GDPR Overview: Recommended Club Actions

GDPR Overview

Basics of GDPR & Data Protection

  1. Any information about another person that identifies that person is considered ‘data’. Not all information is treated the same: some data is classed as ‘sensitive data’.
  2. The main principle of GDPR & Data protection is to keep only as much information as you require for as long as you need it.
  3. The key to data protection is to look at the information you feel you need and have, and to clearly identify the purpose of holding it (draw up a table: put each item of data in one column, e.g. name, surname, date of birth, etc., and in the next column write the purpose of having that information. It will become clear very quickly what is essential data). NOTE: there may be a legitimate need to retain data on your members in case of an accident or an IAA investigation. This will have to be factored in to the purpose of holding the data.
  4. Identify who has access to this data: who controls the management of the data (data controller) and who can access the data (data processor).
  5. If you are holding this information on behalf of an organisation/club you have a legal responsibility to keep it safe whether it is in paper or on a computer (write down how you are keeping it safe).
  6. It is necessary to tell people what information you have/want and the purpose of having it. You need to get their consent (and have proof of this consent) to keep this information (consider that you might also hold the information of next of kin and need consent to have this). People can ask to know what information you have on them, and there is a time limit within which you are required to respond.
  7. Have a procedure in place that allows for data to be deleted if it is no longer necessary (it’s in the Data Protection Act).
  8. If there is a data breach (someone has gained access to the information) you need to report this breach. There needs to be a procedure to manage this situation.

NACI Requirement & Individual Club/Organisation Requirements

  1. https://www.dataprotection.ie/en/organisations/resources-organisations/self-assessment-checklist
  2. Data Protection Training: will training be necessary?
  3. Roles & details to be considered: Data Protection Controllers and Data Processors, Data Protection Officer & Data Protection contact details

Procedures required: Consent forms, Data Requests, Retention procedures, Data Breach

Considerations

  • Time constraints: reporting data breaches within the required time limit (72 hours).
  • Consequences of a data breach not being reported: failure to disclose an incident could lead to penalties under the GDPR’s second tier of fines – up to €10 million or 2% of your organisation’s annual global turnover, whichever is higher.

References

https://www.dataprotection.ie/en/organisations

https://www.gaa.ie/my-gaa/administrators/data-protection