The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) replaced the Data Protection Act. The following is a guide to help clubs comply, along with the CMAA policy.
GUIDANCE FOR CMAA MEMBER CLUBS
Documents and records for ex-members should be kept for no longer than 3 years from the date of leaving; this is for insurance reasons. All documents and data must be kept securely. Clubs should appoint a Data Controller who will be responsible for all data and for ensuring it is kept securely. This is usually the club owner/senior instructor.
All members should be made aware of your procedures regarding their data. There is a statement at the bottom of the CMAA membership form which explains this as well as their rights, so please ensure you are using an up-to-date version.
If for any reason you share data with a 3rd party, such as a billing company, you must ensure that they too comply fully with the GDPR.
Test the security of all data files that you currently use and put in place a procedure for increasing security as and when required, for example password-protecting data files and adding locks to filing cabinets.
Under the GDPR members have the right to be forgotten. This means that if they request it you must delete/destroy/remove all traces of them from your databases and files. You should ensure you have a process in place to do this, that it can be carried out swiftly, and that it can be evidenced.
Plan to review/audit your procedures every 12 months so as to ensure that old data is removed and compliance is being upheld.
The following explains how data is stored by the Cobra Martial Arts Association (CMAA).
The CMAA data controller is Andrew Morrell.
Only the following information is stored relating to students: name, date of birth, martial arts grade and medical conditions/injuries. The data is secured by way of password-protected computer files.
Should a student's CMAA membership not be renewed, their records will be automatically deleted after a period of 3 years from the date of expiry unless immediate deletion is requested. In the case of under 18s, the membership number and date of birth will be retained until the age of 21 has passed. This is for insurance purposes should a future claim arise. Membership forms sent to the CMAA are destroyed by way of cross-shredding once the required details have been taken.
Student address, bank details etc. are for club level use only and are not required by the CMAA.
In addition to the data stored for students, the home address is stored for club owners/instructors. Instructor training records (if applicable) are also stored. The data is secured by way of password-protected computer files. Should an instructor's CMAA membership not be renewed, their records will be automatically deleted after a period of 3 years from the date of expiry unless immediate deletion is requested.
Disclosure and Barring Service records are stored by way of password-protected computer files and automatically deleted after 5 years unless renewed.
Access to Records.
Only authorised personnel have access to the above data; a log is kept relating to these.
No data is shared with 3rd parties.
Data records are audited every June and unrequired data is deleted as per the above.