GDPR considerations for running clubs?
May 2018
11:00am, 22 May 2018
1,240 posts
|
J2R
I'm trying to make sure my running club conforms to the new rules coming in on Friday with GDPR. I was wondering what others have done in this respect, if anyone on here is in charge of membership information, etc., for their running club? Clearly we have to retain the basic membership details of all the members, and I don't believe (?) that we require explicit opt-in from members for that, do we? But what do we need to do in terms of club-related emails to members?
|
May 2018
11:18am, 22 May 2018
4,837 posts
|
larkim
My take on it (as an amateur) is that the new regs really don't affect communication with your members for the purposes of managing and running a running club - that fits under one of the lawful bases for processing data. The areas of bigger concern would be the security with which you hold the data (how many people have access to the membership lists) of members, and particularly of runners from other clubs who sign up to events etc. England Athletics have some template guidance I think for making people aware. In truth I think it is a damp squib in terms of Friday's changes simply because the regulator won't bother with making life difficult for small organisations. If you're BT, or Amazon etc etc it's a much bigger deal!
|
May 2018
11:32am, 22 May 2018
1,241 posts
|
J2R
That's helpful, larkim. We have a mailing list which is accessible by people who are on the club committee, via a login, and no-one else. I imagine that should be OK in terms of security.
|
May 2018
11:34am, 22 May 2018
6,231 posts
|
The_Saint
We rely on the UKA "Trinity" database, you can mail directly from there. We do not allow members to be unaffiliated to UKA
|
May 2018
12:03pm, 22 May 2018
1,242 posts
|
J2R
Thanks, The_Saint, I'm wondering about switching over to using that. As it is, any member of our club committee can send out an email, and to do so via the UKA db would presumably require the login details to be shared with all committee members, which strikes me as probably not ideal. Our actual mailing list does come from the UKA db, via periodic dumps every couple of weeks.
|
May 2018
12:26pm, 22 May 2018
7,517 posts
|
GordonG
Larkim is right in that in reality there are much bigger fish out there for the regulators, but of course that doesn't mean that you can ignore GDPR.

Re your point about the mailing list 'accessible by people who are on the club committee'. One of the constant themes running through GDPR is "why?". So why does every committee member need to see that list? Legitimate and justifiable reason? Fine. No legitimate reason? Probably in breach of GDPR.

Probably the other significant part of GDPR as far as a running club is concerned is what you do with the personal information (names, addresses, DoB) you collect on club members and/or people taking part in your event.

Say you organise a 10K race and you collect all the basic contact info everyone collects of runners:
You've collected it for legitimate reasons: GDPR OK
Assuming you store it securely: GDPR OK
When the race is over, what do you do with that info? If it was given to you just for the 10K then you have no legitimate reason to store it indefinitely. So keeping it either on paper or electronically is not GDPR OK. Though BTW you would have a legit reason for storing the results indefinitely.
You've asked people if it's OK to send them info about future events: GDPR OK so long as that's all you use the info for.

Note also that any tick box that says something convoluted like "You do you not agree that it is OK for us not to no longer..." etc, is not GDPR OK.

Hope this helps a little (and doesn't confuse even more!)
|
May 2018
12:46pm, 22 May 2018
104 posts
|
Raemond
I'd have to disagree with the idea of storing anything *indefinitely* - (though that may end up being the effect) the better way to phrase it for compliance purposes is 'as long as necessary for the stated purpose.' I used to work for the ICO and can confirm they have no interest in fining small and non-profit organisations. They're far more likely to offer help figuring out how to comply and keep your members' data safe. They produce a lot of guidance material as well that's usually fairly accessible: ico.org.uk
|
May 2018
2:39pm, 22 May 2018
4,840 posts
|
larkim
I think GordonG summed it up nicely there (with Raemond's caveat about indefinitely being correct). In 50 years' time, if my name is still in the parkrun database (and I'm still alive) and visible in terms of my parkrun results in 2018, is that an issue? Or conversely, if parkrun start to remove results from (say) 10 years ago from their databases because they are concerned that there was nothing in the consent that we gave when we signed up to show unlimited results for time immemorial, would that be correct?

I am actually employed with some DP responsibilities - and I'm fearing the flood of emails on Monday next week when every Tom, Dick and Harry decides that as subject access requests are now free they will fire them off all over the place!
|
May 2018
2:46pm, 22 May 2018
7,518 posts
|
GordonG
Yes, thanks Raemond, good clarification.
|
May 2018
2:47pm, 22 May 2018
105 posts
|
Raemond
Sadly DP rules lack the easy out of declaring someone 'vexatious' that's available to FOI bods. There's always been something about it that attracts the tin foil hats, even when it was a tenner a pop.