Ensuring GDPR Compliance
Specific Steps for GAA Units to ensure Compliance
It is imperative that every GAA Club, County and Province understands the principles of Data Protection and how the upcoming changes in legislation will affect them.
GDPR will benefit all of us, it will ensure that our Personal Data is protected from misuse by any organisation. It will also ensure that, as a Data Controller, each GAA Club, County or Provincial Board will be accountable for how it collects, uses and stores information about individuals under their remit. It is critically important that every member is aware of the changes that GDPR have brought and how that impacts them, either as a volunteer working on behalf of the Club or as an individual Club Member.
This awareness will also benefit all of us in our personal lives as GDPR also relates to Banks, Insurance Companies, Utility providers, On-line Marketing etc. Clubs should ensure that information relating to GDPR is made available to Committee Members, Club Members, Coaches, Volunteers or anyone who is in anyway involved with the Club.
As the saying goes, ‘You can’t manage what you can’t measure’ and this is especially true regarding Data Protection. It is imperative that each GAA Club, County and Province understands exactly what Personal Data it holds (and is responsible for). To ensure this is clear, it is important that every club makes an inventory/processing log of the personal data that it holds. A template is available on all administrator’s Microsoft OneDrive accounts. (This content can be viewed by administrators by logging on to OneDrive with their @gaa.ie email address and selecting the following menu option: OneDrive> Shared> Shared With Me > GDPR Repository).
Obviously, the primary source of Personal Information held by a GAA Club is its Membership database. All registered members’ information is stored on the GAA’s central Games Management System (Servasport) and responsibility for this information is jointly held by the GAA centrally. Specific consideration must also be given to paper Membership Forms and how these are managed once they have been completed and received by the Club. It is OK to collect information on paper forms, and to retain them in hard copy after they have been completed, as long as the member is made aware of this at the time they are completing the form. It is vitally important that any completed forms are stored securely in a specified location.
The same logic should be applied to any other system or database used to assist a Club when managing its membership. It is OK to use technology supports in this way but careful attention must be paid to how and where data is stored (it must be secure and should be encrypted) and individuals must be informed if a third party is being used to provide a system for this purpose. Most of the third party providers of these kinds of systems (online registration, text messaging, fundraising) will be well aware of GDPR and will be able to advise on how they are ensuring compliance. If your Club is using a third party system you must ensure a contract/agreement is in place. Guidance for such contracts is available on the Data Protection Commission’s website at http://gdprandyou.ie/wp-content/uploads/2018/05/Guidance-for-Data-Processing-Contracts-GDPR.pdf.
Other likely categories of Personal Information held by GAA Clubs will include:
• Information required for Garda Vetting
• Cul Camp or other training camp applications
• Text or messaging systems
• Email lists or distribution groups
• Teamsheets, training attendance lists
• Information captured on club websites
There may also be others, depending on individual clubs, and it is important that each club has a record of all of the Personal Data that it ‘controls’.
As noted above, it is required that individuals are made aware of certain information such as why their data is being collected and who will have access to it, before their data is obtained. Official Membership Forms have been updated to include this requirement, and other forms used to collect data (e.g. Garda Vetting) must also be updated to specifically tell individuals the following:
• The Club/County/Province’s identity
• The reasons for collecting the information
• The uses it will be put to
• Who it will be shared with (third parties – e.g. Servasport)
• If it’s going to be transferred outside the EU
• The legal basis for processing the information
• How long it will be retained for
• The right of members to complain if they are unhappy with the implementation of GDPR
• Other specific personal privacy rights relevant under GDPR (as outlined in Personal Privacy Rights section)
Ensure Personal Privacy Rights
GDPR enshrines certain rights for individuals that must be supported by every Data Controller, including all GAA Units. It should be noted by members that these rights extend to any organisation that holds your information including Financial institutions, utility companies etc. These rights include:
- The Right to be Informed
You have the right to receive information relating to the processing of your personal data and this should be provided to you at the point your personal data is collected.
- The Right to Access
You have the right to receive a copy of your information.
- The Right to Rectification
If your personal data is inaccurate, you have the right to have the data rectified without undue delay. If your personal data is incomplete, you have the right to have data completed, including by means of providing supplementary information.
- The Right to Erasure
This is also known as the ‘right to be forgotten’. You have the right to have your data erased, without undue delay, by the data controller under certain circumstances.
- The Right to Data Portability
In some circumstances, you may be entitled to obtain your personal data from a data controller in a format that makes it easier to reuse your information in another context, and to transmit this data to another data controller of your choosing without hindrance.
- The Right to Object to Processing
You have the right to object to certain types of processing of your personal data. You have a stronger right to object to processing of your personal data where the processing relates to direct marketing.
- The Right of Restriction
You have a limited right of restriction of processing of your personal data by a data controller. Where processing of your data is restricted, it can be stored by the data controller, but most other processing actions, such as deletion, will require your permission.
- Rights in relation to Automated Decision Making
You have the right to not to be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you.
Report Data Breaches
If unauthorised access to Personal Data occurs or Personal Data is lost or stolen, this must be notified to the Data Protection Commission within 72 Hours of being identified. This is a requirement for all paper information and all electronic information if the breach is a risk to the individual(s) affected (unless the data is encrypted or anonymised). If the breach is high risk to the individual(s) (identity theft or breach of confidentiality) then the individual(s) must also be informed without undue delay. A procedure to detect, report and investigate data breaches should be in place.
It is imperative that Data Breaches or possible Data Breaches are not ignored in the hope that no one will notice, they must be investigated and reported if appropriate to do so. Advice can be obtained by emailing email@example.com.
Note: The 72 hour deadline for notification to the Data Protection Commissioner applies irrespective of any steps being taken to understand the causes of the breach.
Identify Data Protection Coordinators
Every GAA Club, County and Province should identify someone/a team to coordinate their approach to meeting their Data Protection obligations. This will include identifying and recording the specific locations where data is held in each club, ensuring that consent is obtained in the appropriate manner and maintained accordingly. The GAA centrally has a Data Protection Officer who will provide expertise and guidance for any Data Protection queries that require additional / legal advice. Queries of this nature can be submitted to firstname.lastname@example.org.
Further guidance for GAA Clubs is available in the “GDPR for GAA Clubs” document on this page and within the Microsoft OneDrive of all administrators. This content can be viewed by administrators by logging on to OneDrive with their @gaa.ie email address and selecting the following menu option: OneDrive> Shared> Shared With Me > GDPR Repository.”