General Data Protection Regulation (GDPR)

In May 2018, the rules around the handling of personal data will be strengthened with the introduction of the EU General Data Protection Regulation (GDPR). It replaces the Data Protection Directive 95/46/EC and has been designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by the government; it will therefore be in force from 25 May 2018.

Although the UK is leaving the EU, the Government has indicated it will implement an equivalent or alternative solution. The expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the Information Commissioner’s Office (ICO) and the UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK businesses can seek continued access to the EU digital market.

The date of implementation is 25 May 2018, and from then your club must keep track of sensitive personal data and have proven audit trails of the processing of such data. Should a breach occur, notification to the Information Commissioner’s Office must be provided within 72 hours. Personal data is any information related to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address.
The conditions for consent to hold or use such information have also been strengthened. Companies will no longer be able to use long, illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Clubs dealing with significant amounts of personal data must assign a dedicated data protection officer.

There are considerable risks for clubs that do not comply, such as the financial implications of being fined and the loss of reputation should a data breach occur. Members themselves may also wish to see clear guidelines on the handling of their personal data. There is no doubt that this new law will, in some way, affect almost every club, and it will therefore be essential to preserve expectations and trust in order to remain successful. Any club not protecting its members’ data sufficiently will risk losing them to competitors. Further information on how you can prepare your...