Data protection is not an issue confined to large businesses. Data protection requirements apply to all organisations that process personal data, and failure to comply with legislation could have devastating effects on your organisation no matter its size or occupation. Following the General Data Protection Regulation (GDPR) legislation which governs the EU, the UK implemented the Data Protection Act 2018 in order to comply. The new legislation has seen a tightening up in surveillance and more serious consequences should data breaches occur, including potentially devastating fines. Therefore, data protection training is more crucial than ever in protecting your organisation.
Who Does Data Protection Apply To?
Data protection restrictions apply to all data controllers and data processors.
Data controllers are organisations that own personal data and are responsible for deciding how personal data is used. If your club or society hold information about its members, volunteers, suppliers, or employees, then data protection applies to you.
Requirements for Your Club/Society
You are required to ensure all officials, staff, volunteers, and members have satisfactory data protection awareness under GDPR, and that anyone who handles club matters adheres to strict data policies. Remember, data can only be used for the purpose for which it was obtained and this purpose must be explicitly stated.
Under GDPR legislation, data subjects (individuals who have personal data held about them) are entitled to know how their data will be used and for what. Your organisation must be clear and transparent regarding your data processing procedures and issue a privacy notice explaining this to data subjects.
Another individual right under GDPR is the right of access to the personal data that is held about you. This can be achieved through the submission of a Subject Access Request (SAR). You are required to respond within one month if you receive a SAR from a data subject.
Valid consent must be gained in order to process personal data. This includes consent from club officials to make their names and contact details available to the public. In order for consent to be valid it must be informed, specific, freely given and easily revocable. You are required to ensure any consent obtained in the past meets the new criteria and re-obtain consent if necessary.
As a data controllers, clubs and societies are responsible for the personal data they own – even when it is in the hands of a third party. Therefore, it is important to draw up a written contract between you and any third parties you work with, documenting their agreement to comply with your data policies.
Though data protection education and training you can minimise the chances of your organisation suffering a data breach. However, if a breach does occur you are responsible for reporting it to the Information Commissioner's Office (ICO) within 72 hours of it being detected. Data handlers must be trained in rapidly identifying breaches it order to implement measures intended to minimise any adverse consequences.
High Profile Breaches
In November 2017 an exclusive Oxford and Cambridge club had its reputation tarnished when it suffered a serious data breach. Names, home addresses, phone numbers and some bank details were extracted from a computer system. The information leaked was enough to facilitate identity theft. Due to the number of high profile members in the club, including Steven Fry, the breach was the focus of many news articles and growing publicity rendered the clubs reputation ruined.
Queensland sports club found itself a victim of cyber-attack in March 2018. Hackers extracted personal information on 70,000 individuals including the club's employees, members, events centre customer and corporate partners. The information extracted included name, gender, date of birth, address, telephone number, email address, next of kin, employment status, membership number, photograph, company details, invoices and bank accounts. The largescale nature of this breach highlights the widespread repercussions that a data breach could have across your business.
The Benefits of Compliance
Lack of data protection regulation compliance can result in data breaches, which can have a multitude of ramifications for your organisation and the individuals whose data is implicated.
Following a data breach your organisation could incur fines of up to €20,000,000. Large-scale breaches often hit the news and result in serious damage to an organisation's reputation. Your organisation has a duty to protect its data subjects as breaches can result in emotional, physical and financial consequences for the subjects involved. In order to ensure compliance within your organisation all members and employees should undergo regular data protection training along with the implementation of rigorous data policies.