What you need to know about new data protection rules

The European Union’s General Data Protection Regulation (GDPR) takes effect 25 May. Because Rotary staff members process the personal data of our European members, Rotaractors, program participants, and others, we’re obligated to comply with this new data privacy law.

We know you trust Rotary to respect your privacy and protect your information, and we take this responsibility seriously. That’s why we’re using this opportunity to reinforce our data privacy and security methods for anyone who shares personal information with Rotary — no matter where they live.

Here is what you need to know about GDPR.

What is the General Data Protection Regulation?

GDPR is a new European Union law that strengthens data protection rules for EU residents. The law applies to all companies that process data within the EU but also to foreign organizations, like Rotary International, that offer goods and services to EU residents. The law takes effect 25 May and replaces the EU’s 1995 Data Protection Directive.

What does Rotary International do to protect personal data?

Long before GDPR, Rotary’s policies took care to protect your information. Rotary’s Website Privacy Policy explains what information we collect, how we collect it, and how we use it. We also strive to give you control over your data so you can decide what personal information to share and review it whenever you want.

The measures we take to safeguard your personal data include using password-protected databases on secure servers behind firewalls and requiring all staff to attend information security awareness training each year.

How has Rotary International prepared for GDPR?

First, we completed a readiness assessment and risk analysis. These helped us understand how the new regulation will affect our processes and what we need to change to comply with GDPR. Our analysis led us to focus on the following areas:

  • Process inventory. We inventoried all of our personal data processing activities in order to comply with GDPR’s Article 30.
  • Lawful basis. We reviewed all data processing to ensure that we have a documented legal basis, or reason, for every process, according to GDPR.
  • Policy and notices. We’re updating our Website Privacy Policy to meet GDPR expectations. And we’re making our notices about how your personal data is used more specific.
  • Records management. We updated our schedules for retaining records that contain personal data to make sure we’re keeping records only as long as necessary.
  • Data breach procedures. We revised our guidelines for responding to a breach in accordance with GDPR expectations for notifying constituents of a breach.

What does GDPR mean for me?

Rotary is applying these new standards globally, not just for our European constituents. So no matter where you live, if Rotary processes your personal data, you will have the following rights:

  • Right to be informed: Rotary will regularly disclose to you what personal data we collect and for what purpose.
  • Right to object: You can tell us if you no longer want your personal data to be processed in a certain way, such as for direct marketing.
  • Right to rectification: You can write us at data@rotary.org to correct errors in your personal data.

Do I need to give Rotary International consent to use my personal data?

In general, no. Under GDPR, consent is just one of six legal bases used to determine that processing someone’s data is lawful. Rotary will generally rely on “legitimate interest” as the lawful basis for processing personal data, because doing so is necessary to effectively manage and operate Rotary and won’t unduly infringe your legal rights. We will ask for your consent only when it’s truly appropriate, for example, when we are processing special categories of personal data, like health information.

My club or district is in the EU. Do I need to do anything?

Yes. If your club or district is in the EU and is processing the personal data of your members or other program participants, you are obligated to follow GDPR requirements. This may mean:

  • Providing notice to your members about how their personal data is used
  • Minimizing the personal data that you have and keeping it secure
  • Getting consent when it’s appropriate (for example, for personal data of youths under the age of 16)

Further information can be found at EUGDPR.org or on one of the many EU country data protection authorities’ websites. You may also want to consult with local privacy experts to better understand your responsibilities under the law.

I’m not in the EU. Do I need to do anything?

Possibly. Even if your club or district is not in the EU, you are required to follow GDPR rules if you process the personal data of EU residents. You may also need to comply with GDPR if you welcome European attendees at events, host exchange students from Europe, or partner with European members on service projects.

What is Rotary doing to help clubs and districts with GDPR?

Before the law takes effect, we have updated Rotary’s Website Privacy Policy with terms that align with GDPR. We will hold a breakout session at the Rotary International Convention in Toronto, where participants can learn more about our compliance efforts. The session, Data Privacy and Data Protection: Rotary’s Compliance with GDPR, takes place on 27 June, 13:00-14:00. And you can write us at privacy@rotary.org with any questions.



#1   Submitted By Ken Horleston on 4-May-2018 05:47 am

One or two of us in Rotary are members of other organisations like Golf clubs, Gun clubs, Freemasons etc. All these organisations have published reams of information on the new Data Protection. We have had templates for Privacy Policies, Membership forms, Forms explaining the privacy a member reads before signing. All these designed for the appropriate organisation. We have received nothing from Rotary; when is such information going to be published, as it is only three weeks away?

#2   Submitted By Sam Sinclair on 8-May-2018 04:30 am

Same question as asked by Ken Horleston, please.

#3   Submitted By Ivan Milman on 8-May-2018 09:31 am

Is there guidance for individual clubs and for Club Runner/Facebook/Twitter?

#4   Submitted By Marion Long on 10-May-2018 03:16 pm

Also the same question asked by Ken Horleston, please. Will there be something published soon?

#5   Submitted By Gerolamo Agulli on 13-May-2018 01:04 pm


#6   Submitted By Gerolamo Agulli on 13-May-2018 01:05 pm


#7   Submitted By Elaine Sefton on 14-May-2018 11:45 am

My Area Presidents are very concerned on what they need to fill in, for each of their club members. How are the members and spouse/partners to respond? Whilst we are not a large organization unlike large corporates we do have to be compliant in all aspects. Current Privacy notices from RIBI are only part of GDPR compliance. When can we expect definitive protocols to avoid non-compliance? Why are we waiting till the 27th June, as this is UK/EC legislation Data protection. It seems irrelevant when clubs are waiting to understand their responsibilities and potential liabilities of managing personal Data for Rotarians by the 25th May 2018 when the regulation becomes law.


#8   Submitted By Tom Harrigan MB... on 16-May-2018 03:04 pm

Having just 'glanced' through the recent RIBI Privacy Notice (29th March 2018) I am a little concerned when reference is made to Data Sharing e.g. "there may be a need for us to share, or give access to, your personal data to third parties that provide us with services or host our applications/software that you may access." However, it goes on to state that RIBI "will ensure that data processing agreements, compliant to GDPR, are in place before sharing with, or giving access to, your data with any of our service/host providers." It then goes on to state "We will only ever share your personal data in other circumstances, if we have your explicit and informed consent at time of collection." In my opinion there are far too many 'variables' e.g. who are these 'third parties' that our data is being shared with and who are these 'services providers'? I would like to know where and to whom my data is being shared! Because we are an International organisation, there is a clause which states - "Rotary International run its operations outside the European Economic Area (EEA). Although they may not be subject to the same data protection laws as organisations based in UK, we i.e. RIBI will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law." It then goes on to state "By submitting your personal information to us you understand your personal data will be transferred, stored and processed at a location outside the EEA." It then directs you to view RI's privacy notice on their website...... It is all very well providing these reassuring statements that processes and policies will be put in place to monitor and protect our data, but what happens in the real world is not as clear cut!

#9   Submitted By Rotary Privacy on 19-May-2018 12:51 pm

We have shared some general guidelines in the responses to frequently asked questions above for how clubs and districts, particularly those in the EU, should prepare for GDPR. Review how you are processing personal data to ensure that it is lawful. Provide notice to your members about how their personal data is used. Minimize the personal data that you have and keep it secure. Get consent when it is appropriate to do so. You may also want to consult with local privacy experts to better understand your responsibilities. As the processing of Rotarian data by clubs can differ significantly depending on the club and where it is located, we have not developed any templates for general use. --Rotary International GDPR project team--

#10   Submitted By Christopher Paino on 20-May-2018 11:07 am

At the foot of this Rotary Weekly section of the articles on Privacy and the EU's General Data Protection Regulations the following paragraphs give rise to some questions about how we should be handling the personal information of any EU based Rotary exchange student hosted by our club, a fact brought into focus by the fact that our incoming student due to arrive 3rd week of July here in Perth, Western Australia is a young man from Italy. We are seeking advice from RI regarding any legal requirement that may apply to Rotary Club of Matilda Bay?

#11   Submitted By Onyebuchi Onuoha on 21-May-2018 06:44 am

It's ok

#12   Submitted By Oscar Venuti on 21-May-2018 11:28 am

I agree