Yes, it’s those four letters that we have all come to dread.
But like it or not, General Data Protection Regulations (GDPR) is here and is something clubs who hold member data (name, address, email, phone etc) need to consider.
The nub of GDPR (by no means an exhaustive list) is that you should;
(A) Only hold data you need to hold.
(B) Provide a means for members to have their data removed/updated.
(C) Ensure this data is secure and access is restricted to a need-to know basis.
(D) Have a data protection policy to inform members what data of theirs you will hold, who will have access to it, how it is stored and what you will do with their data. Ensure that this is available to all members to read at the point that they submit this data to the club.
(E) Only use this data for what would be reasonably expected for a caving club.
(F) Most caving club activities enable data actively submitted by members to be held under the grounds of ‘legitimate interest’. If you want to share data between members (i.e. address or email lists) this may go beyond ‘legitimate interest’ and may require specific active consent.
The CNCC has put together a document to help clubs interpret all aspects of GDPR which can be downloaded from the publications page of our website.