally, it also looks for confirmation of appropriate technical or
organisational measures being in place in an organisation to protect
against unlawful or unauthorised processing, as well as accidental loss
Members, clubs and districts should already be working within the
current DPA and the GDPR principles are based around the DPA principles.
The following documents are useful guides for the GDPR principles and
are ideal for clubs and districts to use at events, such as DOTS, PETS,
Assembly, Conferences and within clubs for members to raise awareness
and understanding of responsibilities.
DPA to GDPR Principles – flowchart - shows how the previous Data Protection Act principles have evolved into the GDPR principles.
GDPR Principles - explanation of each of the GDPR principles. More detailed information on the GDPR principles can be found here on the ICO website.
What should clubs and districts be doing?
It is widely recognised that not everyone will be 100% compliant on
25 May 2018. However, this does not exonerate clubs and districts from
their responsibilities or from the need to start taking action now and
formulate club and district plans. Click here to see a few of the simple steps you can take now. More topics and advice will be covered in the GDPR newsletters.
Data Management System (DMS)
Both RIBI and RI provide a number of tools to members, clubs and districts for administration and communication, such as the RIBI Data Management System (DMS) and My Rotary. You access personal data via these tools as a data processor and
providing that you use the personal information in accordance with your
Rotary role and the RIBI and RI privacy policies you can be confident
that you are acting within GDPR. Should you use the information outside
the parameters of the privacy policies or the Rotary role for which you
have access to that information, then you will be in breach of those
policies and GDPR.
The RIBI Data Management System (DMS) will undergo continuous review,
modification and development. We want members, clubs and districts to
use the DMS as the ‘go to’ administration and communication facility.
An information webinar to help better understand the capabilities of
the DMS has been scheduled in May 2018. This is a great refresher for
those who already use the DMS and, more importantly, a great start for
those who are new to the DMS and want to understand the benefits. See below for
Information Webinars - Details and Registration
A number of webinars will be held to assist with understanding GDPR
responsibilities and resources available. Below are details of the
webinar schedule to date. All webinars will be recorded and made
available on the GDPR webpages as a resource for you to view/use at a
Please register early as spaces will be limited for webinars.
| Webinar | Date & Time | Audience | Registration |
|---|---|---|---|
| GDPR, Security and IT | Wednesday 18 April 2018, 7.00pm to 8.30pm | District Officers for Data Protection, IT Administrators, DMS Administrators and District Secretaries | Registration has now closed. The recording of the webinar will be posted here shortly for you to view |
| GDPR and DMS Demonstration | Wednesday 16 May 2018, 7.00pm to 8.00pm | Open invitation to district/club officers and members | Click here to register for this webinar |
The Support Centre will continue to develop resources to assist the RIBI
office, clubs and districts to be GDPR compliant. These will include a
move to an online Membership Proposal Form; this will provide an
electronic record held centrally which will include consent to collect
and process personal data. The way in which directories are produced is
also under review.
Downloadable resources can be found on the GDPR – Resources page here.
You can contact the RIBI Support Centre on data protection matters at the new email address email@example.com
Information Commissioner’s Office (ICO)
The ICO is the UK’s independent body set up to uphold information rights and is
empowered to enforce GDPR. The ICO website is where you will find ALL the information regarding GDPR and responsibilities. You should bear in mind that the ICO website
gives the absolute information for GDPR which is intended for ALL types
of organisations and individuals.
However, the guidance can be overwhelming when first approached as it
is very much aimed at large organisations that process large
amounts of data, most of which is for marketing purposes – you need to
read the ICO advice and guidance in the context of the type of
information that clubs, districts and members collect and use.
When using tools such as the DMS or My Rotary, clubs and districts
are data processors and must treat that data within GDPR and the privacy
policies set by RIBI and RI. If a club or district, or individual
member, collects personal information outside of these tools for their
own use, such as a district conference or club project/event, then they
do so as a data controller and have more responsibility for that data.
More information regarding this will be covered in newsletters and
As GDPR day approaches you will see more and more hype and
scaremongering surrounding GDPR, mainly from companies offering
‘solutions’ at a cost. Such companies quote instances of huge fines for
data breaches, but what they do not tell you is that the offenders were
large organisations who process significant amounts of personal data, in
the main, for marketing purposes and that they had ignored improvement
instructions from the ICO which resulted in the size of the fines. Do
not be drawn in by such companies; all the guidance you need is on the ICO website.
The ICO is there to encourage, advise and support organisations in the
first instance and will work with them should they encounter
difficulties with data breaches; its aim is not to immediately impose
fines for minor offences.