GDPR

[Chris_Sav]

Has anyone delved into the subject of data protection in our league associations and websites and got any definitive knowledge?

What's on the net seems terribly confusing to me and conflicting versions exist.

Do leagues need to pay to register with the ICO's office and appoint a data protection officer?

Can my association be described as not for profit when we hire out tables to pubs?

What steps should we take to comply?



None of my sites gather information so I believe that exempts a lot, they are just results services with no more information than a name, though associated photos could need explicit permission.

May apply more to the AEBBA site, I suspect, where they have data gathering through entry forms, affiliation documents, publish player profiles in oarticular and also are a table hire business.

We mostly hold records since the year dot so that contravenes the principle of not storing a person's data for longer than is necessary.

We give out data when we get trophies with players' names engraved by third party suppliers, should we be checking engravers' GDPR compliance?

www.wrighthassall.co.uk/knowledge/legal-guides/2018/08/21/guide-gdpr-sports-clubs/
appears one of the more comprehensive guides (did I need permission to publish that?)

We publish players averages and results, does that require a Data Protection Impact Assessment every week?

Seems a complete overkill piece of legislation to me.
 
I don't believe for one minute that the Information Commissioner would descend upon our small leagues when there are far bigger fish to fry, but this has been a bit of a itch for the last year. I don't particularly want to risk waking the sleeping dragon by contacting the ICO for an answer.

Chris,

I have already taken necessary steps on behalf of AEBBA to be compliant with our obligations under this legislation. In February 2018 I issued emails to all known contacts on our ‘database’ (spreadsheet really!) inviting them to opt in to us holding and using their data for engagement purposes.

Those who did not respond or did not opt in no longer have data stored and no longer receive ‘marketing’ type communications.

Further, of those who pay for event entry via our website - no personal data is retained and Payment information is not recorded as we use PayPal.

We are not required to appoint a DPO under GDPR legislation because we do not process data under the definitions required. Please note the below as this should reassure you about your own organisation:

Under the GDPR, you must appoint a DPO if:

you are a public authority or body (except for courts acting in their judicial capacity);
your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

We are not required to pay a DP Fee as we are not controllers, joint controllers or even processors of personal data.

Historically, Northants used to offer secure login access to various aspects of league affairs - this would have been subject to GDPR compliance - we removed this prior to the 25th May 2018. The AEBBA website does not offer this service either.

For league affairs, unless you operate differently with rental schemes and data processing in that fashion you are likely not to have a GDPR compliance issue. You may want to ensure that everyone has had the opportunity to Opt In to this forum, however, as you store personal information (including DOB) as I recall.

Happy to talk things through.

Lorin

Mar 10, 2019 11:21:08 GMT @reformedcharacter said:

Chris,

I have already taken necessary steps on behalf of AEBBA to be compliant with our obligations under this legislation. In February 2018 I issued emails to all known contacts on our ‘database’ (spreadsheet really!) inviting them to opt in to us holding and using their data for engagement purposes.

Those who did not respond or did not opt in no longer have data stored and no longer receive ‘marketing’ type communications.

Further, of those who pay for event entry via our website - no personal data is retained and Payment information is not recorded as we use PayPal.

We are not required to appoint a DPO under GDPR legislation because we do not process data under the definitions required. Please note the below as this should reassure you about your own organisation:

Under the GDPR, you must appoint a DPO if:

you are a public authority or body (except for courts acting in their judicial capacity);
your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

We are not required to pay a DP Fee as we are not controllers, joint controllers or even processors of personal data.

Historically, Northants used to offer secure login access to various aspects of league affairs - this would have been subject to GDPR compliance - we removed this prior to the 25th May 2018. The AEBBA website does not offer this service either.

For league affairs, unless you operate differently with rental schemes and data processing in that fashion you are likely not to have a GDPR compliance issue. You may want to ensure that everyone has had the opportunity to Opt In to this forum, however, as you store personal information (including DOB) as I recall.

Happy to talk things through.

Lorin

Forgot to add:

We should all be seeking to store any information we have about our players and partners in such a manner so as to be able to respond to a Subject Access Request from anyone who wishes to receive details of all the data an organisation may hold relating to them and how it has been processed. This, for AEBBA, is a monumental task as there has been no consistent approach or thought given to this in the past. We would therefore be vulnerable in this case.

Be assured, however, performance records, scores, breaks, results, winners, losers etc does not constitute personal data if it is unlinked to a data record from which someone may be identified for the purposes of processing their data. At AEBBA we store none of that which would make identification possible.

For example: Having a record in a pdf on our website that states: Chris Saville (Suffolk) 20,190 or 2018 Winner or anything like that is not enough for someone to be able to identify you and utilise this data. That said, if you submitted a SAR then we would need to forward all such records that we have. That would be a challenge as I suspect most of it only exists on spreadsheets or pdfs on people’s computers - some of which we have no way of recovering.

As such - we continue to try to control all of the data we use and will be setting up a central repository in order to be able to meet this challenge.

Thanks,

Lorin

[Chris_Sav]

Thanks Lorin,

Not too worried about Proboards as each user controls their own privacy settings which staff cannot override or view. It does concern me that pictures of event winners are identifyable, for example, thus might need permission.

Could you please advise the date when you sent around the GDPR email as I do not appear to have received it and do not remember replying to it.

My principle concern regarding the websites is publishing names where explicit permission has not been obtained. I don't understand how my own league are not breaching GDPR by publishing names without explicit permission. I would appreciate advice on this.



I'm looking into this now as I've been forced to refamiliarize myself with the programme suite I wrote for our league database some twenty five years ago and have not touched in the last ten, thank heaven I got hold of a copy of the compiler and encyclopaedia. I'd like to overcome any hurdles before I forget it all again, become too doddery or fall off the perch. 


[EDIT] some cross posting from me with your additions

Hi Chris,

You raise a good point regarding images. For the most part, the images used on the AEBBA site have been approved by the individuals concerned and express permission has been sought in each case. This includes player profiles, splashes and many of the event images. That said, presentation images, winners etc. have not been invited to authorise the use of images and so I will remedy that immediately.

For future event entry forms I will add an opt-in and will contact those for who I have images which I’d like to use on the website from the recent Bournemouth event to seek approval.

I also need to think through how this may apply to the use of images on our social media platforms. But will revert soon on this.

[Chris_Sav]

Thanks again Lorin, I too will keep digging.


As owner of the proboards site, I believe the only area I, as the owner, definitely contravene GDPR is the tables map, as I own that as well.