What is this GDPR?
The "General Data Protection Regulation" (GDPR) is a set of rules agreed by the EU in 2018 which significantly tightened the data management rules in force prior to that date. These were subsequently adopted by the UK after leaving the EU. The GDPR applies to "personal data", which means any information relating to someone who can be directly or indirectly identified by reference to an identifier (a piece of data). This set of rules applies to organisations operating within the EU, and the definition of organisations includes Charitable Associations of members such as a Bridge or Social club, and the SBU itself.
What about the ICO?
Even before GDPR was developed at the European level, the UK, like many other countries, had basic Data Protection/Privacy legislation, and thus a Regulator to lead and educate the public and also act on complaints. The ICO (Information Commissioner’s Office) is the UK’s independent authority, set up some years ago to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. More information and advice from the ICO can be found here.
What do I as an SBU member, club, district or SBU official need to know about GDPR?
Three major things.
1. The intent of the GDPR is to “give back control” of data to the citizens themselves. So officials should not view club membership data as data belonging to the club or the SBU. The data belongs to the individual players, and thus any official or organisation involved has to have solid legal reasons for handling and storing it.
2. Members’/players’ data belongs to the players themselves. That means that a club secretary, for example, has to handle it carefully, have adequate security practices, and explain to club members what it is used for and who else is allowed to see or use it.
3. The more sensitive the data you collect from members, the more risk there is and thus the more care is needed. One way to reduce risk and workload, therefore, is to reduce the amount of data you hold per player, and above all to try not to hold sensitive data. Holding data such as names and addresses, telephone numbers, email addresses and, if required, dates of birth is less onerous than holding a credit card number, for example.
As Club Secretary - how should I store the data the Club is holding about Members?
This should be securely stored on computer and handled carefully if anything needs to be passed on to other Club Officials or Members, i.e. not circulating emails with all the email addresses on view.
More details of GDPR requirements can be found within the SBU GDPR pages, and the ICO (as described above) is a useful source of more information. If you have any particular queries, the SBU does have a Data Protection Officer, Charmian Entwistle, who will be happy to help.