On the 28th May 2018 the General Data Protection Regulation (GDPR) comes into force across Europe. But what does this regulation mean and how should golf clubs deal with it? The regulation consists of 4 main areas, which are explained below.
Legal
The GDPR requires you to have confidentiality statements, a privacy policy and processor agreements. You must have an agreement with every third party (processor) you share personal data with. This could be a printing office, a data host, the system you send your newsletters with, etc. That agreement should cover the security of the data as well as the removal of the data when it is no longer needed.
An important point is the Right to be Forgotten. Companies have to inform their members how they are capturing personal data and how that data can be removed. The best way to do this is to add it to your privacy policy and to publish that policy on your website.
ICT
Software and virus scanners always have to be up-to-date. Back-ups are mandatory. These back-ups have to be secured to protect personal data from loss and ransomware. This means that every data carrier (like a USB stick) must be protected.
Another rule is that data storage (in the cloud) is not allowed outside of the EU. If data is stored outside the EU anyway, it must be certain that the data protection rules are the same as within the EU. For example, data storage in the USA is not allowed since they don’t follow the same data protection rules.
Internal procedures
It is important to look at your organisation and make an inventory of the personal data you have captured. All channels and sources (e-mails, Excel files, files in the cloud, printed files, CRM system, etc.) should be checked and recorded in one document with information on the type of personal data you hold. Important: you may only save personal data if you have a reason/purpose for it and the permission of that person.
Secondly, you have to make sure that not everyone can see this information. Protect it with a password or keep it in a cabinet that can be locked. In that case you also need a key policy: who keeps the key and who may use it.
Education
Awareness is very important and must be clearly expressed to all employees and volunteers. Make sure everyone knows what they can and cannot do and what procedures are in place.
Detailed map topic by topic – General Data Protection Regulation
- Personal data
Personal data consists of all data that gives information about an identifiable, natural person. Information about members of a professional company and personal data of employees of member organisations also fall under this regulation.
There are 2 types of personal data:
- Normal personal data
(name, address, zip/postal code, city, province, country, place of residence, phone number, fax number, e-mail address, website, gender, date of birth, place of birth, titles, marital status, LinkedIn, Facebook, Twitter, employer, bank account number, license plate)
- Specific personal data
(ethnic background, political preference, religious preference, member of a trade union, genetic or biometric data concerning identification, information on health, sexual orientation, criminal data, information on salary, copy of a passport, identification number)
The ‘processing’ of personal data consists of all the actions you perform on that data. Examples of processing are keeping an Excel member list, a list of addresses for the newsletter, etc. The most important thing you have to do with this data is to make an inventory of it: make a clear overview of the data you are saving.
Important: processing specific personal data is not allowed unless you have explicit permission to do so.
- Purpose
It is important that you use the data for the same purpose for which you received it. The person concerned gave you the data for a specific purpose (becoming a member of your organisation) and that is the only purpose you may use that data for.
Important: make sure to put in the membership agreement that personal data will be used according to your privacy policy. You can add the privacy policy or refer to the policy somewhere on your website.
- Authorization of employees
It is wise to write down which persons are authorised to see personal data and to process that data. Make sure that the authorised persons sign a pledge of secrecy.
- Permission for minors
If the personal data belongs to a person younger than 16 years, you need to have written approval (signature on paper) of a (foster) parent or legal representative.
Important: if the membership is dependent on age you need a date of birth at the registration. If that is not the case you are not allowed to keep that personal data since you don’t need it for a specific purpose.
- Delete personal data
Personal data cannot be kept longer than needed. So if someone ends the membership, the personal data of that person must be deleted.
Be aware: in financial administration this data may be retained, because you are legally required to keep that data for 7 years. This is a regulation in The Netherlands; please check whether the same applies in your country.
- Processor (3rd party) agreement
As an organisation you are not allowed to pass on any personal data without having an agreement. Even with an agreement, sharing personal data is only allowed when it is necessary to accomplish a specific purpose.
- Never store data outside of the EU
Data storage (in the cloud) is not allowed outside of the EU. If data is stored outside the EU anyway, it must be certain that the data protection rules are the same as within the EU. For example, data storage in the USA is not allowed since they don’t follow the same rules concerning data protection.
- Right of Involvement & Privacy Policy
You need to have a privacy policy. You have to inform people about that privacy policy whenever you save their personal data. People should be able to easily find that privacy statement, which includes information about their rights. The easiest way to do so is to publish the privacy policy on your website and to refer to it in all documents and e-mails.
Important do’s and don’ts when it comes to privacy:
- Always lock your screen when you leave your desk
- Never leave documents with personal data on your desk or at the printer
- Never choose to save your login details automatically on your computer
- Know that public networks are not safe
- Pay attention to what you share on social media
- Always cover up your webcam to avoid people looking ‘at you’
- Never share your login details with colleagues
- Make sure your mobile phone is secured with a password
Note: a person always has the right to inspect his or her personal data. You can, for example, hand over a copy of the registration form to them.
- Security of personal data
When it comes to security of personal data you have to take the following measures:
- Encrypt your data carriers (USB etc.) and make sure that personal data is not readable to others
- Ensure the confidentiality, integrity and availability of personal data
- Make sure data can be recovered in case of physical or technical incidents
- Test and evaluate the security on a regular basis
- Access security
All personal data must be secured with a password and, if possible, also with a username.
- System security
In order to keep systems as safe as possible you have to make sure they are kept up-to-date. You can do this by turning on the automatic installation of software updates. Also install good antivirus software that updates itself automatically.
- Back-up
In order to protect data from loss and ransomware it is necessary to make a back-up on a regular basis. Make sure this back-up is stored somewhere safe.
- Secure papers
Personal data is also stored on paper. All papers with personal data on them must be stored in a cabinet that can be locked. Only employees who need that personal data to do their work are allowed access.
Note: in case you have personal data on paper and store it somewhere, it is wise to set up a key policy. Write down in that policy who keeps the key and who is allowed to use the key.