ROTARY’S COMPLIANCE WITH GDPR
27 June 2018
INTRODUCTION
Mikael Ahlberg
Treasurer 2017-18
PROGRAM
• WHAT IS GDPR?
• WHAT HAS ROTARY DONE TO COMPLY?
• WHAT DO ROTARIANS NEED TO KNOW?
• Q&A
WHAT IS GDPR?
Maureen Ninneman
Deputy General Counsel
What is GDPR?
GDPR is the most significant global privacy regulation passed in the last 20 years. For more than four years, EU authorities have been working on a complete overhaul of EU data protection rules. The GDPR replaces EU Directive 95/46/EC, which was passed in 1995 when the internet was still in its infancy.
“GDPR” = General Data Protection Regulation
Who does GDPR apply to? All companies that handle personal data of EU data subjects.
When did it go into effect? It was signed into law in mid-May 2016, but companies had two years to comply. Full enforcement began 25 May 2018.
What changed? A LOT! Next pages provide more information.
Whose personal data is protected?
These protections apply to: anyone who is in the EU, any processing of personal data in the EU, and in cases where personal data is collected from EU data subjects.
What organizations are impacted?
Applies to organizations outside of the EU who process “personal data” of people in the EU if the activities are related to:
• Offering goods or services to EU data subjects
• Monitoring EU data subjects’ behavior
All companies that handle personal data of EU data subjects are expected to comply with the new GDPR requirements.
What is personal data?
Personal data
"Personal data" means any information relating to an identified or identifiable natural person ("data subject");
• An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Special categories
“Special categories” of personal data are personal data revealing:
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade-union membership
• data concerning health or sex life and sexual orientation
• genetic data or biometric data
What is notice?
Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’ principles).
Providing notice discloses processing to data subjects. Using clear and plain language keeps data subjects informed and builds trust.
Lawfulness of processing
• Consent
• Contract
• Legal obligation
• Vital interest
• Public interest
• Legitimate interest
Relying on consent as a lawful basis
Consent is not always the most appropriate lawful way to process personal data. But it is one of a few bases available for certain cases, including:
• Processing special categories of personal data
• Processing personal data for children under 16
Definition of consent
• Consent must be freely given, specific, informed, unambiguous
• Ensures consent is not implied, or hidden within contracts or agreements
• Requires explicit definition of processing activities
• Requires data subjects know their rights under GDPR
Data subject rights
• Right to data portability
• Right to erasure
• Right to object
• Right of access
• Right to rectification
• Right to restriction
• Right not to be subject to decisions based on automated processing
Additional operational requirements
• Appointment of a Data Protection Officer (DPO)
• Breach notification
• Privacy Impact Assessments (PIAs)
• Records of processing activities
• International data transfers
WHAT HAS ROTARY DONE TO COMPLY?
Kate Pichon
Manager IT Business Operations
Rotary’s compliance
• Readiness assessment
• Risk analysis
• Remediation
Risk-based approach
• Reduce risk
• Promote a reasonable and practical approach
Focus areas of compliance project
• Process inventory
• Lawful basis
• Policy and notices
• Records management
• Data breach procedures
Key decisions we made
• Data processor/controller
• Records of processing
• Data Protection Officer
• Legitimate interest
• Policy updates
Data processor or data controller
Rotary International is a data controller.
‘controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Records of processing activities
• Data controllers required by Article 30 to maintain records of processing activities
• Requirement does not apply for enterprises or organizations with 250 or fewer employees
Data Protection Officer (DPO)
Data Privacy and Security Committee will take on data protection tasks.
Legitimate interest as lawful basis
• Only using consent when required by regulation.
• Documenting Legitimate Interest Assessment (LIA)
Updates to policy
• No longer allowing children under 16 to create website accounts
• Adding Data Processing Addendum to third-party agreements
• Updating record retention schedules
WHAT DO ROTARIANS NEED TO KNOW?
Maureen Ninneman
Deputy General Counsel
For clubs & districts in EU
• Provide notice
• Minimize and secure data
• Get consent when appropriate
• Consult local privacy experts
For clubs & districts outside EU
Consider your obligations if you:
• Welcome European members at events
• Host exchange students from Europe
• Partner with European members on service projects
For everyone
• Right to be informed
• Right to object
• Right to rectification
We know you trust Rotary to respect your privacy and protect your information, and we take this responsibility seriously.
Questions?
privacy@rotary.org
This presentation and others from throughout the convention are available through the convention mobile app and on SlideShare at www.SlideShare.net/Rotary_International.
Rate this session in the Rotary Events app, available in your Apple or Android app store.

Data Privacy and Data Protection: Rotary’s Compliance with GDPR