If you’re involved with running an amateur radio club in the UK, you’re probably aware that there’s a deadline fast approaching… The 25th of May 2018 is the date for compliance with the new GDPR legislation.
As there’s surprisingly little out there in the form of help and advice for clubs, I thought I’d put up this page to summarise my understanding, and to get some thoughts from other clubs looking to become compliant by the 25th of May. This page will be updated based on feedback and suggestions in our new GDPR discussion group.
Disclaimer – I’m no lawyer. This is my personal take, based on reviews of material discovered online, and information received at a GDPR workshop I attended in April. Please make your own decisions!
Pete M0PSX
What is GDPR?
This stands for General Data Protection Regulation, and is a “beefing-up” of the UK’s Data Protection Act 1998. It relates to collecting, storing, protecting, using and sharing personal data, and has a much wider scope (and tougher penalties) than the old Data Protection Act.
Does GDPR apply to amateur radio clubs?
From my understanding, “yes”. Amateur radio clubs that hold personal data need to be compliant by the 25th of May. GDPR applies to everyone (individuals, groups, companies) who is “processing personal data”, unless the information is for household/personal use only.
There is a misconception that “not-for-profit groups” are exempt from GDPR, but that is actually about the need for groups to register with the ICO (which is a different thing). Exemptions from registering with the ICO do include certain not-for-profit groups. There is an online self-assessment test, and when we ran it, Essex Ham was exempt from formal registration (see ICO Registration Self-Assessment).
My take is that whilst most UK amateur radio clubs may be exempt from registration with the ICO, they are still obliged to comply with GDPR.
What club data do we need to worry about?
The definition of Personal Data is “data from which a living individual can be identified or identifiable (by anyone), whether directly or indirectly, by all means reasonably likely to be used.”
From an amateur radio club position, this could reasonably include:
- Club membership lists (current data, backups, old versions)
- Lists of training / exam candidates
- Newsletter / Mailing lists
- Contact / distribution lists
- Website content (names in articles, lists of members)
- Website feedback / forum comments
- Club email archives
- Club minutes
- Social media
Potentially, the following too, as they contain personal information:
- Paper & electronic Club logbooks (Name, QTH, Callsign)
- Paper & electronic QSL cards (Name, QTH, Callsign)
What do clubs need to do?
The first step appears to be to audit the data that you hold. What information does your club hold? Do you need it? Who can access it? Is it stored securely? Was consent given? Do you still have a valid reason to keep it?
Once you know what data you hold, here is a list of some of the issues that your club probably needs to consider:
- Have a named person responsible for the data protection policy
- Make sure all data (and backups) are technically secure / encrypted / protected
- Make sure those with access to the data know the rules
- Have a mechanism for members / visitors to get access to data you hold on them, as well as to get the data changed or deleted
- Ensure that all data is held with consent (and get consent again if necessary)
- Provide a method for a person to withdraw consent
- Provide a mechanism for removal of data
- Publish a visible, clear and transparent privacy policy
- Regularly review the data that you hold (removing unnecessary data)
- Address the special issues around consent and children
- Have a policy for communicating data breaches / loss of data to affected parties
- Regularly review data protection policies
What happens if our club is not compliant?
Potentially, fines. Whether the authorities would go after small hobby clubs is yet to be seen!
GDPR – What next?
The RSGB has released a statement, pointing to various online guides and resources. The statement makes it clear that the RSGB can’t help with specific advice, as each club is different. See the RSGB GDPR Statement.
We’ve set up an email group to discuss UK GDPR and how it affects amateur radio clubs. If you’re involved in running a club and care about GDPR… feel free to sign up and share a few thoughts and tips…
Food for thought?
Which of the following contain personal data (name, callsign, etc.), and therefore may be a GDPR concern?
- APRS – Sites and gateways holding callsign & location data
- QRZ.com (and others) – Although QRZ.com is based in the US, GDPR applies to all companies that process the personal data of people residing in the European Union
- QSL cards – Data-sharing through “3rd party” bureaus
- Radcom – lists of callsigns in each issue, and club reports containing callsigns
- Callbooks & electronic callsign lookup databases. Can you opt-out?
- D-Star and DMR repeaters that log traffic (and share online)
Ham Radio GDPR Discussion Group
To subscribe, send an email to GDPR+subscribe@hamclubs.groups.io, or go to hamclubs.groups.io/g/GDPR
The group is hosted on groups.io – see the Groups.io Privacy Policy.
Essex Ham & GDPR
What is Essex Ham doing for GDPR? This impacts our membership database, mailing lists and online training. We’ve already completed a data audit and implemented some changes around consent. Expect a few more changes in the run-up to the 25th of May.
Any thoughts or comments? Please add them below, or in our GDPR group.
What about data in the callbook?