In recognition of the serious compliance challenges posed by GDPR, GolfNow has been working hard to not only comply with GDPR requirements itself, but to be in a position to assist its clubs to do so too. We have adopted a multidisciplinary approach combining our legal, technology and operational resources:
Notice and Transparency
Under GDPR, clubs will have an obligation to inform their members of the manner in which each club collects, uses and shares personal data. GolfNow will be offering clubs the functionality to make their website privacy policies available to members through the GolfNow solution. In addition, GolfNow has prepared a template privacy notice, which each club can adapt and present to its golfers to help them understand how the club processes their personal data using GolfNow. Clubs will still need to review and update their website privacy policies to ensure that they meet the GDPR’s increased transparency obligations, and include new information around the recipients of personal data, how long the club keeps personal data, the existence of individual rights like access and deletion, and the right to complain to a regulator. We strongly encourage clubs to seek specialist legal help in relation to their broader website privacy policies.
GDPR-Compliant Contract Terms
Under the GDPR there is a mutual obligation on clubs and GolfNow to ensure contracts contain a number of important mandatory terms around privacy and data protection. GolfNow has updated its standard terms and conditions to include these terms, and the updated terms will be distributed to you over the coming weeks.
Individual Rights
GDPR grants individuals (e.g., club members and visitors) a broad range of rights over their personal data, including the right to access, correct and delete personal data (in certain circumstances). Clubs will need to be able to recognize such requests from golfers and address them within 30 days of receiving them. In recognition of the challenge this creates for clubs, GolfNow has put in place appropriate policies and procedures to ensure it is well placed to assist. We are also developing new technology solutions, which we will be rolling out over the next few months.
Data Storage Limitation
We will start sending regular communications to clubs reminding them to delete or anonymise personal data they no longer need. This will help clubs comply with their obligations around data retention, and also will significantly reduce the risk of personal data loss or misuse (e.g., by a club administrator inadvertently sending personal information to the wrong recipient, or through a malicious hacker attack or theft).
Governance
GolfNow has in place a robust GDPR governance program. Key features include:
- Implementation of a personal data breach management process to ensure that GolfNow is able to respond to security incidents promptly and effectively, including rapid analysis and containment of the incident, providing appropriate notification and assistance to clubs, risk mitigation measures and compliance with any legal obligations that may arise as a result of the incident.
- Development and roll-out of training for all personnel with access to personal data.
- Implementation of more detailed accountability and compliance practices, including audit procedures and processes, to ensure GolfNow’s compliance is monitored and adhered to on an ongoing basis, and to offer further reassurance to clubs.
Data Transfers
European data protection law restricts the transfer of personal data outside Europe to countries whose laws have not been deemed “adequate” by the European Commission. Such transfers can only take place legally if a cross-border data transfer mechanism has been put in place.
GolfNow is part of a larger family of GolfNow companies, some of which are based in the United States and help GolfNow with the provision and management of certain software modules, which your club may have elected to use. We may also at times engage vendors based outside of Europe to help us with the provision of services you have requested. This means that your golfers’ data may be transferred outside of Europe to a “non adequate” country. In order to ensure that your golfers’ data remains protected in the hands of our group companies and vendors, and to allow these transfers to take place legally, we have adopted appropriate cross-border data transfer mechanisms with the recipients. For example, we have entered into the European Commission’s standard contractual clauses for processors with GolfNow in the United States on behalf of our clubs.