General Data Protection Regulations [GDPR]


Data Protection law has changed.

GENERAL DATA PROTECTION REGULATIONS 2018 [GDPR]

The General Data Protection Regulation comes into force on Friday 25 May 2018.

Expand each heading to read more information regarding GDPR and Rotary. [you need to be logged in to www.rotarygbi.org

Rotary and GDPR

The Rotary Support Centre has been working closely with the RI office, specifically the legal services team, on becoming GDPR compliant within our two offices and this will be a continuous process to ensure that we remain compliant. RI has a responsibility to also be GDPR compliant. They are data controllers of personal data of UK citizens, and of course citizens of other European countries with the Republic of Ireland being of specific interest to us.

GDPR affects everyone who collects, processes or has access to personal data, i.e. clubs, districts and where applicable, individual members.

Communications

The Rotary Support Centre will be issuing communications to club and district officers, and to the wider membership, in the form of newsletters and specific webinars. Visit the GDPR – Communications webpage to view the plan. You will also be able to register for the webinars by clicking the relevant link in the Communications Plan table.

To view current or previous newsletters, visit the GDPR – Newsletters webpage.

Background DPA to GDPR

General Data Protection Regulation (GDPR) legislation is coming into force on 25 May 2018. It is EU law but it will become law in the UK on 25 May 2018 (regardless of BREXIT) and will replace the Data Protection Act 1998.

The Data Protection Act (DPA) has been in force in the UK since 1998; data protection is not new, but it is changing.

The DPA is certainly in need of an upgrade – it was suitable back when it was introduced but, with technology and the digital age, we have evolved in the way in which we generate, store, access and use data every day and new guidance and protections needed to be put in place to safeguard everyone’s interests.

Main differences between GDPR and DPA principles

The eight DPA principles are now down to six GDPR principle and these focus on the intent with which any data is accessed and used being lawful, fair and transparent, and that it is for specified explicit and legitimate purposes. It’s also focused on data being adequate, relevant and limited to what’s necessary in relation to the purpose of the data access. Consideration is given to how accurate the data that is held is and how it is kept up-to-date, plus that it’s only held in a form where the data subject could be identified for no longer than necessary. Finally, it also looks for confirmation of appropriate technical or organisational measures being in place in an organisation to protect against unlawful or unauthorised processing, as well as accidental loss or destruction.

Principles

Members, clubs and districts should already be working within the current DPA and the GDPR principles are based around the DPA principles.

The following documents are useful guides for the GDPR principles and are ideal for clubs and districts to use at events, such as DOTS, PETS, Assembly, Conferences and within clubs for members to raise awareness and understanding of responsibilities.

DPA to GDPR Principles – flowchart - shows how the previous Data Protection Act principles have evolved into the GDPR principles.

GDPR Principles - explanation of each of the GDPR principles.  More detailed information on the GDPR principles can be found here on the ICO website.

What should clubs and districts be doing?

It is widely recognised that not everyone will be 100% compliant on the 25 May 2018. However, this does not exonerate clubs and districts from your responsibilities and the need to start taking action now and formulate club and district plans. Click here to see a few of the simple steps you can take now. More topics and advice will be covered in the GDPR newsletters.

Data Management System (DMS)

Both RIBI and RI provide a number of tools to members, clubs and districts for administration and communication, such as the RIBI Data Management System (DMS) and My Rotary.You access personal data via these tools as a data processor and providing that you use the personal information in accordance with your Rotary role and the RIBI and RI privacy policies you can be confident that you are acting within GDPR. Should you use the information outside the parameters of the privacy policies or the Rotary role for which you have access to that information, then you will be in breach of those policies and GDPR.

The RIBI Data Management System (DMS) will undergo continuous review, modification and development. We want members, clubs and districts to use the DMS as the ‘go to’ administration and communication facility.

An information webinar to help better understand the capabilities of the DMS has been scheduled in May 2018. This is a great refresher for those that already use the DMS and more importantly a great start for those new to the DMS and want to understand the benefits. See below for registration details.

Information Webinars - Details and Registration

A number of webinars will be held to assist with understanding GDPR responsibilities and resources available. Below are details of the webinar schedule to date. All webinars will be recorded and made available on the GDPR webpages as a resource for you to view/use at a later date.

Please register early as spaces will be limited for webinars.

 Webinar:  GDPR, Security and IT
 Date & Time:  Wednesday 18 April 2018, 7.00pm to 8.30pm
 For:  District Officers for Data Protection, IT Administrators, DMS Administrators and District Secretaries
 Registration:  Registration has now closed.  The recording of the webinar will be posted here shortly for you to view
 Webinar:  GDPR and DMS Demonstration
 Date & Time:  Wednesday 16 May 2018, 7.00pm to 8.00pm
 For:  Open invitation to district/club officers and members
 Registration:  Click here to register for this webinar

Resources

The Support Centre will continue to develop resources to assist the RIBI office, clubs and districts to be GDPR compliant. These will include a move to an online Membership Proposal Form; this will provide an electronic record held centrally which will include consent to collect and process personal data. The way in which directories are produced is also under review.

Downloadable resources can be found on the GDPR – Resources page here.

You can contact the RIBI Support Centre on data protection matters on the new email address privacy@rotarygbi.org 

Information Commissioners Office (ICO)

The ICO is the UK’s independent body set up to uphold information rights and is empowered to enforce GDPR. The ICO website is where you will find ALL the information regarding GDPR and responsibilities. You should bear in mind that the ICO website gives the absolute information for GDPR which is intended for ALL types of organisations and individuals.

However, the guidance can be overwhelming when first approached as it is very much aimed around large organisations that process large amounts of data, most of which is for marketing purposes – you need to read the ICO advice and guidance in the context of the type of information that clubs, districts and members collect and use.

When using tools such as the DMS or My Rotary, clubs and districts are data processors and must treat that data within GDPR and the privacy policies set by RIBI and RI. If a club or district, or individual member, collects personal information outside of these tools for their own use, such as a district conference or club project/event, then they do so as a data controller and have more responsibility for that data. More information regarding this will be covered in newsletters and webinars.

As GDPR day approaches you will see more and more hype and scaremongering surrounding GDPR, mainly from companies offering ‘solutions’ at a cost. Such companies quote instances of huge fines for data breaches, but what they do not tell you is that the offenders were large organisations who process significant amounts of personal data, in the main, for marketing purposes and that they had ignored improvement instructions from the ICO which resulted in the size of the fines. Do not be drawn in by such companies, all the guidance you need is on the ICO website.

ICO is there to encourage, advise and support organisations in the first instance and will work with them should they encounter difficulties with data breaches, their aim is not to immediately impose fines for minor offences.

Contact Permission