Data Privacy and Data Protection: Rotary’s Compliance with GDPR Handout
Download as DOCX, PDF0 likes275 views
Rotary International has taken several steps to prepare for the new European Union General Data Protection Regulation (GDPR) which strengthens data protection rules for EU residents and applies to organizations that offer services to EU residents. Rotary conducted a readiness assessment and risk analysis which identified key areas of focus including updating processes and policies around lawful data processing, data breach response, records retention, and providing more transparency around how personal data is used. Rotary is applying these new standards globally and constituents will have new rights under GDPR such as access to their data, rectifying errors, and objecting to certain uses of their data. Clubs and districts located in or serving the EU must also comply with GDPR requirements.
Data Privacy and Data Protection: Rotary’s Compliance with GDPR Handout
- 1. 1 ROTARY AND THE GENERAL DATA PROTECTION REGULATION (GDPR) Whatis GDPR? GDPR is a new European Union law that strengthens data protection rules for EU residents.The law applies to all companies that process data within the EU but also to foreign organizations, like Rotary International, that offer goods and services to EU residents. The law takes effect 25 May and replaces the EU’s 1995 Data Protection Directive. Whatdoes Rotary International do to protect personaldata? Long before GDPR, Rotary’s policies took care to protect your information. Rotary’s Website Privacy Policy explains what information we collect, how we collect it, and how we use it. We also striveto give you control over your data so you can decide what personal information to share,as well as review it whenever you want. The measures we take to safeguardyour personal data includeusing password-protected databases on secure servers behind firewalls and requiring all staffto attend information security awareness training each year. How has Rotary International prepared forGDPR? First, we completed a readiness assessment and risk analysis. These helped us understand how the new regulation would affect ourprocesses and what we needed to change to comply with GDPR. Our analysis led us to focus on these areas: Process inventory. We inventoried all ofour personal data processing activities in order to comply with GDPR’s Article30. Lawful basis. We reviewed all data processing to ensure that we have a documented legal basis, or reason, for every process,according to GDPR. Policy and notices. We’re updating our Website PrivacyPolicy to meet GDPR expectations. And we’re making our notices about how yourpersonal data is used morespecific. Records management. We updated our schedules for retaining records that contain personal data to make sure we’re keeping records only as long as necessary. Data breach procedures.We revised our guidelines for responding to a breach,according to GDPR expectations for notifying constituents ofa breach.
- 2. 2 Whatdoes GDPR mean for me? Rotary is applying thesenew standards globally, not just for our European constituents. So no matter where you live,ifRotary processes your personal data, you will have the following rights: Right to be informed: Rotary will regularly disclose to you what personal data we collectand for what purpose. Right to object: You can tell us ifyou no longer want your personal data to be processed in a certain way, such as for direct marketing. Right to rectification: Y ou can write us at data@rotary.org to correct errors in yourpersonal data. Do I need to give Rotary International consentto use my personaldata? In general, no. Under GDPR, consent is just one ofsix legal bases used to determinethat processing someone’s data is lawful. Rotary will generally rely on “legitimate interest” as the lawful basis for processing personal data, because doing so is necessary to effectively manage and operateRotary and won’t unduly infringe yourlegal rights. We will ask for your consentonly when it’s truly appropriate,for example, when we are processing special categories ofpersonal data, like health information. My club or district is in the EU. Do I need to do anything? Y es. Ifyour clubor districtis in the EU and is processing the personal data ofyour members or other program participants, you areobligated to follow GDPR requirements. This may mean: Providing notice to yourmembers abouthow their personal data is used Minimizing the personal data that you have and keeping it secure Getting consent when it’s appropriate(for example, for personal data ofyouths under the age of16) Further information can be found at EUGDPR.org or on one ofthe many EU country data protection authorities’ websites.Y ou may also want to consult with local privacyexperts to better understand your responsibilities underthe law.
- 3. 3 I’m notin the EU. Do I need to do anything? Possibly.Even ifyour club or district is not in the EU, you are required to follow GDPR rules if you process the personal data ofEU residents. Youmay also need to comply with GDPR if you welcome European attendees at events, hostexchangestudents from Europe, or partnerwith European members on serviceprojects. Whatis Rotary doing to help clubs and districts with GDPR? We have updated Rotary’s Privacy Policy with terms that align with GDPR. And you can writeus at privacy@rotary.org with any questions.