The General Data Protection Regulation (GDPR) is an extensive law that took effect in the European Union on May 25, 2018. It replaces the Data Protection Directive, which set minimum standards for data processing, with updated and additional rules protecting personal data. Taking a "consumer-first" approach, the regulation gives individuals more rights and control over their own data. It applies to any business, whether based in the EU or not, that handles the personal data of people located in the EU (the rule is tied to where the individual is, not to citizenship). At a high level, businesses must be transparent about what data they collect from their customers and how they plan to use it, keep that data accurate, and retain it only as long as they need it.
The stringent rules introduced by the GDPR mean there are various factors to consider before a business can call itself compliant. How customer data is secured, where it is stored, how long it is kept and ultimately how it is used are all regulated. If you do not comply, you face a fine of up to 4% of annual worldwide turnover or €20 million, whichever is larger.
Preparing for the GDPR
In order to be transparent with your customers about how their data is collected and used, you must first assess and document all the personal data you hold, where it came from, who it is shared with, and on what legal basis you process it. You should also review the privacy notices you give to customers and update them to state clearly how data will be processed, how long you retain it, and what rights customers have over it.
Create a process for your organization to detect, report and investigate a data breach. Under the GDPR, you are obligated to report a personal data breach to your supervisory authority (the Information Commissioner's Office, or ICO, in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk; a breach that could result in discrimination, financial loss, loss of confidentiality or other serious social or economic harm must be reported. Where the risk to individuals is high, you must also inform the affected individuals without undue delay. Keep an internal log of every breach, including those you decide not to report, along with the reasoning for that decision.
Clubspeed is proud to be the only GDPR-compliant software in our sector. We share our customers' concerns about these new regulations, which is why we have been preparing for them for several months and have implemented the precautions needed to keep you compliant and your customers' data secure. Our development team has updated our software accordingly and is committed to this as an ongoing effort.
Navigating the new GDPR requirements and making sure our customers were covered when the regulation came into effect was a significant undertaking for our organization. It was also an opportunity to demonstrate our commitment to working in the European Union and to lead in our industry. We want to show that we take great care in handling the data of people in the EU and that they ultimately have a say in how it is used and maintained.
Clubspeed is here for you as a partner in handling personal information, starting with the servers that store it. Servers purchased from Clubspeed will have their hard drives encrypted by our support team; keep in mind that if you purchased your own server, you are responsible for making it compliant. Note that full-disk encryption protects data at rest (for example on a lost, stolen or decommissioned drive); it does not protect data on a server that is powered on and unlocked, so access controls, patching and account hygiene on that server remain your responsibility. All backups will be stored via Amazon Web Services in Europe. In addition, we have appointed a Data Protection Officer to oversee our compliance and ensure the transition is as smooth as possible for our organization as well as our clients.
When you first gather a customer's information at registration, we have included additional opt-in preferences for them to select, giving consent for specific uses of their data, such as receiving marketing emails, appearing on public results (leaderboards), receiving text notifications and more. If you gathered a customer's information before the GDPR took effect, they will be directed to update these preferences the next time they visit your facility, before making any product or service purchase. To be valid under the GDPR, consent must be freely given, specific, informed and unambiguous: each use needs its own unticked opt-in rather than a pre-checked box or a single bundled "I agree", and withdrawing consent must be as easy as giving it. For more detailed information about consent, read the ICO's guide on consent.
After you’ve collected their data, customers may reach out to you requesting the following:
- Right to erasure (deletion of information)
- Right to restriction (freezing of information)
- Right to data portability (export of information in machine-readable format)
- Right to rectification (update of information)
- Right to be informed (clear, plain-language information about what data you collect and how it is used)
- Right of access (confirmation that you have collected information; copy of personal information)
If you receive one of these requests, first verify the identity of the person making it, then forward the request to us at firstname.lastname@example.org. The request must be fulfilled without undue delay and within one month of receipt (extendable by a further two months for complex or numerous requests, provided the individual is told about the extension within the first month).
Navigating the GDPR may seem overwhelming, but it doesn't have to be a headache. Leverage Clubspeed as a tool to help you keep your customer data safe. We are here to help and make your job easier; contact us with any questions you may have about our GDPR compliance and the changes we have made to our software.