On 25th May 2018 the way that organisations hold personal data on people changed. The GDPR is the EU General Data Protection Regulation; it replaced the Data Protection Act 1998 in the UK and the equivalent legislation across the EU Member States. At the RMC the General Data Protection Regulation (GDPR) was in force well ahead of the official deadline.
One of the principles of the Data Protection Act (and the GDPR) is that you can only process data for the purpose for which it was collected. This means that if you collect the name and contact details of an individual so that they can become a member of a club, you cannot simply use that information to allow your affiliates to contact them for marketing purposes. You also need to tell people when they join the club if you are going to transfer their data, for example to another organisation.
So does this apply to the RMC?
GDPR applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location. Therefore, as the RMC stores personal data on its members, GDPR also applies to us and many other clubs.
What about BREXIT?
Leaving the EU makes no difference and does not make the UK exempt. The UK government are implementing the changes regardless of the current landscape.
So what are the key changes for clubs?
1. More communication
GDPR states that clubs need to give people more information about what data is collected and how it is used, at the point at which it is collected.
At the RMC data is collected for membership purposes only. When you sign up this is done over a secure SSL connection, and once your account is created your data is stored in an encrypted database. Our system salts your password, which means that passwords are never stored in plaintext; only salted, encrypted versions are kept.
Your details are used by the RMC so that we know who you are, how to contact you and, in order to understand where our members are based, your geographic location. Your details are not passed on to any third party, and we have kept the personal details we hold on you to an absolute minimum, so that they consist only of:
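As an added illustration of the salted-password storage described above (this is example code written for this page, not the club's own system, which is not published), the usual way to hold a "salted" password is as a slow, one-way, per-user-salted hash rather than as anything that can be decrypted. The record format, the parameter values and the sample member table below are all constructed for the example; the interesting property is that two members with the same password get different records, and that the stored record never contains the password itself.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters for PBKDF2-HMAC-SHA256 (values chosen for this example).
# A high iteration count makes every guess expensive for anyone who
# obtains a copy of the stored records.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: "pbkdf2_sha256$iterations$salt_hex$hash_hex".

    A fresh random salt is generated for each password unless one is supplied
    (the parameter exists so that the result is reproducible in tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed sample: two members who happen to choose the same password.
MEMBERS = {
    "member_a": hash_password("correct horse battery staple"),
    "member_b": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    for name, record in MEMBERS.items():
        print(name, record)
    print(verify_password("correct horse battery staple", MEMBERS["member_a"]))
    print(verify_password("not the password", MEMBERS["member_a"]))
```

Because each record carries its own salt and iteration count, the verifier can check a login without any secret beyond the member's own input, and the parameters can be raised later for new records without invalidating old ones.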
- Address (optional, but the Country field is mandatory)
- Email Address
- IP Address
Who can see these details?
The actual database is only accessible by two people within the RMC:
- Webmaster - For purposes of administration
- Treasurer - For purposes of membership payments
What if someone asks for my details or email address?
The RMC will never provide details to another party. If someone asks for your details we will forward their request to you, so that you may reply to them if you wish.
2. Responding to subject access requests & Data Retention
In most organisations, when someone requests a copy of the personal data held about them, it had to be provided within a 40 calendar day period. At the RMC all data held about you is instantly and fully accessible online by logging into your account. Furthermore, with the exception of your username, you are free to edit or amend your details as you wish, 24/7.
What happens if I let my membership expire?
For members of the RMC whose membership has expired, membership details will be held for 6 months to allow continuity of your account should you wish to renew. After the 6-month period following the expiry date, your membership account and details will be fully deleted. Expired members whose accounts have been deleted can still contact the club at firstname.lastname@example.org to confirm that their details are no longer held by the club. In addition, expired members can contact the club before the 6-month cut-off to ask for their details to be deleted.
3. Data processors
GDPR policies indicate that there will be direct obligations on data processors as well as on data controllers. At the RMC we use the following third parties for processing data:
Why? We use Paypal for processing payments.
All payment details are stored on Paypal servers and are not accessible to the RMC at any point. Paypal feeds the payment into our system, but no information on that transaction, apart from the payment date and the fee paid, is stored on our servers.
Why? We use OneandOne for hosting our website and our members' login area.
OneandOne is a trusted hosting company which holds our website on secure servers. These servers also hold members' details, stored in encrypted databases to which only the webmaster has access.
Why? We use MailChimp for our newsletters.
All subscribers' email addresses (both members and non-members) are stored on MailChimp servers, and subscribers are able to view their details or unsubscribe at any time. These email addresses are used for RMC newsletters only and are not made available or provided to any other parties.
4. Getting consent
Under GDPR it is important that we get consent to use your personal data in certain ways, for example to send marketing emails or, as in the case of the RMC, to send newsletters:
From February 1st 2018 all new members are required to tick a box on the application form to agree to their details being stored in accordance with GDPR policies, and as such will receive newsletters and RMC magazines via email. The email address may also be used by the club for direct contact about your membership, but in no circumstances will it be provided to anyone not associated with the mailing list or to anyone outside of the RMC.
What if I joined before February 1st 2018?
All members who joined before February 1st 2018 were contacted and provided with details of how to unsubscribe from any further newsletters, should they wish their details to no longer be used in this way. Every newsletter also has both an Unsubscribe and a More Preferences option at the end.
5. Children's data
GDPR contains additional policies for the protection of children's personal data. Whilst children are welcome to join the club, the RMC recommends that parents or guardians sign up on behalf of their child, thus providing consent for the club to store the associated data. Because being a member involves a payment via Paypal or by cheque, both of which carry adult age restrictions, we believe that all members who sign up and pay by these means are either adults creating accounts for themselves or, if the account is for a child, are providing consent by making the payment. It is also for this reason that a member's age is not requested.
6. Data breaches
In the unlikely event of a data breach, where unauthorised access to members' data has occurred, all members on the database will be informed.
7. Members' concerns
At the Reliant Motor Club we have done the best we can to understand and be compliant with the new GDPR rulings that came into effect on May 25th 2018. Whilst we trust that members should have no cause for concern about the way their details are kept, should anyone have any concerns or questions then these should be addressed to GDPR@reliantclub.co.uk.
Reliant Motor Club - 5th February 2018
Updated 21st May 2018 (changed to refer to GDPR in the past tense prior to the go-live date)