The General Data Protection Regulation (GDPR) is already in force and we are currently in a period of implementation, with the deadline for compliance set for 25 May 2018. GDPR is an important change in government legislation regarding data protection. It effectively provides an update to the Data Protection Act, bringing in new requirements and increasing the penalties for breaches. Any organisation that is required by law to comply with GDPR must do so by 25th May 2018 at the latest.

South Bank Taekwondo (SBTKD) collects and stores personal data from consenting members such as name and email address. This data is managed in accordance with data protection principles:

Data regarding a member's result/s from an event such as a competition/grading may be passed to other organisations to publish, and the individual entering the event needs to be aware of this. By consenting to share your personal data with SBTKD on sign up:

"You agree that we may publish your Personal Information as part of the results of the event and may pass such information to the governing body (British Taekwondo) or any affiliated organisation (Taekwondo Chungdokwan Great Britain) for the purpose of insurance, licences or for publishing results either for the event alone or combined with or compared to other events. Results may include (but not be limited to) name, grade, any club affiliation, occupation and age category."

For the purposes of clarity, in becoming a member of SBTKD, SBTKD will collect certain information about you when you join us, which will include your name, date of birth, gender, email address, home address, telephone number, next-of-kin contact phone number and email address. This information is primarily used in the administration of SBTKD. In addition to passing data to SBTKD, the use of data is likely to include the following activities and more:
Training and competition entry
Funding and reporting purposes
Membership and club management
Marketing and communications (where separate consent is provided)
Responding to subject access requests
Subject access requests (requests for copies of personal data from individual club members), currently via email only, will be responded to within one calendar month.
SBTKD do not keep data for longer than is necessary for the purpose for which it was collected. If you are an active member (currently training) we will keep your data safe and secure. If you become inactive (i.e. stop training) we will keep personal data for a maximum of two (2) months unless you email and instruct us to remove you from our records prior to this two-month expiry period. This period allows for non-training periods such as holidays and unforeseen circumstances. After this time your core data will be deleted, you will be removed from our club email list and our WhatsApp group, and your training record will be anonymised. Should you wish to rejoin us, the standard joining fee and procedure will apply.
We have 72 hours from being aware of a breach to report it to the ICO. Under the Data Protection Act there are no obligations to report breaches. That being said, personal data is held securely, i.e. electronic documents are encrypted and password protected and are backed up on a regular basis.
One of the principles of the Data Protection Act 1998 (and the GDPR) is that we can only process data for the purpose for which it is collected. This means that when we collect a name and contact details of an individual, so that they can become a member of our club, we can’t simply use that information to allow other bodies (e.g. a club sponsor) to contact you for marketing purposes.
Privacy or data capture statements
When individuals provide us with their details, we are clear and transparent about why we have it and what we will do with their information, for example: 'sign you up to our newsletter' with the capture statement 'enter your email address'. Presenting the right data capture statements to individuals ensures it is clear what we will do with the information provided to us when they give us their personal details.
Does all this only apply to data that is held digitally, e.g. on a computer, or does it cover paper records?