General Data Protection Regulations
What should clubs be doing
It is widely recognised that not everyone will be 100% compliant on 25 May 2018. However, this does not
exonerate you from your responsibilities and the need to start taking action now and formulate your club’s plans. Below are just a few of the simple steps you can take now.
• First and foremost, raise awareness of GDPR with club members and club officers. The more people know
about it the less scary it is; it soon becomes routine rather than a chore.
• Reiterate and monitor good practice, such as using the ‘Bcc’ field when sending emails – don’t assume everyone
knows what you mean by Bcc (from experience, many confuse this with ‘cc’, which does not keep the email
address confidential) – think about giving a practical demonstration; some members will appreciate it.
• Password protect spreadsheets – if you don’t know how, Google is a wonderful thing!
• Where your club or district has a website, make sure that personal contact details are not on public pages –
where possible, consider using a generic contact email address on your website such as ‘enquiry@xxxxxx.xxx’
which can be redirected to individual Rotarians.
• Understand and document what personal data your club/district collects, where and by whom it is held, and who
has access to it. Many of the changes with GDPR revolve around having good documented evidence that shows
you know what personal data is held, where data is held, and that data collection and security are recorded as part
of the planning process of activities.
• Think ahead – a new aspect of GDPR is ‘privacy by design’. For example, as soon as your club/district decides to
embark on a project or event that includes the collection of personal data (whether from Rotarians or non-Rotarians),
you must from the outset consider and document as part of your plans how you are going to manage
the personal data within GDPR. If you have already started planning an event taking place after 24 May 2018,
revisit the planning and document how you are going to manage any personal data.
• Ensure that those who hold or access personal data have appropriate security on their PC/devices, including
firewalls on home routers. We will be covering this subject with District IT Officers in due course so that they
may provide additional support at club and district level.
• Ensure that those who hold or access personal data have specific training and abide by the Rotary GB&I Privacy Policy
and any additional club and/or district privacy policies.
IMPORTANT
Clubs must note that for every activity, youth competition or event where an entry form or online application captures personal data, a Privacy Notice is required, bespoke for the event and added to the event website if there is one.
Clubs are also required to have their own Privacy policy for the club.
Clubs/districts also have to remember that when they collect personal data as a Data Controller for their own use (i.e. outside of the Rotary membership tools) and share the data with an outside company/organisation/individual, they need to have signed agreements (contracts) in place setting out how the club/district expects that company/organisation/individual to handle the data on their behalf. Whilst this may seem onerous, remember GDPR applies to everyone and, like Rotary, companies you deal with should be preparing for GDPR and should have their privacy notice readily available – you just have to ask for it.
When undertaking a specific activity and collecting personal data as a Data Controller, it cannot be assumed that an individual is automatically happy for you to use their data for multiple purposes; you have to separate out those requests and give options for individuals to opt out. For instance, where a club organises a Rotary Ride event, it is a ‘reasonable expectation’ by that individual to have their personal data used to process their registration for that year’s event, but it cannot automatically be assumed that the individual will also wish to receive communications after the event regarding any subsequent Rotary Rides the club may organise. A separate tick box specifically to gain consent to be included in a mailing list for information about subsequent Rotary Ride events must be used, together with a tick box to opt out of being included on the mailing list. If a club also wanted to get consent to mail that individual with information about other general club activities, a separate tick box must be used for each mailing list so that the individual has the option to be included in one, both or none.
PRIVACY NOTICE TEMPLATE
Club Privacy Notice template (click it) - This template can be used and adapted for your club’s OWN Privacy Notice and for any club event or youth competition etc. where personal data is collected (e.g. a registration form or sponsorship form). Please feel free to use it as a framework to adapt to the way your club works.
For Clubs
A useful aide-memoire: see here for the 6 Principles of GDPR
1. Suggested words to be added to your club’s yearly invitation to Honorary or Associate members. These members are not fee paying to Rotary, so Rotary has no assumed right to store or use their information; you MUST obtain their permission and retain it in the club.
"By accepting the Honorary/Associate membership you accept that Rotary will store and use your personal data for lawful purposes and subject to the Rotary Great Britain & Ireland Privacy Notice and General Data Protection Regulations."
2. Clubs CAN NOT use historic lists of names/emails/phone numbers previously gathered to circulate invitations to up-and-coming events such as bike rides, swimathons, fun runs etc. They have not given you their data to use to contact them! However, you can contact them to ask if you can use their information to contact them in the future. Suggested words for clubs to use or amend:
"We need to talk (but we need your permission first!). Just one click is all it takes.
Communicating with the people who support the work we do in Rotary is vital.
However, new Data Protection legislation is being introduced which means we need to contact everyone on our email database and check we can carry on staying in touch.
The Rotary club think it’s really important we keep you up to date with what we’re doing and how you can get involved if you wish.
To continue to allow us to contact you please just reply with a Yes. You can opt out at any time by contacting us.
A no reply will mean we assume you do not wish to be kept informed and your data will be removed."
Note: A no reply CANNOT be assumed as a yes! To continue to contact them will be a breach of the legislation. You have been warned.
All "yeses" will need to be retained so the club can prove they have received an agreement to use the data. If you cannot prove you have the agreement then you will be in breach of GDPR.