Introduction
The General Data Protection Regulation (GDPR) came into force on 25th May 2018. This document aims to provide BMFA Affiliated Clubs and Specialist Bodies with all the information they require to ensure GDPR compliance. GDPR is quite a complex regulation and there is a huge amount of information available.
Within this document we have aimed to distil your GDPR responsibilities into 5 stages for clarity, while also providing some more in-depth information so you are better aware of your responsibilities. Template documents that you can adapt to meet your own requirements are also provided.
To further assist you in complying with GDPR requirements, the BMFA JustGo membership system will take care of personal data storage and many of the consent requirements. We strongly recommend that all clubs and specialist bodies use it to administer their club information.
If you have any questions or would like to provide feedback please contact the BMFA Club Support Officer, Andy Symons. Email:- andy@bmfa.org
5 stages to GDPR Compliance for your club
1 Appoint a “Data Protection Compliance Manager”
- Acts as club contact for any data protection issues
- Can be an existing data processor
- Does not need to be registered with the ICO
- Ensure the Compliance Manager is aware of the reporting procedures in the event of a data breach (see "Data breaches" under the 12 Steps below).
2 Conduct a Data Audit
- What data do you collect?
- Is the data necessary?
- How is the data stored?
- Who has access to the data?
- Who do you share the data with?
- What security measures are in place to protect data?
- See sample Data Audit sheet (Appendix 3)
3 Ensure any stored data is secured with limited access
- Password protect any electronic data, including copies held on laptops, USB sticks or in email attachments
- Ensure PCs storing data are password protected, kept up to date with security patches and have up-to-date anti-virus protection.
- Restrict access to the minimum number of processors
- Use the BMFA JustGo Membership portal https://bmfa.justgo.com
- Ensure hard copies of data are stored securely
4 Introduce a Club Privacy Notice
- See BMFA Club Template notice (Appendix 2)
- Ensure Privacy Notice is on your website
5 Communicate Privacy Notice to all members and new members when joining.
- If you use electronic communications to members, gather consent from all existing members and from new members when they join. Consent requires a positive action from the individual (for example ticking an unticked box); pre-ticked boxes, silence or inactivity do not count as consent.
Please Note
As not-for-profit organisations that only process data to maintain membership, you are exempt from registering with the Information Commissioner's Office (ICO). According to the ICO, this exemption is being carried forward under GDPR.
What is GDPR?
In the UK, GDPR replaced the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduced hefty penalties for organisations that fail to comply with the rules, including those that fail to protect personal data adequately and suffer a data breach.
GDPR imposes obligations on organisations that collect, handle and analyse personal data.
Six key principles
- Transparency, fairness and lawful use of personal data.
- Limit to specific legitimate purposes.
- Minimising data collection for intended purpose.
- Ensuring accuracy of data. Right to be rectified or erased.
- Limiting storage of data - to be kept only for as long as is necessary to achieve the purpose.
- Ensuring security, integrity and confidentiality.
Who does the GDPR apply to?
'Controllers' and 'processors' of data need to abide by the GDPR. A data controller decides how and why personal data is processed, while a processor is the party doing the actual processing of the data on the controller's behalf. So the controller could be any organisation, from a profit-seeking company to a charity, a government body or a model flying club. A processor could be an IT firm doing the actual data processing or, in your case, the individuals in your club who access and use the data.
It is the controller's responsibility to ensure their processors abide by data protection law, and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
What information does the GDPR apply to?
Any data, whether stored electronically or as hard copies, that relates to an identified or identifiable person e.g.
- Application Forms
- Home addresses
- Contact Details
- Membership databases
- IP addresses
- Health and medical details
- Feedback forms
- CCTV footage
- An online identifier, user names etc.
12 Steps to GDPR Compliance
The Information Commissioner's Office (ICO) has identified 12 steps to GDPR compliance.
These 12 steps are:
- Awareness :- Make sure that decision makers and key people in your club are aware that the law is changing to the GDPR.
- Information you hold :- You should document what personal data you hold, where it came from and who you share it with. Consider conducting a “data audit” See appendix 3 for sample data audit sheet.
- Communicating privacy information :- Review or introduce a club privacy policy/notice.
When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice.
Under the GDPR there are some additional things you will have to tell people. For example:
- you will need to explain your lawful basis for processing the data,
- your data retention periods, and
- what the individual's rights are, including the right to complain to the ICO if they think there is a problem with the way you are handling their data.
The GDPR requires the information to be provided in concise, easy to understand and clear language.
See Appendix 2 for a Sample Club Privacy Notice.
- Individuals' rights :- Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
- Subject access requests:- Update your procedures and plan how you will handle requests to take account of the new rules:
- In most cases you will not be able to charge for complying with a request.
- You will have a month to comply, rather than the current 40 days.
- You can refuse or charge for requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.
For further details on Subject access requests see https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/subject-access-request/
- Lawful basis for processing personal data:- Identify the lawful basis for your processing activity under the GDPR, document it and update your privacy policy/notice to explain it.
There are 6 lawful bases available: Consent, Contract, Legal Obligation, Vital Interests, Public Task and Legitimate Interests. As a model flying club your primary lawful basis will most likely be:
- Contract: the processing is necessary for a contract you have with the individual (the membership agreement), or because they have asked you to take specific steps before entering into a contract.
However, if you use electronic communications, you should also seek consent:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose, especially electronic communications.
- Consent:- Review how you seek, record and manage consent and whether you need to make any changes. GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action.
- Children:- You need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK).
- Data breaches:- Make sure you have the right procedures in place to detect, report and investigate a personal data breach. GDPR introduces a duty on all organisations to report certain types of data breach to the ICO. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals; where notification is required it must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Keep a record of every breach, including those you decide do not need to be reported, and the reasons for that decision.
- Data Protection by Design and Data Protection Impact Assessments:- GDPR makes privacy by design an express legal requirement. The new BMFA membership system, which we strongly advise all clubs to use, meets this requirement. Data Protection Impact Assessments (DPIAs), while mandatory in some circumstances, will not be mandatory for the processing a model flying club conducts.
- Data Protection Officers:- You should designate someone to take responsibility for data protection compliance (the "Data Protection Compliance Manager" in stage 1 above); however, you are not formally required to designate a Data Protection Officer.
- International:- This is only relevant if your club operates in more than one EU member state, which is highly unlikely. If you believe this may affect you, please contact us.
See https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf