Update July 2018: GDPR has been with us for several weeks now, and as part of our continued commitment to keep our subscribers updated, we thought we’d share a great resource with you. The ICO have their own blog and regularly push out updates and information, as well as highlighting any fines they have issued. Quite an interesting read.
Update Feb 2018: as the ICO themselves state, their guide to GDPR is a ‘living document’. This means guidance and recommendations are still evolving as we get closer to 25th May 2018. Whilst this article is still entirely relevant, we recommend that you download our Free GDPR Guide for Sports Clubs. And we urge you to come back regularly and download the latest version as we update it as soon as we hear anything new that’s important.
It’s no secret that the data protection laws have needed updating for quite some time now. Here at Coacha, we know that the thought of big changes in a short space of time is a lot to take on board, especially for people with clubs as busy as yours. This is why we are keeping up to date with the new GDPR preparations to keep you in the loop, so that when the law changes next year, you are prepared. The GDPR will bring important changes to the world of data protection and, without scaring you silly, this is an official post to outline the changes so that you are fully prepared and know what to expect when the law changes next year.
The serious stuff
With the constant changes in the way that data is used, the General Data Protection Regulation (GDPR) is the result of four years’ worth of work by the EU to bring data protection legislation in line with these changes.
The UK currently relies on the Data Protection Act (DPA) 1998. Data and technology have changed dramatically over the last 19 years, so we think that this new legislation, which will supersede the DPA, is long awaited.
GDPR will introduce tougher fines for non-compliance and breaches. It will give individuals more say on how companies use their data, making data protection rules standardized throughout the EU.
When will GDPR apply?
The GDPR will come into place in all EU member states from 25 May 2018. GDPR will apply automatically as it’s a regulation, not a directive, meaning no new legislation is required.
Depending on your current level of compliance with data protection, there may be some work to be done before you can operate in line with the new GDPR standards. Therefore, you should be assessing your current data protection policies as soon as possible, leaving yourself enough time to implement any necessary changes. When the time comes in May next year, you will have been given plenty of notice and there will be no excuses for non-compliers.
Who does the GDPR apply to?
GDPR will apply to everyone who controls and processes data, even the controllers/processors who deal with EU residents’ data from outside of the EU.
Who is accountable?
It is the duty of the controller to make sure that the processor works in line with data protection law. If you become involved in a data breach, then you will be far more liable under GDPR than under the DPA.
The following information is as stated by the Information Commissioner’s Office (ICO), who have published an article advising on what you can do now in preparation for GDPR.
12 steps to take in preparation for GDPR:
1. Awareness
Key individuals within your organisation should be made aware that the law is changing to the GDPR. They should understand that any data breaches could have a detrimental effect on your organisation. You could start by creating a risk register (if you don’t already have one). ICO offer a template here. Implementation of GDPR could have significant resource implications. You will most likely find compliance extremely difficult if you leave preparations until the last minute.
2. Information you hold
Any personal data that you hold should state where it came from and who you share it with. You may find an information audit to be useful. You will need to maintain records of your processing activities under the GDPR. For example, any inaccurate data that has been shared with another organisation will have to be updated everywhere that it is held. So you will have to tell the organisation that you shared the data with about the inaccuracy, so that it can correct its records. You won’t be able to do this unless you’re fully aware of what personal data you hold, where it came from and who you share it with.
3. Communicating privacy information
Your current privacy notices should be reviewed and a plan should be put in place for making any necessary changes. When you collect personal data under current legislation, you must inform people of certain information such as your identity and the intended use of their data. This is usually done through a privacy notice. Under the GDPR there are additional things to tell people. For example, you will need to explain your lawful basis for processing the data, your retention periods and that individuals can complain to the ICO if they think there is a problem with the way you’re handling their data.
4. Individuals’ rights
You should review your procedures to make sure they cover individuals’ rights.
The GDPR includes the right:
• To be informed
• Of access
• To rectification
• To erasure
• To restrict processing
• To data portability
• To object
• Not to be subjected to automated decision-making including profiling.
These rights are the same as those under the DPA but with some significant enhancements. Now is a great time to check your procedures and work out how you would react if someone makes a request about their personal data.
5. Subject access requests
Your procedures should be updated and you should plan how you will handle requests in line with the new rules:
• You will usually not be able to charge for complying with a request.
• You can refuse or charge for manifestly unfounded or excessive requests.
• You will have one month to comply rather than the current 40 days.
• If you refuse a request, you must be able to tell the individual why and inform them that they have the right to complain to the supervisory authority.
This must be done within one month.
If you are dealing with a large number of access requests, you could consider the feasibility of developing a system that allows individuals to access their information online.
6. Lawful basis for processing personal data
Under current law, not having a lawful basis for processing personal data does not have many practical implications; this will change with the GDPR, as individuals’ rights will be modified depending on your lawful basis for processing their data.
Your lawful basis for processing must be explained in your privacy notice and when you answer a subject access request.
7. Consent
You should review your process for seeking, recording and managing consent and make any necessary changes.
You should refresh existing consents if they don’t meet the GDPR standards. The ICO has published detailed guidance on consent under GDPR; you should read this and use their consent checklist to review your current practices.
Consent must be given freely, it must be specific, unambiguous and informed. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity and you will need a simple way for people to withdraw consent.
8. Children
You will need to consider putting systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
GDPR will bring special protection for children’s personal data, particularly in the context of commercial internet services like social networking. If your organisation offers online services to children and relies on consent to collect information about them, then you may need a parent/guardian’s consent to process their personal data lawfully.
The GDPR states a child can give their own consent to this processing at the age of 16; however, there is talk of lowering this to a minimum age of 13 in the UK. Consent will need to be obtained from a person holding ‘parental responsibility’ in the case where a child is younger than this age.
9. Data breaches
You should check that you have the right procedures in place to detect, report and investigate a data breach. Some organisations are already required to notify the ICO (and some other bodies) when they have a data breach.
The GDPR introduces a duty on all organisations to report certain types of data breaches to the ICO and, in some cases, to individuals. You only need to notify the ICO (and the individuals involved) of a breach where it may result in a risk to the freedoms of individuals, for example if it may result in:
• Damage to reputation
• Financial loss
• Loss of confidentiality
• Other significant economic or social disadvantages
Procedures should be put in place to detect, report and investigate a personal data breach. You may like to assess the types of personal data you hold and document where you would need to notify the ICO and affected individuals if a breach occurred.
If you are a larger organisation, you will need to develop policies and procedures for managing data breaches. Failure to report a breach could result in a fine, as well as a fine for the breach itself.
10. Data Protection by Design and Data Protection Impact Assessments
GDPR makes ‘privacy by design’ an express legal requirement, along with making ‘Data Protection Impact Assessments’ (DPIAs) mandatory in certain circumstances.
A DPIA is required in situations when data processing is likely to result in high risk to individuals, for example:
• When a new technology is deployed
• When a profiling operation is likely to significantly affect individuals
• When there is processing on a large scale of the special categories of data.
If data processing is flagged as high risk by the DPIA and you cannot sufficiently address those risks, you are required to consult the ICO to seek opinion on whether the processing operation complies with the GDPR.
You should begin to assess the situations where it will be necessary to conduct a DPIA, and also consider:
• Who will do it?
• Who else needs involvement?
• Will the process be run centrally or locally?
11. Data Protection Officers (DPO)
It is a good idea to assign someone the responsibility for data protection compliance and assess where the role will sit within your organisation’s structure and governance arrangements.
You are required to formally designate a DPO if you are:
• A public authority (except for courts acting in their judicial capacity).
• An organisation that carries out the regular and systematic monitoring of individuals on a large scale.
• An organisation that carries out large-scale processing of special categories of data, such as health records, or information about criminal convictions.
It is important that your DPO has the knowledge, support and authority to carry out their role effectively.
12. International
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this. You should map out where your organisation makes its most significant decisions about its processing activities – this will determine your ‘main establishment’ and lead supervisory authority.
Now that we’ve (unintentionally) scared you with the very official ins and outs of GDPR, it’s time to get specific. In the next series of articles, we’ll be cooling things down and providing our view on what the new world of GDPR means for sports clubs and coaches. We’ll be considering the next steps you should be taking to bring your organisation in line with the new legislation and how using Coacha will help you achieve this with relative ease.
The legal stuff
The content of this article is intended to provide information to help you with the subject matter and is not to be regarded as a substitute for consultation with a legal specialist who can advise you with a focus on your specific circumstance. Specialist advice should be sought about your specific circumstances.