Most, if not all non-profit, sports club and associations collect and process personal information in any form. We give you a quick summary of how GDPR will affect you and your association.
On May 25'th a new regulation will be enforced that will strengthen the personal integrity and place tougher requirements on how you can collect, store and process personal information.
But do I need to care?
The simple answer is yes, you do. But the question is more complex than to say do this, or do that to avoid fines of up to €25 million.
OK - But where should i start?
If you follow common sense and the current laws and regulations in regards to personal integrity you don't really have to do all that much to be compliant with GDPR. The biggest step for you to start with is to get an understanding for what GDPR is and what changes your association must make to follow the new regulation. There isn't really a reason to wait - kick start the new year and make sure that your association believes in your members right to personal integrity!
Make sure to have the answers to the following questions:
- What personal information do we collect and process today?
- Where do we store them (which IT systems)?
- Who has access to them (are they used for advertising)?
- What lawful basis do we use to collect and store the information?
We have put together a handbook that contains the practical steps that your association should take to get the answers and kick start your GDPR activities. Read more about it on the link below and download your free copy.
What is personal information?
According to GDPR a personal information is anything that can be used to identify an individual. At a glance, this make sense and you might think that this is easy - well, it's more complicated that you think. The old personal integrity laws were created before the Internet was widely adopted, so before the birth of Google, Facebook and similar companies that collect, share and process information about a lot of people.
Some examples of what a personal information is: Name, social security number, membership number, IP address, car license plate, a Twitter / Facebook name and even photographs of people.
Some information is classified as sensitive data and must be handled with special care. Often encryption and other security measures are needed to restrict access to this data. Examples of sensitive data are: Health information (allergies etc), union membership, religion and sexual orientation.
Unless it is absolutely necessary, you should avoid processing sensitive information, alternatively erase them as soon as you no longer need them. If you, for example, need to collect food preferences for a tournament that you organise it is best to erase this information as soon as the tournament is finished.
The rights of you members
The purpose with GDPR is to strengthen the protection of the individual's right to personal integrity.
All individuals has the right to get a detailed and easy to understand information about how their personal data will be processed, what the purpose is and what rights the individual have. The indivual has the right of access to their details that you keep and to have incorrect details corrected.
What does all of this mean?
A request of access to personal information could be that one of your members is requesting a list of all personal information you have about them. Hopefully you have collected it in a centralized membership management system and then it should be pretty easy to get access to it. But sometimes it gets a bit more complicated when the details are kept in multiple systems, for example membership database, e-mail lists and invoicing spreadsheets.
It also means that you no longer can store information that you know is inaccurate. Some association membership management systems require you to enter a date of birth to be able to add the member in the system. But what if you do not know the individuals DOB? You might enter a year and then 01-01 for the month and day. But this information that you now associated with an individual is incorrect. Data minimization is a key activity that you should be doing, in plain English it means: Only track information that is absolutely necessary and stop harvesting information that you think could be "nice to have some time in the future"!
The right to be forgotten - empowering the individual What this means is that a data subject (i.e your members) can request to be forgotten - to have their information permanently deleted. You can obviously still keep information that is required for you to fulfil obligations when it comes to, for example book keeping or similar obligations to not break the law. However - this information that you still keep can only, and I mean only be used for that processing activity.
When can I collect personal information - lawful basis
The requirement to have a lawful basis to collect and process personal information is not new, but GDPR is making the definition a bit more clear.
Consent - a consent should be a clear and affirmative action and not bundled into a long and technical agreement. Implied consent is no longer valid so no more pre-checked checkboxes to opt in to newsletters. It must also be as easy to withdraw consent as it was to give it in the first place.
But one of the most important bits, something that we should see a big change in is the way that you need to communicate to the individual why you need to borrow their personal information at the time of collecting it.
But do you need a consent at all times to collect personal information? Of course not! There are some other lawful basis for processing personal information and one that is highly appropriate for a membership organisation is to 'fulfil an agreement'. That is why we suggest all membership organisations, associations, sports clubs and non-profits to establish a membership agreement with your members to give you the lawful basis to process your members personal information.
You should immediately identify on what lawful basis, you are currently using to process personal information.
Do not process personal information via e-mail!
e-mail is something that has made communicating with people a lot easier - which means that you inadvertently process personal information in an e-mail conversation. In the previous data privacy laws, there was an exemption for unstructured material, this includes websites and e-mails. But this exemption is no longer valid with GDPR - that means that all personal data you process via e-mail is affected by GDPR.
One quite common thing we see is that many membership organisations have a signup form on a website, which send an e-mail to the association admin including all the registration details. Not very good, but luckily easily avoided by using a smarter membership management system such as CoachHippo
Report data breaches!
Data breach, hacked, hacker attacks are unfortunately quite common. You have probably read it in the news that 'several thousand e-mail addresses leaked from company X'
Incidents where personal data (such as e-mail addresses) can end up in the wrong hands must be reported to the authorities within 72h after the breach have occurred.
In some cases you must also notify all individuals which data was leaked.
This is not a fun spot to be in - having to reach out to all your customers and members and telling them about a security breach where their details was stolen. So make sure to have clear routines and processes in place, and choose a vendor for your Association Management System (AMS) that believes in the individual's right to personal integrity and that follows all the requirements that GDPR put on software vendors.
Erase information that is not used
Personal data may only be saved when it is correct and needed according to the processing activity (the reason you have to collect data) you notified the individual about at the time of collecting the details. Address, employer and mobile number are examples of information that quickly becomes inaccurate and obsolete - what routines do you have in place to make sure that they are up to date? Here is an idea - stop collecting information that isn't absolutely necessary.
If you are an assocation, sports club or membership organisation, it is quite smart to empower your members to access and update their own personal data.
CoachHippo gives you and your members smart tools to keep your valuable membership database up to date and accurate.
Konsento helps associations, companies and sports clubs create and manage membership agreements, consents and keep a record of your personal data processing activities. Do you want to know how Konsento can help you? Contact fredrik@konsento.io