Find out more about the General Data Protection Regulation (GDPR), what it means for your club and what actions you need to take to comply with the law.
From 25 May 2018 the UK's existing data protection laws will be replaced by the EU's GDPR. The new law aims to give EU citizens more control over how their personal data is used, especially online. All organisations who collect, store, share or use individuals' personal data, will need to comply with new regulations or face penalties, including hefty fines. This includes clubs. The key principles to bear in mind are:
Clubs are 'controllers' of personal data for their members (e.g. name, address, email address, telephone number, date of birth, emergency contact details). Clubs may also store personal data for people who stay in huts they operate, or for any non-members signed up to receive email communications.
When clubs share their members' personal data with Mountaineering Scotland for the purpose of registration for insurance, the magazine or email communications, Mountaineering Scotland also becomes a controller of that personal data.
GDPR requires that controllers set out a valid lawful basis for holding and processing personal data. While obtaining explicit consent or 'opting in' is one of the six options available for doing this, it is not required where processing personal data is necessary to provide a service that someone has signed up for, such as membership of a club.
Mountaineering Scotland and affiliated clubs have a 'contractual', 'legal' and 'legitimate' basis for holding and processing members' personal data, so we do not need to seek their additional approval. Instead, the law requires that these reasons are explained clearly to members, that we show we take their privacy seriously, and that we offer options to manage communication preferences where practical.
Between now and May, Mountaineering Scotland and clubs need to start implementing changes to ensure we are GDPR compliant. See our step-by-step advice and templates for clubs below.
We have received legal support through sportscotland's expert resource, Harper McLeod, in pulling together our advice and templates. We are also working with our third party data processors, including Azolve Ltd, our membership database provider, and the Herald & Times Group, our magazine distributor, to make sure we have the tools we need to manage our data effectively in the future.
You need to understand and record what personal data your club holds and the journey it takes through the club. We have created a table to help you record this.
Your club needs to be confident that everyone (people or organisations) with access to your members' personal data is aware of data protection issues and handles that data securely. This may affect how your club's Membership Secretary or Treasurer stores membership forms or other records. It is a good opportunity to review filing systems and to limit the amount of paperwork you have to manage. You may wish to select a member of your committee to coordinate this.
Data security is key: when storing anything on a computer you need to protect yourself by keeping passwords safe and encrypting files that contain personal data. Services such as Mailchimp, Dropbox, OneDrive and Google Drive have built-in security measures to protect files while they are in storage or being shared.
From now onwards, Mountaineering Scotland will require all documents containing personal information shared by email between us and clubs to be password-protected before sending.
GDPR aims to ensure that individuals are more clearly informed by organisations that hold their personal data about how and why it is used, how long it is kept for, who it is shared with and what their rights are as data subjects. A privacy notice is the tool organisations use to set out this information.
Your club needs to create a privacy notice. If you already have one, you may need to update it to provide more detail. We have created a template privacy notice for clubs, which can be amended to fit your club's circumstances.
It is important that all your club's existing members receive the club's new privacy notice. This can be done by email. Any time you change your privacy notice you will need to show it to all members again. Keep a record of how and when you share the privacy notice with your members. You do not need to ask for explicit consent, or for confirmation that the privacy notice has been seen or accepted.
Members of your club also need to be shown the new Mountaineering Scotland privacy notice as we become controllers of their personal data when you register them with us. We will share our privacy notice with all existing members via our magazine and in our monthly members' email newsletter. You need to provide it to your new members when they join you.
Your club must ensure that it only collects personal information that it really needs, and must share its privacy notice with new members (or other individuals) at the point of collecting their personal data, so they can make an informed decision to sign up.
GDPR requires additional protection for the personal data of young people under 16 years old. If you collect children’s personal data, then you need to make sure that you obtain explicit consent from the parent or guardian to process the personal data.
We have created a template membership form which contains a data protection statement flagging up your club's and our privacy notices and asking the member to read them. You can either adopt and tweak this membership form to fit your club's circumstances, or incorporate the text in the data protection box into your existing membership form.
There are new obligations on 'processors' as well as 'controllers' of personal data. This means that if you use any third parties to process data, for example to host your website, distribute emails or administer online hut bookings, you must have a written contract in place with those third parties. We can provide a template 'data processing agreement' and a shorter template 'data processing clause' to add into an existing service agreement.
By following steps 1 and 5 here, clubs will minimise the risk that personal data in their control is lost or stolen. However, in the event of a 'breach' which puts personal data at risk, GDPR obliges controllers to report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Make sure all members of the club with access to personal data are aware of this. We suggest that clubs designate a committee member to take responsibility for reporting any breach.
Another requirement of GDPR is that 'subject access requests' (requests from individual club members for copies of their personal data) must be responded to within one calendar month, rather than the current forty-calendar-day period. They can often be contentious, as individuals usually make requests when they have something to complain about. We suggest that you keep a log of how and when you respond.
This advice has been written to help club officers of Mountaineering Scotland's affiliated clubs review whether their club processes will be compliant with GDPR changes in data protection law. We have received legal support through sportscotland's expert resource, Harper McLeod, in pulling together our advice and templates. The guidance in these web pages does not constitute legal advice and is based on information available at the time of writing.