Data Protection and GDPR

Some significant changes to Data Protection legislation came into effect on 25th May 2018 which had an impact on how the LGFA, at all levels, engages with its members. It is important that every LGFA & GAA Club, and indeed every member, is aware of how these changes in the law affect the ways in which members’ personal information can be collected and used for LGFA and/or GAA purposes.

What is Data Protection?

• Data Protection legislation is intended to protect the right to privacy of individuals (all of us) and seeks to ensure that Personal Information is used appropriately by the LGFA, the clubs and any authorised third parties that may have access to it.
• In essence, Data Protection relates to any information that can be used to identify a living person, such as Name, Date of Birth, Address, Phone Number, Email address, Membership Number, IP Address, photographs, etc.
• There are other special categories of information which require more stringent measures of protection. These categories include religion, ethnicity, sexual orientation, trade union membership, medical information, etc.

What is GDPR?

• The General Data Protection Regulation (GDPR) is new EU legislation that came into effect on May 25th 2018.
• It very clearly sets out the ways in which the privacy rights of every EU citizen must be protected and the ways in which a person’s ‘Personal Data’ can and can’t be used.
• It places the onus on the person or entity that collects a person’s information (Data Controller) to comply with the legislation and to be able to demonstrate compliance.

Data Protection can be summarised in the following ‘7 Principles’:

• Lawfulness, Fairness, Transparency
• Purpose Limitation
• Data Minimisation
• Accuracy
• Storage Limitation
• Integrity and Confidentiality
• Accountability

What does Data Protection Legislation mean to me?
The legislation sets out rules about how this information (Personal Information) can be obtained, how it can be used and how it is stored.

Each organisation processing such data must be able to justify the processing with reference to a lawful basis, permitting their data to be collected and processed for a specific purpose or purposes. A list of these lawful bases is provided within the Regulation.

Where organisations rely on individual consent to legitimise the processing, individuals must specifically Opt-In and must be allowed to Opt-Out at any time. They must also be given the opportunity to review the consent they have given on a regular basis (i.e. yearly).

Data must be kept safe and secure and must be kept accurate and up to date as necessary in order to achieve the intended objectives.

An individual can request a copy of all of the personal information held about them (this is called a Subject Access Request) and can request to have all of their data deleted or returned to them, as long as there is no legal barrier to doing so.

• GDPR Support For Clubs (389 KB)
• GDPR Definitions (527 KB)
• LGFA Data Inventory Log (15 KB)
• LGFA Data Protection 10 Point Checklist (153 KB)
• LGFA Privacy Notice (122 KB)
• LGFA Data Retention Policy (103 KB)
• LGFA Subject Access Request Policy and Procedure (670 KB)
• LGFA Data Breach Policy and Procedures (306 KB)
• LGFA Data Incident Notification Form (261 KB)