GDPR & CI

outfox

Have any clubs received advice from CI re GDPR implications on clubs and their members databases? I would have expected some sort of advisory note from CI by now.

buffalo

I actually put together a quick draft for our club earlier today, I'll send it on to you if you want?

Tell people what data you want/need and why, what you're doing with it, and when you're going to delete it (i.e. after a reasonable amount of time).

For instance, we collect postal addresses of members when they register, but I'm not sure why as it's been a long time since we've regularly posted anything to members. So after GDPR review we might stop collecting that (depending on what the membership secretary says).

outfox

Thanks Buffalo. I'd really appreciate a quick look at that draft, if it wouldn't put you out. I'll PM you my email address.

68 lost souls

buffalo wrote: »

For instance, we collect postal addresses of members when they register, but I'm not sure why as it's been a long time since we've regularly posted anything to members. So after GDPR review we might stop collecting that (depending on what the membership secretary says).

I would think having an address would be a good thing to have on record for the unthinkable?

buffalo

68 lost souls wrote: »

I would think having an address would be a good thing to have on record for the unthinkable?

Good point. We also have an ICE contact to cover that though.

saccades

outfox wrote: »

Have any clubs received advice from CI re GDPR implications on clubs and their members databases? I would have expected some sort of advisory note from CI by now.

: Side-splitting laughter:

jamesd

Can i get a copy too Buffalo please?

OleRodrigo

They have already issued a policy;

http://www.cyclingireland.ie/page/about/gdpr

It's quite straightforward to form a local club policy based on the CI ' parent ' copy to cover things such as the use of photographs to promote club events etc.

Gathering personal information or data is integral to the correct running of clubs. The risk of mismanaging this data is low, but nonetheless, it is crucial that the data is managed, collected and stored correctly and in accordance with the GDPR.

In the case of Cycling Ireland clubs, Cycling Ireland is usually considered the Data Controller, with the personal data and information on our database required for the purpose of issuing Cycling Ireland membership. Clubs, in this case, are regarded as the data processor as they are gathering personal data for this purpose. In this case Cycling Ireland is responsible for compliance with data protection legislation and GDPR, and clubs are expected to process data securely.

Club officials must ensure data is processed securely;

· it is updated regularly and accurately;

· it is limited to what the club needs;

· it is used only for the purpose for which it is collected; and

· it is used for marketing purposes only if the individual has given their consent to do so. This needs to be an opt-in consent rather than an opt-out consent.



Should the club ask for any information other than that required by Cycling Ireland for membership, recorded consent from the individuals and the processing of their data must take place outside of the Cycling Ireland system, and the club becomes the data controller with primary responsibility for compliance with data protection legislation including GDPR.



Should clubs fail to comply with data protection and are in serious breach, there will be increased fines. While Cycling Ireland is usually the data controller of personal data on its systems, both data controllers and data processors can be issued with fines under GDPR.



RECOMMENDATION
Club officials should not be using personal email addresses, instead a “club” email address should be used. This increases the likelihood of transparency and maintains continuity. It also keeps the data stored in one place that is only controlled by the club official or data controller.