Rotary International has taken several steps to prepare for the new European Union General Data Protection Regulation (GDPR) which strengthens data protection rules for EU residents and applies to organizations that offer services to EU residents. Rotary conducted a readiness assessment and risk analysis which identified key areas of focus including updating processes and policies around lawful data processing, data breach response, records retention, and providing more transparency around how personal data is used. Rotary is applying these new standards globally and constituents will have new rights under GDPR such as access to their data, rectifying errors, and objecting to certain uses of their data. Clubs and districts located in or serving the EU must also comply with GDPR requirements.
Data Privacy and Data Protection: Rotary’s Compliance with GDPR Handout
ROTARY AND THE GENERAL DATA PROTECTION REGULATION (GDPR)
What is GDPR?
GDPR is a new European Union law that strengthens data protection rules for EU residents. The law applies to all companies that process data within the EU but also to foreign organizations, like Rotary International, that offer goods and services to EU residents. The law takes effect 25 May and replaces the EU’s 1995 Data Protection Directive.
What does Rotary International do to protect personal data?
Long before GDPR, Rotary’s policies took care to protect your information. Rotary’s Website Privacy Policy explains what information we collect, how we collect it, and how we use it. We also strive to give you control over your data so you can decide what personal information to share, as well as review it whenever you want.
The measures we take to safeguard your personal data include using password-protected databases on secure servers behind firewalls and requiring all staff to attend information security awareness training each year.
How has Rotary International prepared for GDPR?
First, we completed a readiness assessment and risk analysis. These helped us understand how the new regulation would affect our processes and what we needed to change to comply with GDPR. Our analysis led us to focus on these areas:
Process inventory. We inventoried all of our personal data processing activities in order to comply with GDPR’s Article 30.
Lawful basis. We reviewed all data processing to ensure that we have a documented legal basis, or reason, for every process, according to GDPR.
Policy and notices. We’re updating our Website Privacy Policy to meet GDPR expectations. And we’re making our notices about how your personal data is used more specific.
Records management. We updated our schedules for retaining records that contain personal data to make sure we’re keeping records only as long as necessary.
Data breach procedures. We revised our guidelines for responding to a breach, according to GDPR expectations for notifying constituents of a breach.
What does GDPR mean for me?
Rotary is applying these new standards globally, not just for our European constituents. So no matter where you live, if Rotary processes your personal data, you will have the following rights:
Right to be informed: Rotary will regularly disclose to you what personal data we collect and for what purpose.
Right to object: You can tell us if you no longer want your personal data to be processed in a certain way, such as for direct marketing.
Right to rectification: You can write us at data@rotary.org to correct errors in your personal data.
Do I need to give Rotary International consent to use my personal data?
In general, no. Under GDPR, consent is just one of six legal bases used to determine that processing someone’s data is lawful. Rotary will generally rely on “legitimate interest” as the lawful basis for processing personal data, because doing so is necessary to effectively manage and operate Rotary and won’t unduly infringe your legal rights.
We will ask for your consent only when it’s truly appropriate, for example, when we are processing special categories of personal data, like health information.
My club or district is in the EU. Do I need to do anything?
Yes. If your club or district is in the EU and is processing the personal data of your members or other program participants, you are obligated to follow GDPR requirements. This may mean:
Providing notice to your members about how their personal data is used
Minimizing the personal data that you have and keeping it secure
Getting consent when it’s appropriate (for example, for personal data of youths under the age of 16)
Further information can be found at EUGDPR.org or on one of the many EU country data protection authorities’ websites. You may also want to consult with local privacy experts to better understand your responsibilities under the law.
I’m not in the EU. Do I need to do anything?
Possibly. Even if your club or district is not in the EU, you are required to follow GDPR rules if you process the personal data of EU residents. You may also need to comply with GDPR if you welcome European attendees at events, host exchange students from Europe, or partner with European members on service projects.
What is Rotary doing to help clubs and districts with GDPR?
We have updated Rotary’s Privacy Policy with terms that align with GDPR. And you can write us at privacy@rotary.org with any questions.