Sports and Leisure Management (SLM) who trade under the names of Everyone Active, Everyone Health and Everyone Events already adheres strictly to the Data Protection Act. We are now working towards full adherence to the new GDPR which came into force on 25th May 2018.
The General Data Protection Regulation (GDPR) will replace the current Data Protection Act (DPA) governing the processing of personal data. SLM is working hard to ensure that it is fully prepared for these changes when they come into effect and will be documenting the progress along way through our GDPR statement.
A lot of the concepts and principles wil remain the same as those stated in the Data Protection Act but with more emphasis on accountability and how businesses are demonstrating compliance. GDPR still applies to ‘personal data’ but there is a lot more detail included. The details makes it clear that personal data can be something that indicates location such as an IP address.
The GDPR applies to both electronic systems storing and holding personal data and to manual filing systems where personal data is accessible. This is wider than the scope of the Data Protection act and includes chronologically ordered sets of manual records containing personal data.
The GDPR refers sensitive personal data as ‘’special categories’’ of ‘’personal data. These special categories mirror those included in the DPA with some minor changes, they specifically include data used to identify an individual such as genetic and biometric data.
Unlike the DPA, the GDPR applies to both controllers and processors of data. The definitions mostly remain the same with the controller saying how and why data is used and the processor acting on behalf of the controller.
At times SLM act as both the controller and the processor. Where we are the controller we will document who is the processor and where we are the processor we will document who is the controller.
Our software is risk managed through the use of strong passwords that are changed periodically, permission groups and document control such as password and access protecting. Our customers database includes an event log where we can track any changes that have been made to a members account and see who has made the changes. In addition to the control measures, access will be denied by default, unless a specific, valid, business case results in an authorised request for access to specific systems. All of our systems operate on needs only access including both customer and supplier systems which is controlled by a small central team.
All of our employees are required to sign an E-comms policy designed to promote acceptible use. All colleagues will have to completed data protection training and this will be reviewed annually or with any changes to legislation.
David Brougham (Head of IT) has been designated to take responsibility for the management of compliance and security breaches.
In order to achieve full compliance we have
- Set up a steering group of senior managers and specialist consultants under the direction of the Company Directors to oversee our compliance
- A programme of data audits underway to ensure we fully adhere to the new regulations,
- Started to document fully how and why personal and sensitive data is used in the company
- Undertaken a review of policies and procedures and are in the process of amending these to ensure they are compliant
- Reviewed colleague training and are in the process of amending this and rolling out to relevant colleagues
- Reviewed software requirements and are working with those suppliers where amendments are necessary to ensure compliance
Document last updated: May 29th 2018