Earlier this week the following guidance was released by Swim England:
As you will probably be aware, from 25 May 2018 the new law for data protection, GDPR, will be coming into effect.
GDPR brings in new requirements on data controllers and data processors. Although most of the principles and terminology have not dramatically changed, the GDPR enhances rights for individuals and introduces a number of additional obligations on organisations, in particular greater transparency and accountability.
We have produced a separate summary of GDPR that you can read here.
What steps to take now?
The Information Commissioner’s Office (ICO) has created a number of useful resources around some of the general aspects of GDPR. However, some of the key areas of guidance are still under consultation. The ICO has produced some guidance for small organisations, including a dedicated advice line. The ICO helpline number for small organisations is 0303 123 1113, then select option four. Further information is available via the links below.
Of the 12 steps to take, the following will be particularly relevant to clubs, counties and regions:
Make sure your committee, volunteers and staff are aware of data protection issues and that the law is changing.
Information you hold
Document what personal data you hold, where it came from and who you share it with. Depending on what systems you already have in place, you may need to undertake a mini-audit to map data flows. This will also act as a reference document for any compliance efforts. Swim England will explain to members how data given through the online membership system will be used, but clubs, for example, will need to document information stored on their own event/club management software and explain to their members how it will be used. To assist with this process we will be providing a data audit template that will be made available on the website during the course of next week.
Identify lawful basis for processing data
The lawful basis for processing needs to be identified and documented. The lawful bases are broadly the same as in the current Data Protection Act (DPA), and in most scenarios clubs, counties and regions will seek to rely on legitimate interest grounds for lawful processing, for example to administer training sessions or to administer an individual in an event they have entered or may wish to enter.
Review how you ask for and record consent. Under GDPR, organisations are likely to rely on other lawful bases for processing rather than on consent, the definition of which has been widened by GDPR. However, you will still need consent to send marketing emails to your members. Consent for marketing will need to be clear, with individuals positively opting in using unticked boxes and with sufficient information so that a clear yes can be indicated in relation to what is being sent to them.
Subject access requests
Under GDPR organisations will only have one month (currently 40 days under the DPA) to deal with subject access requests. Documenting where you hold information will assist in handling requests within the new timescales.
This guidance and briefing note are a general summary of GDPR. This and the further guidance we will be providing are aimed at assisting clubs, counties and regions to address the additional requirements under GDPR. Where organisations have specific concerns that are not addressed by general guidance, specialist advice may need to be sought.