
Data Privacy Compliance

It’s another beautiful day at the club and guess what you just found out? An incident involving the loss of personal information (PI) has occurred. In the last few years companies such as American Golf, Arcis Golf, Billy Casper Golf, Golf 18 Network and many others have shared this very unfortunate experience. Think that a small club is immune? Loss of PI occurs every day and everywhere, regardless of the size or location of an organization.

So why should clubs care? Your club could be the subject of loss of confidence by your members, reputational risk as well as civil and criminal penalties.

Clubs are never going to prevent all types of loss of the PI with which they are entrusted. Whether accidental, malicious or nefarious, loss will occur. The only question is: If civil and criminal suits and charges start to pile on, will your club have a defensible position or not?

There are more than 300 regulatory agencies in the United States that could be involved in a case of a data loss. In addition, the regulators who come knocking at your door are not just the ones down the street but are in every jurisdiction where your members reside. For example, the average club has between 300 and 400 members and the number of legal jurisdictions represented among your members can easily be in the dozens. Welcome to the real world of PI litigation.

So, what are some of the regulations? They include CCPA, COPPA, the Communications Act, FCRA, FERPA, GDPR, GLBA, HIPAA, the NY SHIELD Act, and the laws of all 50 states. Dizzy yet?

There are steps that every club can take to determine whether it is in regulatory compliance. One solution is to utilize an ongoing, online, integrated approach. A critical factor is that the solution offers significant ongoing logging of activities in a manner that is automated and does not require daily intervention. Without significant logs you have no defensible position.

The key areas of PI compliance that every club must be competent in are:

  • Controller/Processor
  • Consent
  • Data Subject Access Requests (DSARs)
  • Regulatory Response
  • Breach Notification
  • Data Flow Mapping (DFM)
  • Privacy Statement

Steps to compliance

  1. Analyze the privacy laws and regulations of the following (remember, you need to be compliant with laws where your data subjects reside, not where your business is located):
    • The state where you do business
    • The states where your members are residents
    • The countries where your members are residents
  2. Maintaining continuous, automated logging of all PI actions in your member, employee and vendor data flows between the club and its third-party relationships is a must in order to provide a defensible position when an event occurs or a regulator examines you.
  3. Provide an adequate Incident Response Plan:
    • Did the club define, in specific terms, what constitutes an “incident”?
    • Does it provide a systematic process for your employees to follow when an incident occurs? Remember all plans must be tested!
  4. Have a plan to handle Data Subject Access Requests (DSARs).
  5. Maintain a security program that covers how your club protects personal information:
    • Who has access to physical and/or electronic assets?
    • Are computer systems protected with anti-virus and anti-malware software?
    • Is the server protected from hacking and intrusion?
    • Are devices password protected?
    • Are physical assets that hold PI locked and secure? These include paper files, printers and FAX machines, among others.
  6. Do you ask for consent on how you collect and/or distribute PI?
    • “Explicit consent” is the gold standard.
    • “Implied consent” is obtained when the individual passively accepts (or declines) privacy terms rather than actively agreeing to them.
  7. Complete and accurate disclosure of your Privacy Policy/Notice:
    • How you gather PI
    • How you use PI
    • How you manage PI
    • How you disclose PI
  8. Members, guests and employees have PI:
    • General contact information
    • Financial information
    • Human resources
    • Medical, health, insurance, sexual orientation
  9. All businesses, including clubs, are held accountable for the actions of their vendors:
    • 21% of all data breaches happen at the vendor level.
    • Vendors are required to protect the data you share with them to the same standards your Privacy Policy states.
    • Controllers MUST validate their vendors’ (processors’) compliance.

Robb Smyth is VP of Product & Operations at CSR Privacy Solutions, which has been helping clubs and businesses be compliant with data and privacy regulations for 20 years. He can be reached at [email protected] or 772-232-7575.
