Do not panic about the General Data Protection Regulations

Data is a precious thing – Tim Berners-Lee (creator of the Internet)

On 26th February 2018 the Kennel Club published a press release about the new General Data Protection Regulations (GDPR) which come into effect on the 28th of May.  One paragraph states, ‘It is important for clubs and societies to be aware of the way in which data must be handled in line with the requirements under the GDPR. Whilst it may seem complex, there are some relatively straightforward immediate steps which will help clubs to get in shape for GDPR’.  This release was clear and accurate as far as it went but it would appear that Clarges Street has had a number of queries from secretaries of canine associations since then for there has been a further press release designed to ‘clarify’ what clubs need to do and a further ‘guidance sheet’ both of which, it has to be said, has done little more than provide a layer of confusion.  May I bring some clarity to the situation?

But to begin at the beginning: few associations will still have a formal hand written members register or card index.  Occasionally snail mail might be used but the vast majority of communications between secretaries, committees and members is likely to be via email using easily readable/printable attached files and records of members will be on a spreadsheet.  However, the details held have usually been simple and practical.  The original Data Protection Act was not much interested in small organisations that just held names, addresses, phone numbers and email addresses on a database for most of the information was in the public domain but as from May 28th, 2018 this is no longer the case and any data held in whatever form (even on a card index) is subject to the new General Data Protection Regulations (GDPR).  You will no doubt have received many letters over the last few weeks from almost every government and commercial organisation which holds data about you explaining what data they hold and why they hold it and given the pages of small print it is is not surprising that those who are responsible for the data held by canine societies might be beginning to worry that they may fall foul of the bureaucratic nightmare which appears to be approaching.  The Kennel Club’s intervention will not have helped ease their minds.

Don’t Panic

Do not panic: although everyone responsible for data held on behalf of any organisation is subject to the act the vast majority if not all breed or general canine societies do not even have to register.  The reason is that data held for a not-for-profit organisation is exempt.  If you need evidence then you only need to go to https://ico.org.uk/for-organisations/register/self-assessment/ and complete the short and simple questionnaire.  It is a simple survey at the end of which you are informed whether or not you need to register – and if you do, you can go directly to the registration page.  Even when you get there it only takes about 15 minutes to complete so it is quick and certainly not complicated.   However it is unlikely you will be required to register and you will be presented with information:

‘If your organisation was established for not-for-profit making purposes and does not make a profit or your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others. You must:

  • only process information necessary to establish or maintain membership or support; 
  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it; 
  • only share the information with people and organisations necessary to carry out the organisation’s activities. Important – if individuals give you permission to share their information, this is OK (you can still answer ‘yes’); and
  • only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration.

If you can answer yes to all those questions you do not need to register but you are informed that you may voluntarily register if you prefer.

Voluntary registration

If you think about it, data protection is all perfectly straightforward and reasonable and the aim is sensible: it is to allow individuals to stay in control of their personal information and to ensure that those organisations that hold personal data protect it, use it responsibly and do not sell it or distribute it without your permission.  As I have explained, registration will not apply to your club under normal circumstances but if, say, an insurance company suggests perfectly reasonably that they pay your club a fee to circulate all the members with a special offer, and you accept you would immediately find yourself in the data protection minefield so it would be wise to refuse such requests whether you are registered or not.

Your committee may feel they should register voluntarily even though your society fulfils all the criteria above but either way your organisation has a duty under the regulations to keep your data safe and the following summarises what you need to do.

Your committee should first identify one person within your society that is going to be responsible for data protection.  This does not automatically have to be the secretary.  It will not be an onerous role and it would make life easier for secretaries if they had someone on the committee (it could be the chairman, treasurer or any other member) to whom they could refer when they were communicating with members if it was not in the normal course of the society’s activity.  This is likely to happen very seldom for the circulation of minutes, AGM notices, newsletters and the like would carry on exactly as usual.  However, it is important to ensure whoever it is thoroughly understands what is required of them.  There are fines for not fulfilling the role properly but again there is no need to worry.  The director of the DGPR has made it quite clear that all monitoring activity will be proportional, registration is voluntary in any case and the likelihood of any canine society seriously misusing the data of its members is pretty remote.

What you need to do

The next stage is for you to list all the data about your members which you actually need.  I totally approve of this requirement because I get extremely irritated with those intrusive requests for information such as my age, education and ethnicity, whether it is from government or any other source.  You may find that you are, without realising it already asking for more detail than you need.   Name, address, telephone numbers, email address and contact details is all the personal information you should need about members. What you do not need and must not keep, are details of their peccadillos: in fact you are now not allowed to keep personal notes about anyone on a database for which you are responsible (‘always “picky”- handle with care’ or ‘hates X with a vengeance’ are not acceptable however useful they may be as a memo for you or a future secretary) and as you are duty bound to provide all the information you hold about a member on request it is probably not wise in any case!

Many societies now may include details of judges, litters, potential puppy owners and extensive databases regarding health which also requires the asking of legitimate questions but this is all still within the bandwidth of a ‘not-for-profit’ organisation so falls within the definition of ‘normal activity for a not for profit organisation’.

Safety and security

All data must be held securely so your computer must have a password, filing cabinets or card indexes holding data must be locked and keys kept safely and, registered or not, you should also be very careful about allowing others access to your database.  It may well be that your treasurer or newsletter editor has a perfectly good reason to have a copy but they, too, must understand that it may only be used for the precise reason they need it and the same security and safety measures that you, as the holder of the data, should be in place.

The fact that someone has ‘joined’ your association means that by definition, they are happy to receive information from you about it and its activities but if you want to circulate your members with commercial advertising, charitable or other material then you should make arrangements for any of your members who do not wish to receive such information to opt out.  This is not likely to be a very common occurrence and is easy to do if you are going to email them all: you simply include an ‘opt out’ clause and you should make sure that anyone who does so does not receive such emails in the future.

You should inform your members about what data you are storing and why.  There is nothing complicated about this you can just send them an email.  To help I have put form together which should be sufficient to fulfil the requirements of the Act.  I have tried to include all the points demanded by the legislation so you do not have to keep any other records of what you do and how you do it.  ‘Keep it Simple’ has always been my mantra and just because the legislation seems complicated does not mean we have to do any more than absolutely necessary. I have included ‘marketing activates’ for completeness but if you are not going to do this you can simply delete the italicised lines.

Data Protection Notice and Permission to hold contact details for all members of (insert association’s name)

To comply with the current legislation on data protection we must tell you what personal data we hold about you, why we hold it and have your permission to retain it.  We securely store data about members to ensure we can contact them by mail, telephone or email:

  • in an emergency
  • about the activities and meetings of the club, reminders of closing dates for shows and events, requests for assistance at club events
  • our regular newsletter
  • any special offers we believe will be of interest to you

You can opt-out of any marketing contacts if you wish by informing the secretary.

Any data we hold will not be provided to any other person or business except as required by law.

  • You may request to see all the personal data we hold on you (we are allowed 30 days to provide it)
  • We only keep your data for the reasons outlined above
  • We destroy your data if we have had no contact with you for (x) years
  • For the smooth and efficient running of our association we need to keep a record of
    • Your name
    • Your Address
    • Your landline and mobile telephone numbers
    • Your email address
    • Contact details of another responsible person in case of emergency

______________________________ (Insert name, telephone number and email address of the person responsible for data protection within the Association)

PS: I have researched this article thoroughly  and I will be taking my own advice but please note I am not a lawyer and the information should not be regarded as a formal legal opinion.

Explore posts in the same categories: pedigree dogs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: