REC GDPR compliance
Revision v.1, 3rd May 2018
Author – Kerry Marsh
Data Asset Register
Data in this context means members’ personal data. Members’ personal data is acquired when taking out or renewing a membership subscription. It is also acquired when placing an order for spares. Lastly it is also recorded when asking the Registrar to add details of members’ motorcycles to the club register.
The subscription personal data is stored on the website server which is managed by a Third Party service provider – Woodlands Design. The website also stores details of orders for New Spares.
The club registrar maintains the register of Rudge Motorcycles, including contact details of those members who register their machines with him. However, this contact information is not maintained or updated from the master database of members’ data, which is considered to be the subscription database. The Registrar will from time to time help members register motorcycles with the DVLA at their explicit request and with their consent.
The membership secretary provides lists of members’ contact details to a third party, Pagefast, in order to distribute copies of the club magazine.
Woodlands Design, the DVLA and Pagefast are the REC approved third party suppliers with whom members’ personal data will be shared.
Data Privacy Risk assessment
In providing the legitimate services offered to members, the REC uses members’ contact details to:
- Provide members with access to the website.
- Help maintain members’ subscriptions to the club.
- Send copies of the Radial magazine to members.
- Organise social events and notify members of them.
- Help members register bikes.
- Provide members access to new and used spares and Regalia.
- Enable members to access the librarian, the archives and model experts in the club for help.
- Enable members to order new and used spares.
In providing these services the REC uses members in key roles to assist the committee. They are data processors.
The REC has identified the following risks to members’ personal data in carrying out these services:
- There is a risk of the website being hacked and members’ personal data stolen.
- There is a risk that Directors or data processors will share members’ personal data with other members without consent or with non-approved third parties.
- There is a risk that our approved third party suppliers may cause our members’ personal data to be shared with other parties.
Governance
The REC has determined that the Data Controller is the General Secretary and the Data Processing Officer is the Treasurer. The data processors are the Membership secretary, the New Spares and Used spares officers, the area representatives, the Librarian, the Registrar, the Archivist and any other committee assistants as identified by the General Secretary.
The REC has prepared and circulated to all members a copy of our Privacy Document. It explains how the REC complies with GDPR and makes clear members’ rights.
The REC has circulated a notice to all members making it clear that in joining or renewing a subscription, a member is implicitly consenting to the REC using their personal data to deliver the legitimate services of the club.
The REC has written Personal Data Security rules which apply to all Directors of the club and data processors.
The REC has written a procedure with checklists to ensure that our approved third party suppliers will maintain the security of our members’ personal data.
Document revisions
Revision v.1, 3rd May 2018
Author – Kerry Marsh
Revision history:
v.0 – First draft, 5th April 2018
v.1 – Removed reference to Deep Blue Logic as a third party handling new spares orders. That company does not process members’ contact details but does use the website database to transact orders. Therefore Jon Walker is added to the list of data processors.