GENERAL DATA PROTECTION REGULATIONS AND PROBUS CLUBS 

If your club collects and stores personal data on members, which means information that can  identify them, you will need to comply with the new General Data Protection Regulations  (commonly known as GDPR) which come into force on May 25th, replacing the current Data  Protection Act. 

Following enquiries from several clubs, I have delved into the requirements of the GDPR as they affect clubs and societies, and indeed Probus magazine, because, of necessity, I store electronically the details of those who receive the magazine or who register to use the website.

GDPR may seem onerous and heavy-handed for social clubs, but I’ve no doubt it is designed  to help put a stop to unscrupulous companies selling on customers’ details to others so we all  then get plagued with junk mail, spam and telephone calls asking us about an accident we’ve  never had or debts we don’t have. I have found it is very simple for clubs such as Probus. 

Even if we feel it is unnecessary there is a general accountability obligation to demonstrate  compliance with the data protection principles, the absolute basic requirement being a lawful  reason to collect personal data. 

THE LAW 

You can collect and process personal data if: 

  • You have the consent of the data subject. 
  • It is in the legitimate interests of the data controller (eg club secretary). 
  • It is necessary for the performance of the contract with the data subject (ie you need to send members details of meetings, events etc as part of their membership). 

So – what do you need to do to comply with the GDPR after May 25th? 

To begin with you do NOT have to register with the Information Commissioner’s Office (ICO), although you may if you wish. Whether or not you register, this is the body to whom people can complain if they think you are mishandling their personal details, at which point you may need to demonstrate how and why you store and process personal data. 

PERSONAL DATA is defined as: 

“Any information relating to an identified or identifiable natural person (referred to as the Data Subject). A person is identifiable if they “can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors, specifically the physical, physiological, genetic, mental, economic, cultural or social identity of that actual person”. 

Information you gather on membership application forms, such as names, dates of birth, addresses, telephone numbers and email addresses is all personal data. So too is the information you collect about visitors, and it can include references to people in emails. This data can only be processed lawfully, fairly and transparently. 

PROCESSING is defined as: 

“Any operation or set of operations which is performed on personal data or on sets of  personal data, whether or not by automated means, such as collection, recording,  organisation, structuring, storage, adaption or alteration, retrieval, consultation, use,  disclosure by transmission, determination or otherwise making available, alignment or  combination, restriction, erasure or destruction”. 

So keeping a list of club members and their contact details whether in a book or on a computer is processing. You must assume that any use you make, or wish to make, of the personal data, as well as your collection, storage and destruction of it, will be governed by the GDPR. 

If you already comply with the Data Protection Act, you are likely to be well on the way to  complying with the GDPR, but you should establish whether your current policies and  procedures are suitable to comply with the GDPR and, if they are not, you should alter  them. 

CONDUCT A REVIEW 

The most obvious starting point is a review to assess: 

  • What personal data you hold. 
  • Whether you really need it. 
  • Where it came from and the basis on which it was collected. 
  • What you do with it and what you are planning to do with it. 
  • Where and how you store it. 

AND YOU SHOULD DOCUMENT THIS

It is most likely that you obtained the consent of each individual when you collected their data; after all, they probably filled in an application form for membership. If so you should have told them at the time what you would use this information for. This, for example, would be to allow you to communicate with them as part of their membership. It is very important that the data is only used for the purposes that were made clear at the time it was collected. It would NOT include publishing their details in a membership directory – a separate consent would be needed for that if it were not specified on the membership application form. 

If you do not have consent to use their data for all the purposes you subsequently intend  then you will have to collect it again with the appropriate consent request. And it needs to be explicit consent so they must “opt in” by ticking a box or providing a  signature indicating they have read why this data is being collected, what it will be used  for and how it will be stored, plus that they can have it removed within xx days (you  decide what is practical) on request. 

CLUB DATA PROTECTION POLICY 

The strict obligations on maintaining records specified in the GDPR are unlikely to apply  to Probus clubs but a prudent approach would be to formulate a club data protection  policy which records: 

  • The purposes of the processing. 
  • The categories of data subject (members/honorary members/widows/widowers of  members etc) and categories of personal data relating to them (names, addresses,  telephone numbers, email addresses, date of birth etc). 
  • The recipients/categories of recipients of the data (club officers/fellow members). 
  • Any transfer of data, for example to a holiday company if the club were organising a group trip. 
  • A general indication of time limits for erasure – for example of members who do not  renew – and how it will be destroyed. 
  • A description of any security you use. 

This information needs to be identified in any case to decide what steps you need to take  (if any) to comply with the GDPR. 

Whilst it’s not essential, it might be a good idea to give the role of data protection officer  to someone in the club to ensure your policy and procedures are adhered to.

IN A NUTSHELL 

I recommend that on your membership application/renewal forms you include  paragraphs (obviously appropriate to how you store and use your members’ personal  data) along the lines of: 

‘The information you have provided on this form will be used by the club for purposes only in connection with the running of the club, which includes communicating by post, telephone and email. It will never be disclosed for marketing purposes. 

The data is stored on a memory stick/computer and/or in a ledger and may be provided to committee members and other members by email or telephone when it is needed to facilitate the running of the club and provide the benefits of membership to you. 

The committee intends to produce a directory of members, available only to members, in which this information will be published. 

Your details can be removed from our stored records within 28 days of a written request  to the address on this form, but not from a published club directory. 

You have a right to complain to the ICO if you believe there is a problem with the club’s  handling of your data.  

Please print and sign your name below to indicate that you have read and accept these  terms.’ 

And, if you allow people to pay their membership by direct debit, the part of your form  asking for their bank details should be stored separately from their personal details. 

PRACTICALITIES for club secretaries/membership secretaries 

  • Only collect the information you really need and be clear on the application form  what you will use it for. 
  • Store the forms securely and consider who needs to see them and how long they  will be kept (bearing in mind you may need to be able to show they consented  before they next renew). 
  • If you ask for bank details, separate the financial information from the rest of the form and store it separately (eg give it to the treasurer to store securely). 
  • Make sure you keep membership information up to date. Ask members to check their information at renewal and provide an easy way for them to update it. Destroy their previous forms. 
  • Store information about former members separately, destroy any financial  information and consider if and why you need to retain it. If you do retain it, record  the reasons why and for how long it will be retained. 
  • Destroy information about former members in line with the time period you  decided. 
  • You must provide your identity and contact details on the form – this will likely be  your letterhead. 

For more detailed information about the GDPR as it affects organisations, visit  https://ico.org.uk/for-organisations
