Working with GDPR


You will be aware of a raft of changes being introduced by GDPR on 25th May 2018. As an organisation that already takes data protection extremely seriously, we don't anticipate that there will be any dramatic changes to the way that we work with you.

However, we are clearly not the only party within ClubPay affected by GDPR; our Vendors must also be aware of the implications for your organisation, your members, and your customers.

The new law states that personal data must be:

  • processed lawfully, fairly and in a transparent manner;
  • collected for specified, explicit and legitimate purposes;
  • adequate, relevant and limited to the purposes for which it is processed;
  • accurate and kept up to date;
  • kept in an identifiable format for no longer than is necessary;
  • kept securely.

For the purposes of GDPR, we consider ClubPay Ltd to be the 'data processor', i.e. we process data on behalf of a 'data controller'. In the context of the above list, we can only directly influence the final item but you can be assured that we will continue to manage your data as securely as we have done for the past decade.

Our Vendors - that's you, that is - are therefore 'data controllers'; these are defined as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. Only you as the Vendor have direct control of all of the items on the list above; that need not mean wholesale changes to the way you interact with your members and customers, but it does require that you take very seriously the duty of care that you have for the data you collect and store on their behalf. In that respect it also requires a little thought, some planning, and a review of your processes.

We consider there to be six main areas that you need to review, and in which you may need to take action:

Security

Data Protection has always had data security at its heart. This includes the security of the infrastructure on which the data is stored. But as the majority of security breaches are down to human factors, it must also include the security practices, processes and protocols of those responsible for controlling the data.

ClubPay Considerations

  • We already take security very seriously and we will continue to do so
  • We will provide Admin access for those for whom we have had legitimate requests from authorised Vendor representatives
  • We will continually review security practices and seek improvements

Vendor Considerations

  • Do you know everyone in your Organisation who has access to your data?
  • Do they all need to have access?
  • Is access up to date, and have you asked us to terminate access for those who no longer require it?
  • Does everyone with access to your data use it in a safe, secure manner?
  • Do they all understand the implications of GDPR?
  • Do you have written procedures in place where you feel you need them or where there is any scope for ambiguity?

Compliance

Organisations must implement appropriate (and proportionate) technical and organisational measures that ensure and demonstrate compliance with GDPR. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

ClubPay Considerations

  • We have implemented appropriate technical and organisational measures that ensure and demonstrate that we are compliant
  • We will create and improve security features on a regular basis
  • We can only manage data held on our servers - downloaded data is entirely outwith our control and so the responsibility of those with it in their possession

Vendor Considerations

  • For amateur/ smaller organisations there is likely to be a minimal requirement in this area, other than applying common sense
  • Larger Organisations should consider reviewing internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies
  • In all cases, you should look to implement measures that meet the principles of data protection by design and data protection by default. Measures should include:
    • Not collecting any more data than you require - remember, specified, explicit and legitimate purposes
    • Keeping data accurate and up-to-date but also…
    • …Not storing data for any longer than is necessary (although don't neglect the financial accountability aspects)
    • Considering pseudonymisation
    • Ensuring transparency
    • Allowing individuals to monitor processing
  • Our view is that the vast majority of data collection is done to deliver service and/ or protect the safety of those being served
  • Providing you can justify what you are collecting, and can provide access and the right of amendment/ removal, we believe Order data can be stored for up to six years in most cases

Consent

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation. Consent requires a positive opt-in. Don't use pre-ticked boxes, hide consent amongst T&Cs, or use any other method of default consent. In a nutshell, consent must be:

  • Unbundled: consent requests must be separate from other terms and conditions.
  • Opt-in: pre-ticked boxes or other pre-selected options are invalid.
  • Granular: if the data is to be used for multiple marketing activities, then consent must be granted for each of them separately.
  • Named: the request must state all organisations and third parties that will be relying on consent.
  • Documented: records must be kept to demonstrate when, how and what the individual consented to.

See our Guidance Page on adding Consent and Opt-In to your Products.

ClubPay Considerations

  • We have updated our Vendor Application Form to include a clear consent opt-in
  • Vendors already signed up with us will not be asked to confirm consent as we cannot deliver our services without that consent
  • But you are free to withdraw consent and stop using ClubPay at any time without penalty
  • We do not and will not sell or share Vendor details with third parties except where compelled to by law
  • We will only contact you with important information or updates of an operational nature

Vendor Considerations

  • You should consider adding a Consent Opt-In statement alongside your T&Cs statement on Products - we strongly recommend this on all Products
  • Vendors may not sell their customer/ membership data at any time for any reason
  • Any Vendor found doing so will be expected to cease immediately and if they do not, we may suspend or terminate services to them
  • We do understand that some Vendors may have to share data with third parties from time to time, e.g. National or Regional Governing Bodies
  • Where this needs to happen, we expect appropriate security measures to be put in place to protect the security of that data
  • We cannot and will not accept any responsibility for data security once downloaded or otherwise transmitted on a medium outside of the ClubPay System, e.g. email, CSV, PDF, etc.

Rights of the Individual

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

ClubPay Considerations

  • We will rigorously apply these rights to the individuals for whom we control data - our Vendors
  • You are free to come to us at any time with any questions or concerns on your rights as a Vendor in this respect

Vendor Considerations

  • You must rigorously apply these rights to the individuals for whom you control data - your members and customers
  • You can edit the data provided on an Order, but you should not do so without clear instruction from the person providing it
  • We would recommend that you maintain a record of instances where, when and why you have edited Order data and retain an audit trail of any authorisations to do so
  • Where you are asked to remove data, you should consider this request in the context of your duty of care to those to whom you are delivering services
  • You should be clear on what data you are collecting and why
  • You should not collect any more data than you need, and be prepared to explain why you collect the data you have requested

Subject Access Requests

Subject access requests give individuals the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information (mostly the information provided in T&Cs and/ or privacy notices)

The procedure for making and responding to subject access requests remains similar to current data protection laws, but the GDPR introduces some changes. For instance:

  • Information must be provided for free
  • You have one month to respond
  • Requests must be accepted electronically, e.g. via email, and the response must be available in an electronic file format where the request was made electronically

ClubPay Considerations

  • We will comply with all reasonable subject access requests from Vendors in line with GDPR
  • But we do not hold any data on Vendors that cannot be viewed through your Admin Portal
  • We will assist - on a best endeavours basis - with any subject access requests received by Vendors, but these remain the primary responsibility of Vendors; your data, your control

Vendor Considerations

  • You must comply with all reasonable subject access requests from your members/ customers in line with GDPR
  • The data collected by Vendors is, in the main, informational and not used for marketing or decision-making
  • We do not therefore anticipate that you will receive many subject access requests
  • Where these are excessive, unfounded, or repetitive, you are permitted to charge a 'reasonable fee'
  • In extremis, you can refuse to comply and provide the originator with details of their right of appeal to the supervisory authority

Reporting Data Breaches

All organisations must report a personal data breach to their supervisory authority within 72 hours, and in some cases to the individuals affected. A personal data breach refers to a breach of security that can lead to the destruction, loss, alteration and unauthorised disclosure of, or access to, personal data. So a breach is more than just losing personal data.

A breach must be reported to the relevant supervisory authority within 72 hours of an organisation becoming aware of it. Depending on the scale of the breach, it may be impossible to investigate a breach fully within the given timeframe, so organisations will be allowed to provide information in phases.

ClubPay Considerations

  • When notifying of a data breach we will detail the type of personal data compromised, including:
    • The type and estimated number of individuals affected
    • The type and estimated number of personal data records concerned
  • We will provide the name and contact details of a point of contact where further information can be obtained
  • We will detail the possible outcomes of the personal data breach
  • We will also detail a list of measures taken or being taken to deal with the breach and appropriate measures taken to mitigate any adverse effects
  • If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify those affected directly

Vendor Considerations

  • In addition to the standard notifications, you must also inform ClubPay Ltd of a suspected breach IMMEDIATELY
  • When notifying of a data breach you must detail the type of personal data compromised, including:
    • The type and estimated number of individuals affected
    • The type and estimated number of personal data records concerned
  • You must provide the name and contact details of a point of contact where further information can be obtained
  • You must detail the possible outcomes of the personal data breach
  • You must also detail a list of measures taken or being taken to deal with the breach and appropriate measures taken to mitigate any adverse effects
  • If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those affected directly

Final Word… And a Caution

We take GDPR very seriously and have taken all reasonable measures to ensure compliance but we are not subject matter experts in this area and any advice provided to Vendors is necessarily generic and therefore for guidance only. If in any doubt as to the specific impact of GDPR on your organisation, you should seek professional advice.