Privacy
The UK was protected and regulated by the EU's GDPR (General Data Protection Regulation), but now that the country has left the EU, it has its own equivalent set of data protection legislation under the UK Data Protection Act 2018 - the UK-GDPR (United Kingdom General Data Protection Regulation), which took effect on the 1st of January 2021. In order to ensure the free flow of information with European countries, the UK GDPR replicates the EU GDPR and is likely to remain broadly similar. The Channel Islands have similar laws which follow the EU and UK GDPR closely.
GDPR applies to personal data of people living in the UK (Subjects), even if the organisation using the data is outside the UK. Personal data can be just a name, email address or telephone number. Lions Clubs International District 105SC needs to have explicit consent to use this information to contact Subjects unless relying on a GDPR allowable mechanism such as "legitimate interests". Subjects must be informed of their rights.
Don't panic!
The regulations are not designed to stop your normal activities! You may continue to record personal details of members, volunteer helpers and those you assist, as well as those individuals and organisations you interact with in connection with your events and other activities. You don't need their consent for this because it is part of your normal activities: holding this data is within your "legitimate interests".
Where to start
Steps you should take to ensure, and demonstrate, that your club is compliant:
- Ensure that all of your members are aware of the need for privacy.
- Document what personal data you hold, where it came from and who you share it with. This is called a Data Audit. Use the table below to get started.
- Create or update your privacy notice on your website and ensure you provide a prominent link to it. All Squarezone Club-Sites websites automatically display a privacy notice to ensure you are compliant.
- Create or update procedures to ensure they cover all the rights of Subjects, including how you would delete personal data or provide copies of data.
- Create or update procedures to handle requests from Subjects within the new timescales (1 month).
- Identify the lawful basis for your processing activity, document it and update your privacy notice to explain it e.g. "legitimate interests" or "consent".
- Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents if they don't meet the GDPR standard. This usually means adding text to a form (printed or electronic) seeking consent with a Yes/No answer (not pre-filled) and informing the Subject of exactly what they are consenting to.
- If dealing with children, put systems in place to verify Subject's ages and obtain parental or guardian consent.
- Create or update procedures to detect, investigate and report any personal data breach.
- It is unlikely you will need to conduct a Privacy Impact Assessment. However, if embarking on a new system to record personal data, simply outline what data you will collect, review why it is needed, how it will be handled and who needs it, and keep a record of your reasoning.
- Designate someone to take responsibility for data protection compliance. It is unlikely that you will need a Data Protection Officer.
Consent
You don't need explicit consent from members, volunteer helpers or those you help, because these communications are operational, i.e. they relate to running your organisation and fall within your "legitimate interests" with respect to your normal activities.
You do need "consent" if you take photographs that you intend to use in promotional material, on a website or on social media, but it is not "consent" as such: just make everyone in the photograph aware of what the intention is and that they may "opt out" if they wish. You don't need to do this when photographing crowds, but if photographing children of 16 and under and/or vulnerable people, you do need to get consent from the relevant parent, guardian or carer, and you should record the relationship between them.
You do need to satisfy yourself that any third parties involved in your activities, such as ticket sellers and website providers, are GDPR compliant. Squarezone Club-Sites are compliant.
Data audit
You do need to audit the data held on Subjects, whether in electronic or paper form, to ascertain what data is currently held, where it is kept, who has access to it and whether it is excessive for the activity. Your Secretary should keep dated copies of the audit.
The following table may be used as a guide and should be edited to be more specific for your club and also should have a row for each specific activity such as Firework Displays or Car Boot Sales.
| Activity | Data held | Where | Purpose | Source | What is data used for | Accessible by | Shared with |
|---|---|---|---|---|---|---|---|
| Members | Name, Address, Email, Telephone, Gender, Partner's name, Date of birth, Photograph | Website, Members' computers, Paper | Communicating with members | Individual members | Used to communicate with members. Printed and circulated to members. Held securely online and on members' personal computers. | Secretary and Webmaster | All members |
| Members | Bank details | Treasurer's computer, Paper | Accounts | Individual members | Payment to members | Treasurer | No-one |
| Volunteer Helpers | Name, Email, Telephone | Website, Members' computers, Paper | Communicating with volunteer helpers | Individual volunteer helpers | Used to communicate with volunteer helpers | Event organiser | Members involved in event |
| Suppliers | Name, Address, Email, Telephone | Website, Members' computers, Paper | Communicating with supplier | Supplier | Used to communicate with suppliers | Event organiser | Members who organise events |
| Customers/Event attendees | Name, Address, Email, Telephone | Website, Members' computers, Paper | Communicating with customer | Individual customer and ticket agencies | Used to communicate with customers, past and present | Event organiser | Members involved in event |
| Donation recipients | Name, Address, Email, Telephone, Gender | Members' computers, Paper | Communicating with donation recipient | Individual donation recipient | Used to communicate with donation recipients | Specific members responsible for donations | Members of committee or group responsible for donations |
Do remember that GDPR is not designed to prevent your legitimate activities; it is designed to make you think about collecting, using and storing personal information fairly, transparently, securely and lawfully.