General Data Protection Regulation

On 25th May the 1998 Data Protection Act will be replaced by the new EU-wide General Data Protection Regulation (GDPR). The Government has made clear that the changes to British law to implement this will still remain in effect after Brexit, and organisations holding personal information relating to private individuals must comply with them. This affects all societies and clubs, no matter how small, holding information about their members. Failure to comply could result in a fine of up to €20 million, so it is prudent to ensure that the procedures used by the IRS are fully compliant with the new regulations. The aspects of these regulations which affect the IRS, and the actions taken to comply, are:-

1) Members have the right to know what personal information is held about them:. The IRS holds the names and addresses of all its members, and also for many of them an email address. It does NOT retain any payment card information for either customers or members. Card payments through the E-Shop are processed by a licensed service provider (SagePay) which does not pass card numbers to the IRS. Payment slips from the card reader used at Society Sales Stands are stored securely and destroyed when the payment has been verified.

2) The information cannot be passed to a third party without the knowledge and consent of the member: Until March the address labels printed for IRR and Bulletin distribution were produced by a third party organisation who therefore had a copy of the membership list. However, they had already made clear that they did not wish to continue with the production of labels, so from the current (May 2018) distribution the Bulletin Editor will be responsible for printing the mailing labels. This removes the need to pass the member list to any third party.

3) Personal information must be stored securely, making reasonable provision to prevent unauthorised access: As a result of the changes for printing mailing labels the Bulletin Editor will now keep the member list on his computer, in password-protected, encrypted files. The following Society Officers will have access to it: the Chairman, the Secretary, the Treasurer, the Administrator, the Sales Officer, and those involved in Record/Bulletin distribution and Membership renewal (in particular S.C.Robinson, M.Shill and D.Kitching). E-mail addresses are also held within the E-Shop, and are protected by the security arrangements covering the website. 

4) Personal information will only be used for the purposes for which it was provided and will not be retained longer than is necessary: The membership list will only be used for IRR/Bulletin/Notice distribution, and for correspondence relating to annual subscription renewals. The ‘live’ list will only contain those who are currently members or who were members the previous year. There may be older backup copies of the list retained for archive purposes on the Bulletin Editor’s computer, but this would only be made available to answer a legitimate query.

 
These arrangements should be sufficient to make the IRS GDPR compliant, 
but any member who still has concerns is welcome to contact the Society Treasurer:-
treasurer@irsociety.co.uk