
GDPR Discussion thread


Andy Banks


Dear Valued Members,

You may have heard of the new General Data Protection Rules (GDPR); this is legislation that comes into force on the 25th May 2018. GDPR and the Data Protection Act (DPA) are enacted to ensure that organisations, including the WSCC, that are required to hold personal information about people do so in a manner that is in line with the legislation, including how people are contacted, how they are asked to give their consent to the use of their personal data, what their personal data is used for, and that this data is protected from abuse. The WSCC takes the use and protection of your personal information very seriously and as such needs to properly understand how the GDPR impacts our current good practice, the way the club identifies you as a member, how we use your information, and how we need to re-engage with you to ensure compliance.

You should be aware that the WSCC will be implementing measures as necessary to ensure compliance with the GDPR. These will take the form of updated processes, technical changes to the forum and adjustments to our existing terms and conditions. You can find further information about this on the WSCC forums as and when made available and, where published, in the WSCC magazine, and you will be contacted in the future about these changes. As the changes are complex and we do not have the skilled resources to deal with them, we will need time to review GDPR, its impact on the Club and you, and ensure that we take appropriate steps, if any are needed, to change or update our systems, processes and statements in order to be compliant; this we will do, and we will let you know how we get on.

A word or two on how we use the personal information you will supply or have supplied to the Club:

Your personal information is currently stored securely in the membership system, and limited details, necessary for your AOs to make contact, are held on a spreadsheet with each AO. The membership system is part of the forum software and it is the system used to ensure you have access to the forums and receive a copy of the magazine, as well as confirming, if needed, that you as a member are entitled to the many benefits available such as discounted track days and insurance products from our chosen partners. It is also the system that tracks your membership status and payment history. No bank details are stored, just a record of purchases of Membership and other Club products along with your name, address, email and contact numbers. The AOs hold a spreadsheet that has your name, address and contact number, and they use this to contact you about local events. You will have previously given your consent under the DPA for all of this to happen.

The WSCC is a Membership Club; it has no need nor desire to sell or market your personal information to anyone else. We hold, protect and manage your personal information for the sole purposes of ensuring your membership of the WSCC is valid at any given time, enabling us to ensure you are notified of renewals, and allowing you to pay for continued membership. We only ever use your address information to ensure you get a copy of the quarterly magazine and, as a last resort, if we need to contact you about your membership by post, for example if repeated emails, phone calls, private messages and forum posts have failed and it is deemed important enough to do so.

In rare circumstances, and so long as there is a majority decision from the prevailing committee, we may also mass email the membership with important Club news (such as this very email). These emails are sent "blind" in that you will never see other members' email addresses and other members will not see yours. The WSCC has no need nor desire to email, mailshot or make contact with you for any other reasons.

Confirmation of your membership "may" be requested by the third parties we entrust to provide members with discounted products such as insurance and track days; on the rare occasions that such a third party requires confirmation of membership, we will only ever confirm or deny your membership - no other personal information is given.

What next?

As noted above, we will need to review the impact of GDPR on all of us and make the required changes to ensure compliance; this will take time. What may happen sooner rather than later is that you will be asked to reconfirm your consent (in a manner consistent with GDPR) for the Club to store and use your personal information as summarised above, but in more detail, giving you specific choices and requiring you to physically and knowingly "opt in". Note, as above, your data is required in order for you to be a member; should you at any point determine that you do not want your data to be held securely by the Club, then it follows that you can't be a member, which is logical and reasonable.

As I say, there is much work still to do; we will crack on and aim to make this as painless as possible for all concerned whilst abiding by the new regulations and continuing to protect the data we hold. Thank you for your understanding and patience.


Please feel free to use this thread for open discussion on GDPR, we'd welcome your views...


Can you confirm if the information the AOs hold locally is encrypted, or at least password protected?


Thanks Russ. One of the first and easier things for us is to ensure this is in place and is workable for all.

To note, until we have a view and understand what we need to do on this specific point, we have not sent out the updated lists. Once we have put in place the encryption/passwords we will send them out again.


22 minutes ago, RussH said:

Can you confirm if the information the AOs hold locally is encrypted, or at least password protected?

In the past, it hasn't been; however, AOs haven't received full contact information either. It's always been a limited data set.

But as Andy said, this has been halted until the appropriate measures are in place.


Just to confirm, the membership lists have not been published and won't be until we get agreement that it is right to do so and the info is suitably protected.


How will this impact the club magazine publishing, since we presently distribute a full membership list each quarter to an external publishing company?


Thanks Mark, another valuable question. I believe we would, as Data Owner and/or Data Controller, need to ensure we had proper processes in place to a) ensure we had individuals' permission to do so and b) ensure we have assurances from the printers/distributors that they have their own GDPR compliance measures in place.


Why not survey the entire membership asking the following questions:

  • Do you want to receive the magazine?
  • Are you happy for your AO to have your personal details?

Anyone saying No cannot then be sent the mag or contacted.


Almost like a ‘forum only’ membership? ;):d


True, this is the crux of GDPR. By default we cannot hold your data; we have to ask for it (again) and we have to ask for it for specific purposes, so, as you say, we will have to get everyone to reconfirm, by ticking the check box, that they are happy for us to store their limited personal data for:

  • email contact [check-box]
  • magazine delivery [check-box]
  • AO contact [check-box]
  • managing your membership [check-box]*
  • managing your purchases (track-days, SS entry fees, events, etc) [check-box]*

Technically, how this will work is going to be a PITA.

*If one declines these then I guess it means you can't technically be a member or register and pay for track days and other events...


2 hours ago, Andy Banks - Chairman said:

*If one declines these then I guess it means you can't technically be a member or register and pay for track days and other events...

Which will need to be spelled out in big letters so they understand the mess we will be in!


34 minutes ago, Andy Banks - Chairman said:

True, this is the crux of GDPR. By default we cannot hold your data, we have to ask for it (again) and we have to ask for it for specific purposes, so as you say we will have to get everyone to reconfirm by ticking the check box that they are happy for us to store their limited personal data for:

  • email contact [check-box]
  • magazine delivery [check-box]
  • AO contact [check-box]
  • managing your membership [check-box]*
  • managing your purchases (track-days, SS entry fees, events, etc) [check-box]*

Technically how this will work is going to be a PITA

*If one declines these then I guess it means you can't technically be a member or register and pay for track days and other events...

Quite a few of these aren't necessary from an individual consent point of view; they are implicit in being a club member. It must of course be spelled out that these are part of club membership, which, as you correctly say, does imply that if you don't want them, you can't be a member.

There is an interesting set of MSA documents being published currently; the latest is here.

What isn't implicit in membership, and does need a positive opt-in, is the ability to process and contact members with information the club feels is of interest/benefit to its members, for instance the recent consultation on IVA emissions changes.


Thanks Dave, that feels simpler.


Just to elaborate: the things that are effectively consented to as part of membership need to be spelled out, ideally in the privacy statement, which is both viewed and agreed to as part of sign-up for new members (and retrospectively for existing members), and must remain accessible for anyone to view subsequently.

Here, for instance, is the MSA guidance bulletin on Privacy Notices. Note I'm not necessarily saying these are, word for word, the best solutions. But as they are provided by the MSA for its member clubs, they seem to be a better fit as a starting point than some generic template from the Internet!

I think there are a couple of things that we need to consider. First, to a degree there is nothing new, as we should have been following the Data Protection Act guidelines already. Second, for the club to hold the information is fine, as it's implicitly implied by being a member of the club.

I'm no GDPR expert but have had to get involved recently, as I work in IT (databases) and am currently involved in a couple of projects where it's a key aspect.

The key questions are:

What information does the club request, and can each item be justified as being needed?

How is that information stored, what processes and procedures are in place to protect it and audit access to the information, and do these meet the requirements?

Then we have the issue of passing the information on to third parties.

It has been said that the club mag is an intrinsic part of the club, so as long as the correct processes and procedures are in place for protecting the data then it should not be an issue either. I suspect that the publisher has procedures in place (or it won't be in business long), but we need to have a process for checking and auditing that they have, and then to follow it.

Passing the info on to the AOs I see as a potential issue, and it needs further discussion and investigation. It may be that the AOs don't have the info in the present form, as I can see that opening a whole can of worms. It may be more appropriate that AOs have access to the data via the forum in some way. It could also be that all club officials (AOs included) need to undertake some sort of GDPR training to support the club's GDPR processes and acceptance. If the data is stored centrally then the correct measures can be put in place to make sure it's secure and access is audited, and it can be downloaded etc.

If the club does do mail shots then we need to understand whether they are intrinsic to the club or not, as we may need permission to send emails that are not intrinsic.

We then need to understand what else we do with the data, if anything.

If the club is putting together a group to look into this then I would offer my services to assist where I can.
