Your email inbox may be flooded with information on the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. Because Rotary staff members process the personal data of European members, Rotaractors, program participants, and others, Rotary International is obligated to comply with this new data privacy law.
But what about clubs? Are individual clubs subject to GDPR?
Most clubs capture and maintain information on individuals that are relatively close, and not subject to GDPR. However, as an international organization, there are instances where clubs may need to ensure they are in compliance.
For instance, if your club maintains contacts or any personal information from Rotarians that reside in the EU, that data falls under GDPR. If sponsorships or relationships involve entities that are based in Europe (such as Shelterbox UK, RIBI, etc.), or if grants are undertaken with other Rotary clubs in the EU, GDPR may apply. Even youth exchange students coming from countries in the EU could trigger a need for a club to come into GDPR compliance.
Rotary International respects your privacy and works hard to protect your information. With GDPR coming into full effect, this is the perfect opportunity to reinforce data privacy and security methods for anyone who shares personal information with Rotary — no matter where they live.
Here are some FAQs about GDPR:
What is the General Data Protection Regulation?
GDPR is a new European Union law that strengthens data protection rules for EU residents. The law applies to all companies that process data within the EU but also to foreign organizations, like Rotary International, that offer goods and services to EU residents. GDPR has been on the books since 2016, and companies have been working to comply with the law before it takes effect across the EU on May 25, 2018, effectively replacing the EU’s 1995 Data Protection Directive.
What does Rotary International do to protect personal data?
Long before GDPR, Rotary’s policies took great care to protect your information. Rotary.org’s Website Privacy Policy explains what information Rotary collects, how Rotary collects it, and how Rotary uses it. Rotary International also strives to give you control over your data so you can decide what personal information to share and review, whenever you want.
The measures Rotary takes to safeguard personal data includes using password-protected databases on secure servers utilizing SSL certificates. These servers are behind firewalls for protection. Rotary International also requires all staff to attend information security awareness training each year.
How has Rotary International prepared for GDPR?
Rotary International completed a readiness assessment and risk analysis. These helped Rotary understand how the new regulation will affects processes, and what the organization needed to change to comply with GDPR. That analysis led Rotary to focus on the following areas:
Process inventory. Rotary inventoried all personal data processing activities in order to comply with GDPR’s Article 30.
Lawful basis. Rotary reviewed all data processing to ensure that there was a documented legal basis, or reason, for every process, according to GDPR.
Policy and notices. Rotary updated the Website Privacy Policy to meet GDPR expectations. Rotary is also making those notices about how personal data is used more specific.
Records management. Rotary created and updated schedules for retaining records that contain personal data to make sure record keeping took only as long as necessary.
Data breach procedures. Guidelines for responding to a breach were modified in accordance with GDPR expectations for notifying constituents of a breach.
What does GDPR mean for us?
Rotary is applying these new standards globally, not just for European members and constituents. No matter where you live, if Rotary processes your personal data, you will have the following rights:
Right to be informed: Rotary will regularly disclose to you what personal data gets collected and for what purpose.
Right to object: Individuals can tell Rotary if they no longer want personal data to be processed in a certain way, such as for direct marketing.
Right to rectification: Individuals can write data@rotary.org to correct errors in your personal data.
Do I need to give Rotary International consent to use my personal data?
Broadly speaking, no. Under GDPR, consent is just one of six legal bases used to determine that processing someone’s data is lawful. Rotary will generally rely on “legitimate interest” as the lawful basis for processing personal data, because doing so is necessary to effectively manage and operate Rotary and won’t unduly infringe an individual's legal rights. Rotary International will ask for consent only when it is truly appropriate.
Being part of District 5340, my club is not in the EU. Do I need to do anything?
Possibly. Even though your club is not in the EU, you are required to follow GDPR rules if you process the personal data of EU residents. There are many instances where clubs may retain or collect the personal information of EU residents, in the normal course of club operations. Club members may also need to comply with GDPR if they welcome European attendees at events, host exchange students from Europe, or partner with European members on events or service projects.
What about my website? Do I need to update my privacy policy?
Taking a fresh look at your privacy policy is always a good idea. For clubs that use ClubRunner to manage their websites, ClubRunner has already posted a revised privacy policy that addresses some of the questions raised with GDPR. The privacy policy has already been automatically pushed out to your website, and is already live. For information, check out the Rotary District 5340 Privacy Policy by clicking here.
For clubs that maintain their own websites or use another provider, you should check with the website administrator to ensure that the privacy policy is in full compliance with GDPR.
What else is Rotary as an organization doing to help clubs with GDPR?
While the new regulations go into effect May 25, 2018, Rotary has updated the rotary.org Privacy Policy with terms that align with GDPR. Rotary will also hold a breakout session at the Rotary International Convention in Toronto, where participants can learn more about our compliance efforts. It’s Data Privacy and Data Protection: Rotary’s Compliance with GDPR on 27 June, 13:00-14:00. And you can write privacy@rotary.org with any questions.