Whether you’re a small club or a large non-profit association, you’ve probably heard about GDPR and how it will impact the way we all process information. Here at ClubRunner, we’ve been hard at work ensuring our own operation is GDPR-compliant. And, as a processor of data for over a million individuals, we’re working hard to ensure our platform is set up to help our customers become compliant as well.
 
Disclaimer: Please note that this page is for informational purposes only, and should not be referenced as legal advice. We encourage you to consult with legal counsel to properly understand GDPR and how it may impact your organization.
 

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU Regulation that protects the personal data of individuals in the European Union (EU), whatever their citizenship, and places more responsibilities on the organizations that manage and process personal information. It applies in full from May 25, 2018.
 

Who does it affect?

GDPR applies to any organization or business, regardless of where in the world it is located, that processes the personal data of individuals in the EU (for example by offering them goods or services, or by monitoring their behaviour), and to any organization established in the EU. This means it can apply to any organization in the world, across all sectors, including non-profits and charities.
 

What is considered “personal data”?

Personal data is any information relating to an identified or identifiable individual. So in addition to the more obvious personal data such as names, addresses, emails, birthdays, etc., it also includes information such as IP addresses, behavioural data, location data, financial data, etc. Sensitive personal data, which the GDPR calls “special categories” (for example health information, or data that reveals a person’s racial or ethnic origin), requires even greater protection. You should not store data of this nature within your ClubRunner account.
 

What exactly does “processing data” mean?

Processing is referred to in the GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Essentially, it means collecting, managing, using or storing personal data.
 

What is the importance of “controller” vs. “processor”?

There are different requirements and obligations for these two categories. A controller is the organization that decides which personal data to collect and the purpose and means of processing it. A processor is an organization that processes the data on the controller’s behalf and on its documented instructions. For instance, a club or district is a controller, and ClubRunner is the processor that stores and processes the data the club collects.
 


Key Principles of GDPR

Here are the key principles that are of interest, although this is not an exhaustive list.
 

Transparency

While the 1995 Data Protection Directive already required data to be processed lawfully and fairly, GDPR requires controllers (with their processors supporting them) to tell individuals, in clear and plain language, how and why their data is processed. Privacy policies and terms and conditions can no longer be written in complex language or hidden in hard-to-find places. They must be both easy to access and easy to understand.
 

Legitimate Interests and Lawful Basis

Article 6 of the GDPR lists the lawful bases for processing. One of them, which can be ambiguous in practice, is that processing is lawful when it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party.” This gives a controller a way to justify processing such as managing your membership database without having to collect and manage consent for it. The lawful basis is chosen by the controller; a processor such as ClubRunner acts only on the controller’s instructions. We still recommend updating your membership agreements so that your members explicitly consent to having their data processed. Keep in mind, however, that legitimate interests applies only where the interests, rights and freedoms of the individuals concerned do not override those interests, so you should record the balancing test you carried out.
 
Some processing has a lawful basis other than consent or legitimate interests: issuing tax receipts is typically a legal obligation, and taking online payments for event registrations and other eCommerce activities on your website is necessary to perform a contract with the registrant. So long as the data is not used for any other purpose without consent, you have justification for processing it.
 

Consent

The GDPR requires that consent be “freely given, specific, informed and unambiguous.” Consent is itself one of the Article 6 lawful bases, alongside legitimate interests, contract and legal obligation. A controller must be able to demonstrate that consent was given, and individuals must be able to withdraw it as easily as they gave it. Consent must therefore be carefully tracked and managed, and readily available in the event an individual asks for proof that they consented to their data being processed.
 

What rights do EU individuals have under GDPR?

Individuals in the EU (data subjects) have several rights under GDPR, some of them new. All organizations that process their personal data must be able to accommodate these rights:
 
  • Right to erasure (“right to be forgotten”): An individual may request that an organization delete all data pertaining to them. This must be done without undue delay (in general within one month) and free of charge, unless another legal obligation requires the data to be kept.
  • Right to object: An individual may object to certain uses of their data, such as direct marketing or processing based on legitimate interests.
  • Right to rectification: An individual may request that incomplete data be completed or that incorrect data be corrected.
  • Right of access: An individual has the right to know whether and how their data is being processed, and to receive a copy of it.
  • Right to data portability: An individual may request the personal data they provided in a structured, commonly used and machine-readable format, so that it can be moved to another organization.
 

How will ClubRunner comply with GDPR?

We’ve been busy over the past several months updating various aspects of our platform to help you become GDPR compliant and to fulfil our obligations as data processors. Here’s a snapshot of some of these changes that will affect your users’ experience:
 

Transparency

We’re making it easy for users to become more aware of how their data will be processed, including non-members whose details are stored on your site. One example is the email notification that is automatically sent whenever a new contact is added to your database, informing them that their contact information has been stored, why it was stored, and how they can request that it be reviewed, updated or deleted.
 

Consent

We’re making it mandatory that whenever private information is entered into ClubRunner, the person adding the data either consents to it (when entering their own data) or, when entering data on behalf of someone else, confirms that they have obtained that person’s consent.
 
We’ll be tracking this information so that if your club is ever asked who entered the data or whether it was done with consent, you’ll have a timestamp, IP address and other useful information to back it up.
 
This has been added into all modules of ClubRunner, such as our Events and Volunteers modules, MyEventRunner, and more.
 

Access and Deletion of Records

Part of GDPR compliance is the ability for any individual to ask what data you hold on them (search) and to ask for that information to be corrected, deleted or anonymized. We’ve created a cross-platform search (within your account) by name and email, and a deletion function that anonymizes all personal data in the record. Properly anonymized data no longer relates to an identifiable individual and so is no longer personal data under GDPR; that is why anonymization satisfies an erasure request while letting non-identifying records, such as attendance counts, remain.
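To make the consent audit trail described under “Consent” above and the search-and-anonymize flow in this section concrete, here is an added illustrative model. It is not ClubRunner code: the in-memory store, the field names (entered_by, source_ip, recorded_at, basis) and the rule for what survives anonymization are all assumptions made for this example. It shows three things the text only states: consent metadata is captured as a precondition of storing a record rather than as an afterthought; search skips records that have already been anonymized; and anonymization strips every identifier irreversibly while keeping non-identifying aggregates and the record of who entered the data and when.

```python
"""Illustrative consent audit trail plus anonymize-on-erasure (added example, not ClubRunner code)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import secrets
from typing import Optional


@dataclass
class ConsentRecord:
    """Who entered the data, from where, when, and on what basis (field names are assumed)."""
    entered_by: str            # account name of the person who entered the record
    source_ip: Optional[str]   # IP address seen when the record was entered
    recorded_at: str           # UTC timestamp, ISO 8601
    basis: str                 # "self": subject entered own data; "on_behalf": entrant confirmed consent


@dataclass
class Contact:
    contact_id: str
    name: Optional[str]
    email: Optional[str]
    events_attended: int = 0       # non-identifying statistic the club may keep after anonymization
    consent: Optional[ConsentRecord] = None
    anonymized: bool = False


class ContactStore:
    """In-memory stand-in for a club database (constructed for this example)."""

    def __init__(self) -> None:
        self._contacts: dict[str, Contact] = {}

    def add_contact(self, name: str, email: str, *, entered_by: str, source_ip: str,
                    self_entered: bool = False, consent_confirmed: bool = False) -> Contact:
        # Consent is a precondition for storing personal data, not a flag set afterwards.
        if not (self_entered or consent_confirmed):
            raise ValueError("refusing to store personal data without a recorded consent basis")
        consent = ConsentRecord(
            entered_by=entered_by,
            source_ip=source_ip,
            recorded_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            basis="self" if self_entered else "on_behalf",
        )
        contact = Contact(contact_id=secrets.token_hex(8), name=name,
                          email=email.strip().lower(), consent=consent)
        self._contacts[contact.contact_id] = contact
        return contact

    def record_attendance(self, contact_id: str) -> None:
        self._contacts[contact_id].events_attended += 1

    def search(self, term: str) -> list[Contact]:
        """Lookup by name fragment or exact email; anonymized records cannot be found by identity."""
        t = term.strip().lower()
        return [c for c in self._contacts.values()
                if not c.anonymized and (t in (c.name or "").lower() or t == (c.email or ""))]

    def export_for_subject(self, contact_id: str) -> dict:
        """Machine-readable copy of everything held, for an access or portability request."""
        return asdict(self._contacts[contact_id])

    def anonymize(self, contact_id: str) -> Contact:
        """Erasure request: remove every identifier irreversibly.

        Kept: the non-identifying count and the audit trail of who entered the record and when.
        Dropped: name and email, plus the IP address when the subject entered the data themselves,
        since that IP would still identify the subject. (Retention rule is an assumption.)
        """
        c = self._contacts[contact_id]
        c.name = None
        c.email = None
        if c.consent is not None and c.consent.basis == "self":
            c.consent.source_ip = None
        c.anonymized = True
        return c


def demo() -> dict:
    """End-to-end walk-through on constructed sample data; returns a summary for inspection."""
    store = ContactStore()
    ada = store.add_contact("Ada Lovelace", "Ada@example.org", entered_by="secretary",
                            source_ip="203.0.113.7", consent_confirmed=True)
    store.record_attendance(ada.contact_id)
    try:
        store.add_contact("No Consent", "nc@example.org", entered_by="secretary", source_ip="203.0.113.7")
        rejected = False
    except ValueError:
        rejected = True
    found_before = len(store.search("ada"))
    store.anonymize(ada.contact_id)
    found_after = len(store.search("ada"))
    after = store.export_for_subject(ada.contact_id)
    return {"rejected_without_consent": rejected, "found_before": found_before,
            "found_after": found_after, "name_after": after["name"],
            "events_after": after["events_attended"], "ip_after": after["consent"]["source_ip"]}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the audit metadata after anonymization is that the club can still show when and by whom a record was created, while the record itself can no longer be tied back to a person; whether the entrant’s IP should also be retained is a policy decision for the controller and is only an assumption here.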
 

Privacy Policies

We’ve made it easier to have your organization’s privacy policy linked throughout the website, application, signup pages and emails by creating an account-specific holding page where you can enter your privacy notice. We also track when it was last updated so that your users can see when it has changed.
 
To access and update your privacy policy, any administrator can log in to your site and open this screen from the Admin menu tab. We recommend that you seek legal advice to draft your privacy policy, and that you list ClubRunner as a data processor for your organization.
 

How we are ensuring our own compliance

We’ve engaged GDPR experts in the European Union and have been working with them to ensure our compliance not only for our platform but our own operation.
 
We’re also updating our Privacy Policy and subscription agreements to be more transparent about our processing, how data is shared, and the rights that individuals have with their information.
 
We’ve signed Data Processing Addenda (DPAs) with all of our sub-processors, and made sure that any trusted party we share data with is in compliance with GDPR.
 
We’ve also drafted internal policies and notices outlining all our procedures, including internal security procedures, data breach reporting (GDPR requires a processor to notify the controller of a personal data breach without undue delay, and the controller to notify its supervisory authority within 72 hours of becoming aware of it where required), data retention schedules, and others.
 

Questions regarding ClubRunner's GDPR compliance?

If you have any questions regarding the above information, or to inquire into ClubRunner's compliance, please get in touch with us at:
 
ClubRunner
c/o Privacy Officer
2010 Winston Park Drive, Suite 200
Oakville, Ontario
L6H 5R7  Canada
 
You can also email us at support@clubrunner.ca with your inquiry.
 
 

Learn More

Learn more about how to edit your Privacy Policy
Learn more about the new compliance tools in ClubRunner