This information, created by The Kennel Club's data protection team, provides guidance on the EU's general data protection regulation (GDPR). We wish to address any confusion around the application of GDPR to the usual activities of a club or society, and, in particular, the need to obtain consent.
You do not have to follow this guidance; it is merely our intention to try to keep matters as simple as possible.
The principles of protecting data have not changed. However, there is now a need to demonstrate compliance to a greater extent, and so we are providing some of the main tools a club or society will need, namely:
- a data audit template, to record who/what/why/when and where you may process data
- a privacy notice template, to inform members/judges and exhibitors/competitors as to how data is used
GDPR came into effect on 25 May 2018. There are important sections of this regulation which were subject to consultation by the ICO, in order for the ICO to issue guidance to assist organisations of all sizes. This consultation closed in February 2020.
The issue is further complicated by Brexit. After Brexit, the UK will pass its own updated data protection laws, which must incorporate the GDPR requirements, but there may be further changes.
Whilst there are compliance issues, the principles of data protection will remain broadly as they are now.
GDPR principles for processing data
- Lawful/fair and transparent
- Accountable; demonstrate compliance
- Purpose limited
- Adequate/relevant/limited data
- No longer than necessary
- Data security - technological etc. protection from breach/notification of breach/planning
To some extent, registered clubs and societies are likely to have fairly limited data processing activities. The first step is to assess the data processing activities. The five Ws are a good place to start with a data mapping exercise.
This will actually be beneficial in helping to secure compliance under the new data protection law. It is important that the registered club or society knows what it does with data. The data map will then help develop an information notice which will serve as the rationale and legal basis for processing data – a requirement under the GDPR.
A club or society needs to complete an overview of how it handles data by asking five key questions:
- Why? - The purpose/reason for holding data
- Who? - Whose data are you holding?
- What? - What data is being held?
- Where? - Where is the data being held?
- When? - For how long is the data held?
If your club has any queries or wishes to ‘walk through’ a data mapping document, please email the data protection team.
More information about GDPR
The aim of GDPR is to remove uncertainty and bring consistency and harmonisation in data protection throughout the EU, and to make data protection important and to embed it throughout organisations.
It is a 'regulation', meaning it is directly applicable in each EU member state, including the UK. It will not be affected by Brexit, because to exchange data and trade with the EU the UK will have to be granted adequacy status (so it will need data protection requirements at least equivalent to the GDPR).
The regulation applies only to personal data of “natural persons” i.e. living individuals.
Lawful bases of data processing
At least one of the following conditions is required for processing or storing of personal data to be lawful:
- Consent of the data subject:
- Freely given, specific, informed and unambiguous
- If processing for multiple purposes: specific, granular, unbundled
- Consent must be affirmative – silence or inactivity does not constitute consent, it requires ‘opt-in’ rather than ‘opt-out’
- Written consent must be clear, intelligible and easily accessible
- Consent can be withdrawn at any time, and it must be as easy to withdraw consent as to give it
- Necessary for the performance of a contract:
- Or steps preparatory to such a contract
- Necessary for compliance with a legal obligation
- Necessary to protect the vital interests of the data subject
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority
- Necessary for the purposes of legitimate interests:
- Where there is a valid legitimate interest in processing an individual’s data e.g. for purposes directly related to the purpose for which it was collected
- The individual should reasonably expect their data to be used in this way
- A balancing test is required; legitimate interests can be overridden by interests or fundamental rights and freedoms of the data subject
Data subject rights
The GDPR confirms and expands rights in current data protection law:
- Right to withdraw consent:
- It must be as easy to withdraw consent as to give it
- Individuals must be able to withdraw their consent at any time
- Right of access:
- To confirm if and how an individual’s personal data is processed and provide a copy of the data if an individual makes a subject access request
- Right of rectification:
- To rectify inaccurate or incomplete personal data
- Right of portability:
- For an individual to have data transferred to another data controller
- This right is limited and only applies in specific conditions
- Right to object:
- Individuals can object to specific types of processing
- These are: direct marketing, those that are based on legitimate interests or the performance of a task in the public interest/exercise of official authority, and processing for research/statistical purposes
- Right of restriction:
- In certain circumstances an individual can request their data be stored but any further processing restricted; e.g. whilst a complaint is being resolved
- Right of erasure:
- Except in certain circumstances, individuals can require data to be erased where there is a problem with the underlying lawfulness of processing or where consent is withdrawn
- Automated decision making:
- Individuals have a right to be informed of the existence of automated decision making, including profiling, and the anticipated consequences
- Individuals have a right not to be subject to automated decision making, except where necessary for a contract, authorised by law or based on consent
- Right to lodge a complaint with the ICO
Personal data breaches and reporting
A personal data breach includes the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
There is a strict, short time limit: the ICO must be notified of the breach without undue delay, and no later than 72 hours.
Reporting is only required where there is a risk to the rights/freedoms of data subjects. However, the risk is wide ranging, so consider reporting any suspected breaches.