With only 10 days to go until The General Data Protection Regulation (GDPR) comes into force there appears to be much confusion about what is involved and there are many dangerous myths, writes Matthew Orwin of Promote Training
According to a recent article in The Golf Business, 70% of hospitality and leisure companies are unaware of the new fines imposed under the General Data Protection Regulation (GDPR). What’s more, 22% stated that they would go out of business if they were to receive the maximum punishment, this being 4% of turnover or €20 million, whichever is greater. At present, there is a significant focus on the financial penalties that a business could incur should they have a data protection breach.
GDPR, what is it?
The General Data Protection Regulation (GDPR) will come into force on 25th May 2018. The legislation will impact on any golf and leisure business that is either based in, or do business in, the EU. Citizens will have great individual rights and controls, including rights to access, correction and deletion of personal data.
Do you know what personal data your golf business collects?
One very early myth to bust is the belief that the GDPR does not apply to your golf club. If you collect, store and move personal information on members (including children), employees, patrons or suppliers in membership database(s), booking management systems, HR database(s) and paper; finance and accounting systems; health records (on employees and members), marketing systems (Customer Relationship Management system) and CCTV or other digital imagery, the regulation applies to you.
Who should be involved?
As you will have gathered already, implementing GDPR compliance cannot simply be the responsibility of IT or HR, it needs to be an organisational approach, one that has the full support of the management team, golf club committee and all levels of Directorship.
Where should I start?
A good first step is to complete the Information Commissioner’s Office online GDPR self-assessment (https://ico.org.uk/for-organisations/data-protection-reform/getting-ready-for-the-gdpr/ ). This will provide you a clear overview of what tasks you need to complete before 25th May 2018.
What other steps should I consider?
- Conduct a Data Protection audit to determine what personal data is held by your organisation and identify where it is located, justify your reason for holding it, how long you hold it for and how you would permanently delete the record.
- Raising awareness across the business and training your staff should be high up on your list of priorities. Consider engaging expert help and then start to develop processes and procedures which will ensure that your business is managing and protecting personal data according to the requirements of the regulation.
But should I quickly get my current customers to “opt-in” again so I’m compliant?
STOP!
There certainly is a lot of ‘hype’ surrounding GDPR and lots of advice coming from many different sources. What this appears to have created is almost a panic amongst some golf clubs – mostly surrounding their current database of customers and prospects. Group emails are flying out in an attempt to gain “consent” to communicate using this medium by asking customers to “opt-in”.
One club recently went through this very process and reduced their database by 99% – yes, only 1% of customers re-confirmed their consent to be sent emails from the club. However, it’s highly unlikely that 99% of customers were simply not interested in the club any more. It’s more likely that a high percentage just didn’t respond and that could be for any number of reasons, nothing to do with their desire to cease communications with the club via email.
Hopefully, seeking “Consent” in this way doesn’t amount to commercial suicide for some clubs – because in many cases it may not be necessary. The new legislation offers potential alternatives, including a legal basis for continuing to email customers called “Legitimate Interests”. The legislation goes further to even highlight some examples of what this may be, and Direct Marketing is listed.
If you would like to learn more about GDPR or want to train your staff on their responsibilities to the new legislation, Promote Training, in partnership with data-specialists Databasix, has launched two new courses that will help achieve this.
Read more on their website:
GDPR in Golf – https://www.promotetraining.co.uk/gdpr-in-golf/
GDPR for Staff – https://www.promotetraining.co.uk/gdpr-for-staff/
Promote Training are also offering Golf Business News readers a limited-time-only offer of 20% off these two GDPR courses. Use the coupon code “GBN1” during the online checkout. (Offer expires 31st May 2018)