Viewing 20 posts - 1 through 20 (of 20 total)
GDPR, small clubs and e-mail newsletters

    HarryTuttle
    Full Member

    There must be a few people on here who have knowledge of the new data protection rules and how they apply to a small club.

    My issue is that I help run an archery club.  We communicate with the membership once a week by email.  Currently this is done through a simple mail sent from Gmail with the members BCC’d.  We’ve been advised this isn’t going to be acceptable under the new rules (even with an opt in) as this leaves the Gmail account with access to all the email addresses; it’s also only a click away from sharing all the email addresses.

    The solution would seem to be a group mail service like MailChimp.  However these all require the emails to have a physical address for anti-spam compliance.  The issue here is we shoot in a field; there is no address apart from the personal addresses of the committee members.  It seems bonkers to divulge this personal data in the name of ‘data protection’!

    I could look into a PO box that’ll never be used or some other fudge, but surely there’s a right way to do this?

    Social media’s not really a solution as even with Facebook, Instagram and Twitter we’d only capture half the people we want to.

    Any suggestions?

    Nico
    Free Member

    You need a lawful basis for processing data. In your case, as in the case of the club I’m involved with, the most appropriate is (probably) “legitimate interest”.

    If you have your gmail protected by a password then I don’t think you have to do any more, if all you hold is email addresses.

    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

    You also need to do a Legitimate Interests Assessment. Is there an umbrella body for archery clubs? They can probably supply a template for this.

    matt_outandabout
    Full Member

    +1 on speak to ArcheryGB about their advice – they must have hundreds of clubs going through this.

    You have a lawful basis – they are members, they have opted in.

    We only have passwords to get in to our email system (cloud based) and CharityEmail that we use for our mass mail-outs. This is acceptable.

    Things we have worked on:

    Who has access to our mass email system – and how do we manage / clean up that access on a regular basis to make sure only staff who NEED access and are trained have it? We have a simple, recorded system now of passwords that are on two levels of password, rather than the same passwords for everything we did….

    How do we clean up and manage our membership / sign-ups – again we are reliant for some on CharityEmail doing the unsubscribing and delete thing, some of which is our archaic CRM system that needed a data sort and delete of old records. We again have had to record that, although not a finished process, we have ways and a plan to remove all old or unneeded data by July – and will then do it annually from there.

    Biggest thing –  was working out that even as a small organisation data can ‘leak’ easily, and we found we had it all over the place. e.g. I ran a course this morning and the register with names and emails is on my desk. That *has* to be processed into CharityEmail today and then shredded. We have shut down two Dropbox Accounts as they are not GDPR, and despite only meant for sending big files, some folk had stored personal information in there. We also worked out that much as we are good, we have other organisations that keep sending or sharing personal data with us, that we just need to delete…The classic bit of paper can ‘escape’ physically and digitally and cause a data breach.

    Most of it has been simple – we do have locked office and filing cabinet already of sensitive info, we use a cloud system and not our own laptops to hold 99.9% of our work data and information, a reminder to all to have passwords on phones/computers etc and to never auto sign in.

    HarryTuttle
    Full Member

    Legitimate reasons for holding the data are not an issue; there’s a clear need to have membership details.  Likewise there’s a clear need to communicate with the members and email serves this function.  We can obtain explicit opt in to receive this and maintain the contact list on this basis.

    Archery GB do have guidance, as do the county associations, it was actually via this route that the potential email issue was raised.

    Having run into the address issue I’m now getting mixed info off the internet suggesting that even a simple e-mail to the members could require an address and an unsubscribe link or it’s unlawful.  Obviously no one actually does this!  I’ve had a look at my work inbox and about half the newsletters I get don’t have a physical address on.

    matt_outandabout
    Full Member

    Obviously no one actually does this!

    All our mass emails (more than 20 people, other than staff) go via CharityEmail so that we do have an unsubscribe and our box with charity and address information is on the bottom.

    I think a lot of organisations are going to be caught out shortly….

    woody74
    Full Member

    You don’t have to do anything fancy. You have a legitimate reason for holding the data and then all you need is a process for removing someone’s email address if they request it. You only need to worry about opting in going forward. There is nothing wrong with using a Gmail account as you are currently. GDPR doesn’t say you have to do everything possible to protect someone’s data. You have to just do something proportional. It’s an email newsletter for a club so nothing complicated is needed.

    woody74
    Full Member

    It is email newsletter good practice to have an unsubscribe and an address. This is not a legal requirement either now or when GDPR is in place. It is a legal requirement to have an address on a website if you are selling something under distance selling regs.

    GDPR is going to be like when they brought the Cookie rules in. For the majority of companies it isn’t going to make a difference.

    You just have to show that you have a process to protect customers’ data (such as password-protected computers and email) and that you have a process to delete data either when asked to or when you have no need for it. There is nothing that says how you should do this.

    whitestone
    Free Member

    The problem for small organisations/clubs is that regulations like GDPR are aimed at large corporations where data breaches can run to millions of individuals, and the clubs get caught in the fallout trying to apply the same set of standards. That’s not to say that you shouldn’t take care and have a general duty to protect the information you hold. As Matt says, they are club members so you’ve a lawful basis to contact them etc.

    Unsubscribe link? Just put some text at the end of the letter saying something like “If you don’t wish to receive this email newsletter please contact the membership secretary” and then you just take their email out of the list. It doesn’t need a whole web back end to do it. Don’t over-complicate things, so long as there’s a way for recipients to opt out. Similarly for address, you’re in a club, most members will be reasonably local and are likely to have the phone numbers, email address and possibly physical address of the club’s officers.

    I’m membership secretary of a club, emails are in a database with a different password to the account on the computer. We deliberately limit the personal information we hold about members – Name, email address, gender and age is about the gist of it – as there’s no valid reason for us to hold more.

    pedlad
    Full Member

    Most of the things already mentioned were required with the historic DPA.

    Two of the big changes that GDPR brings are the right to ask what processing you have carried out of the data and the right to be forgotten.  I would just put together a quick policy (or get one from the membership body) and check that your email provider has a method for you to enact someone’s request to be permanently forgotten from their system.

    thelawman
    Full Member

    The secretary of my local BMC group has addressed this in the following way.

    He’s sent out an email to all the regular & irregular attendees at the (roughly) 3-monthly meetings, saying “Please reply to this email, including the following text in your reply:-
    “I hereby consent to my personal data being held by the Midland Area of the BMC as required by the General Data Protection Regulation for the purpose of electronic, printed and hand-written communications from Midland Area of the BMC to me to keep me informed as to what events or activities are being organised in the region. I also understand that I may cancel this consent at any time by sending an email to the Secretary of the Midland Area with the word UNSUBSCRIBE in the subject line.
    (Please add your full name here)”
    I duly ran this past our GDPR expert at work, and she confirmed that was an excellent way of dealing with the whole subject from a small club/charity perspective, and was, frankly, a good bit more than a lot of big business has done so far. There appear to be a lot of heads in the sand on this one.

    Nico
    Free Member

    Having run into the address issue I’m now getting mixed info off the internet suggesting that even a simple e-mail to the members could require an address and an unsubscribe link or it’s unlawful. Obviously no one actually does this! I’ve had a look at my work inbox and about half the newsletters I get don’t have a physical address on.

    When you say “an address” do you mean a postal address or an email address? If it’s the former then I think you have been misinformed. Our club has no physical address, though the membership secretary obviously does. As mentioned before you need to complete a Legitimate Interests Assessment, which effectively says you’ve given some thought to what you are holding, rather than just storing all sorts of bits of information gathered over the years. You also need a means for the members to contact you to view the information you hold on them, and for them to ask you to remove that information. An email address should do that just fine.

    I think this is one of those Y2K type issues where a sensible and well-meaning attempt to deal with a problem has caused panic in the minds of people who really don’t need to do anything much.

    HarryTuttle
    Full Member

    Thanks for the replies:

    It’s a postal address that’s the issue as the club doesn’t have one.  I’m not worried about an unsubscribe facility, that’s easily managed.

    The nub of the issue for me is that it appears I can’t use a group email service without a postal address going on the email and I don’t want to use anyone’s personal address.  We don’t have an address on the website but as we’re not selling anything that’s not an issue as far as I’m aware.

    Regarding the other issues I’m pretty comfortable that with only a little work we’ll be compliant with the regs, as has been mentioned up there ^ sensible policy and some basic procedures should be enough.

    leffeboy
    Full Member

    The only thing you might want to add with Gmail is deleting all old emails, say more than a year old, so that no one could harvest the addresses if there was a breach of your Gmail. Switch on two-factor authentication as well.

    oldmanmtb
    Free Member

    All the above is fairly sound advice, another way of thinking about it is from the Material Damage perspective i.e. what material damage can occur to the individual if the data was lost?

    In many cases there is little material damage.

    bikebouy
    Free Member

    Interesting to see how smaller organisations are getting ready to comply..

    I finished a large organisation (except the last privacy statements the lawyers are handling) and it was quite complex.

    Some good advice on here, you do have to log what steps you have taken and how you are applying the rules to your organisation so they can be audited by the ICO if a breach was to occur.

    Good work..

    oldmanmtb
    Free Member

    We should start a GDPR sticky then. I can do GDPR 24 hours a day…..

    Sad when PCI DSS and ISO27001 make a pleasant change….

    By the way anyone fancy some GDPR consultancy work as we have projects coming out of our ears.

    matt_outandabout
    Full Member

    Sounds like you do need to get a postal address of some kind – are you an incorporated charity? If so, you have to also have that on I believe.

    pat12
    Free Member

    We should start a GDPR sticky then I can do GDPR 24 hours a day…..

    Sad when PCI DSS and ISO27001 make a pleasant change….

    By the way anyone fancy some GDPR consultancy work as we have projects coming out of our ears.

    Hopefully not like any of the consultants I’ve had darken my doors. I know little enough about GDPR to know I need professional help, but the last few we’ve had in masquerading as consultants knew less than me when pressed for a yes/no answer.

    It’s a bigger fiddle than SEO was back in the day IMO; can see a few businesses being screwed over.

    It’s fast becoming a massive pain in my ass.

    /rant over

    grrr

    daern
    Free Member

    Holy thread resurrection, Batman!

    So, our cycle club have been thinking about GDPR for some time, but I suspect we’re taking things a bit too far and shooting ourselves in the foot.

    We email our members periodically about strictly club-related matters – mostly, in truth, advertising committee meeting dates and circulating minutes and agendas, although we also let people know about upcoming races and other strictly club-related events. My view is that (at the very least) the committee meetings notifications are part of the club’s rules and that to not notify members of it would probably be a worse sin. BC’s guidance appears to tally with ours, stating that providing there’s no overtly marketing content and that the information is strictly club business related, then it’s assumed that a paid-up club member would want to receive it under the boxes they’ve already ticked when they joined the club through BC:

    https://www.britishcycling.org.uk/zuvvi/media/bc_files/gdpr/GDPR_SUPPORT_FOR_CLUBS_AND_GROUPS_Final.pdf (bottom of page 4 and into page 5 is quite explicit here)

    Would any other cycling club members want to share their own thoughts or experience here, before we start purging our membership records?

    oldmanmtb
    Free Member

    Read below –

    These are the ICO words:

    This can be broken down into a three-part test:

    1. Purpose test: are you pursuing a legitimate interest?
    2. Necessity test: is the processing necessary for that purpose?
    3. Balancing test: do the individual’s interests override the legitimate interest? Individuals are provided the opportunity to opt out at any time

    A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.

    The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.

    ‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.

    You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.

    What is a ‘soft opt-in’?

    The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out – both when you first collected their details, and in every message you send.

    The soft opt-in rule means you may be able to email or text your own customers, but it does not apply to prospective customers or new contacts (eg from bought-in lists). It also does not apply to non-commercial promotions (eg charity fundraising or political campaigning).


The topic ‘GDPR, small clubs and e-mail newsletters’ is closed to new replies.