Working With GDPR
You will be aware of the raft of changes being introduced by GDPR on 25th May 2018. As an organisation that already takes data protection extremely seriously, we don't anticipate any dramatic changes to the way that we work with you. However, we are clearly not the only party affected by GDPR within ClubPay: our Vendors must also understand the implications for their own organisation, their members and their customers.
The new law states that personal data must be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary for the purposes for which it is processed;
- accurate and kept up to date;
- kept in an identifiable format for no longer than is necessary;
- and kept securely.
For the purposes of
GDPR, we consider ClubPay Ltd to be the 'data processor', i.e. we process data
on behalf of a 'data controller'. In the context of the above list, we can only
directly influence the final item but you can be assured that we will continue
to manage your data as securely as we have done for the past decade.
Our Vendors - that's you, that is - are therefore 'data controllers'. A data controller is defined as a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. Only you as the Vendor have direct control of all of the items on the list above. That need not mean wholesale changes to the way you interact with your members and customers, but it does require that you take very seriously the duty of care you have for the data that you collect and store on their behalf. In that respect it also requires a little thought, some planning, and a review of your processes.
We consider there to be six main areas that you need to review, and in which you may need to take action:
Security
Data Protection has always had data security at its heart. This includes the security of the infrastructure on which the data is stored. But as the majority of security breaches are down to human factors, it must also include the security practices, processes and protocols of the people responsible for controlling the data, and in particular who has access to it and whether they still need it.
ClubPay Considerations:
- We already take security very seriously and we will continue to do so
- We will provide Admin access only where we have had a legitimate request from an authorised Vendor representative
- We will continually review our security practices and seek improvements

Vendor Considerations:
- Do you know everyone in your Organisation who has access to your data?
- Do they all need to have access?
- Is access up to date, and have you asked us to terminate access for those who no longer require it?
- Does everyone with access to your data use it in a safe, secure manner?
- Do they all understand the implications of GDPR?
- Do you have written procedures in place where you feel you need them, or where there is any scope for ambiguity?
Compliance
Organisations must implement appropriate (and
proportionate) technical and organisational measures that ensure and demonstrate compliance with GDPR. This may
include internal data protection policies such as staff training, internal
audits of processing activities, and reviews of internal HR policies.
ClubPay Considerations:
- We have implemented appropriate technical and organisational measures that ensure and demonstrate that we are compliant
- We will create and improve security features on a regular basis
- We can only manage data held on our servers; downloaded data is entirely outwith our control and is therefore the responsibility of those who have it in their possession

Vendor Considerations:
- For amateur/smaller organisations there is likely to be a minimal requirement in this area, other than applying common sense
- Larger Organisations should consider reviewing internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies
- In all cases, you should look to implement measures that meet the principles of data protection by design and data protection by default. Measures should include:
  - Not collecting any more data than you require (remember: specified, explicit and legitimate purposes)
  - Keeping data accurate and up to date, but also…
  - …not storing data for any longer than is necessary (although don't neglect the financial accountability aspects)
  - Considering pseudonymisation
  - Ensuring transparency
  - Allowing individuals to monitor processing
- Our view is that the vast majority of data collection is done to deliver service and/or protect the safety of those being served
- Providing you can justify what you are collecting, and can provide access and the right of amendment/removal, we believe Order data can be stored for up to six years in most cases
Consent
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation. Consent requires a positive opt-in. Don't use pre-ticked boxes, hide consent amongst T&Cs, or use any other method of default consent. In a nutshell, consent must be:
- Unbundled: consent requests must be separate from other terms and conditions.
- Opt-in: pre-ticked boxes or other pre-selected options are invalid.
- Granular: if the data is to be used for multiple marketing activities, then consent must be granted for each of them separately.
- Named: the request must state all organisations and third parties that will be relying on the consent.
- Documented: records must be kept to demonstrate when, how and what the individual consented to.
- Easy to withdraw: it must be as easy to withdraw consent as it was to give it.
See our Guidance Page on adding Consent and Opt-In to your Products.
ClubPay Considerations:
- We have updated our Vendor Application Form to include a clear consent opt-in
- Vendors already signed up with us will not be asked to confirm consent again: processing your details is necessary to deliver the services you have contracted for, and we cannot deliver those services without it
- But you are free to withdraw consent and stop using ClubPay at any time without penalty
- We do not and will not sell or share Vendor details with third parties except where compelled to by law
- We will only contact you with important information or updates of an operational nature

Vendor Considerations:
- You should consider adding a Consent Opt-In statement alongside your T&Cs statement on Products; we strongly recommend this on all Products
- Vendors may not sell their customer/membership data at any time for any reason
- Any Vendor found doing so will be expected to cease immediately and, if they do not, we may suspend or terminate services to them
- We do understand that some Vendors may have to share data with third parties from time to time, e.g. National or Regional Governing Bodies
- Where this needs to happen, we expect appropriate security measures to be put in place to protect that data
- We cannot and will not accept any responsibility for data security once data has been downloaded or otherwise transmitted on a medium outside of the ClubPay System, e.g. email, CSV, PDF, etc.
Rights of the Individual
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the Data Protection Act 1998 (DPA):
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
ClubPay Considerations:
- We will rigorously apply these rights to the individuals for whom we control data: our Vendors
- You are free to come to us at any time with any questions or concerns about your rights as a Vendor in this respect

Vendor Considerations:
- You must rigorously apply these rights to the individuals for whom you control data: your members and customers
- You can edit the data provided on an Order, but you should not do so without clear instruction from the person who provided it
- We recommend that you keep a record of where, when and why you have edited Order data, and retain an audit trail of any authorisations to do so
- Where you are asked to remove data, you should consider the request in the context of your duty of care to those to whom you are delivering services
- You should be clear on what data you are collecting and why
- You should not collect any more data than you need, and you should be prepared to explain why you collect the data you have requested
Subject Access Requests
Subject access requests give individuals the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information (mostly the information provided in T&Cs and/or privacy notices)
The procedure for making and responding to subject access requests remains similar to that under current data protection law, but the GDPR introduces some changes. For instance:
- Information must be provided free of charge (a reasonable fee may be charged only where a request is manifestly unfounded or excessive)
- You have one month to respond, extendable by a further two months where requests are complex or numerous, provided you tell the individual within the first month
- Where a request is made electronically (e.g. by email), the information should be provided in a commonly used electronic format unless the individual asks otherwise
ClubPay Considerations:
- We will comply with all reasonable subject access requests from Vendors in line with GDPR
- But we do not hold any data on Vendors that cannot be viewed through your Admin Portal
- We will assist, on a best endeavours basis, with any subject access requests received by Vendors, but these remain the primary responsibility of Vendors: your data, your control

Vendor Considerations:
- You must comply with all reasonable subject access requests from your members/customers in line with GDPR
- The data collected by Vendors is, in the main, informational and not used for marketing or decision-making
- We do not therefore anticipate that you will receive many subject access requests
- Where requests are manifestly unfounded, excessive or repetitive, you are permitted to charge a 'reasonable fee'
- In extremis, you can refuse to comply, but you must tell the individual why, and inform them of their right to complain to the supervisory authority and to seek a judicial remedy
Reporting Data Breaches
All organisations must report a personal data breach to their supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, and in some cases must also inform the individuals affected. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data. So a breach is more than just losing personal data: a laptop left on a train, a spreadsheet emailed to the wrong person, and an attacker reading a database are all breaches.
A breach must be reported to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it. Where the breach occurs at a processor, the processor must notify the controller without undue delay so that the controller's clock can start. Depending on the scale of the breach, it may be impossible to investigate it fully within the given timeframe, so organisations are allowed to provide information in phases; a report that is late must explain the reasons for the delay.
ClubPay Considerations:
- When notifying a data breach we will describe its nature and the personal data compromised, including:
  - The categories and approximate number of individuals affected
  - The categories and approximate number of personal data records concerned
- We will provide the name and contact details of a point of contact from whom further information can be obtained
- We will describe the likely consequences of the personal data breach
- We will also list the measures taken, or proposed, to deal with the breach and to mitigate any adverse effects
- If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify those affected directly

Vendor Considerations:
- In addition to the standard notifications, you must also inform ClubPay Ltd of a suspected breach IMMEDIATELY
- When notifying a data breach you must describe its nature and the personal data compromised, including:
  - The categories and approximate number of individuals affected
  - The categories and approximate number of personal data records concerned
- You must provide the name and contact details of a point of contact from whom further information can be obtained
- You must describe the likely consequences of the personal data breach
- You must also list the measures taken, or proposed, to deal with the breach and to mitigate any adverse effects
- If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those affected directly
Final Word… And a Caution
We take GDPR very seriously and have taken all reasonable measures to ensure compliance, but we are not subject matter experts in this area and any advice provided to Vendors is necessarily generic and therefore for guidance only. If in any doubt as to the specific impact of GDPR on your organisation, you should seek professional advice.