Many organisations may not realise how the GDPR affects them and how they handle data. Sports clubs and associations are typical of the type of organisation that can run into trouble if they are not careful. This article explains what sports clubs need to do to comply with data protection law. It also offers relevant examples of how GDPR applies to sports clubs.
Are Sports Clubs subject to the GDPR?
The GDPR applies in some way to any organisation which collects and processes personal data. This includes all sports clubs and governing bodies, whatever their size or level of funding.
It covers not only the personal data of a club’s members. GDPR also applies to the data of the club’s employees or volunteers. Clubs must ensure that any third parties engaged to process data on the club’s behalf comply it the law. These are referred to under the law as Data Processors.
What is personal data?
‘Personal data’ is any information that allows an individual to be identified or identifiable. Therefore, this includes name, addresses as well as financial details. It also includes identifiers such as an IP address collected when a website is visited.
Equally important is ‘Special Category Data’. This means data about race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sexual life or orientation. However, unless you need this data, we suggest you don’t collect it.
The six principles of the GDPR
- Lawfulness, fairness and transparency:
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
However. there is a seventh principle, and this is within the Data Protection Act of 2018. It is accountability and is a key element of all six principles. By embedding these principles into its daily operations, the club is showing how it is accountable at the board and senior level. Again, this also applies at an operational level so that a club can prove it meets its GDPR compliance obligations.
What does this mean to your club?
Firstly, it is vital that you understand the lawful basis for your data processing. Differing bases exist for this
For example, a sports club’s lawful basis for processing could be for fulfilling membership obligations so fulfilment of a contract is the reasoning for this. To keep members informed about the clubs activities, the reason is legitimate interest. However, if you’re not sure, ask the member to sign a consent form.
For employees, clubs can rely on the need to comply with their legal obligations as the lawful basis for processing employees’ personal data.
We can help you if you are struggling with creating suitable policies and documenting your legal bases on a Data Asset Register.
Access Rights to Data
One of the cornerstones of the GDPR is people having the right to access the data you hold on them. Would you know what to do if you received such a notice (DSAR)? There is a procedure you must follow. Otherwise you might commit a data breach whilst providing data. Learn more about our DSAR service here.
Children’s rights under GDPR
Many sports clubs are exclusively for children or are adult clubs with junior sections. Cluns need to be very careful when children are involved.
Children are generally less aware of the risks involved. If you are relying on consent as the lawful basis, in the UK only children aged 13 or over are able to provide their own consent. Moreover, if they are under this age then parental consent must be recorded. This also includes situations where online services are offered.
Don’t get caught out. Ensure you have a policy and appropriate recording mechanism for children’s data. It is vital that the data within it is kept securely with limited staff access. We can help you with the problem and bring you peace of mind. You can book a free one hour consultation here if you wish to discuss this.
Privacy Notices – there are many different types
The belief that privacy notices will make you GDPR compliant is a common myth. This isn’t true. There are many types of privacy notices. Each notice should be broken down into component parts.
Firstly, each policy will allow an individual to follow a link for more information about the different types of data being collected. Secondly, why it is being collected and the methods of collection used. For instance, data may be collected via a web site as well as on paper. Thirdly and most importantly, how will the data be used and how long it will be retained.
- Employee privacy notice for staff
- Volunteer privacy notice
- Contractor privacy notice if you are bringing in external coaches for example on a contractual basis
Data Protection Impact Assessments
Clubs should get into a routine of carrying out ‘Data Protection Impact Assessments’ (DPIAs).
DPIAs help to determine the most effective way a sports club can comply with the data protection legislation. A DPIA will help to identify and mitigate risks in their data processing activities.
A DPIA should be carried out if childrens’ data is being processed that is high risk. Examples of when a club might carry out a DPIA are:
- The sharing of information with other organisations
- The sharing of safeguarding information
- If there is a large scale or routine set of data being shared for a common purpose. For example, results from competitions, events, and shows.
- If the club is considering a new IT system for instance. The system might hold individuals’ data. Therefore, the processing may significantly affect the individuals.
If you would like our help then information on our DPIA support service can be found here.
Officers, Contracts, breaches and Fines
Data Protection Officer
Appointing a Data Protection Officer (DPO) is not generally necessary, unless you have over 250 employees. A good idea is to have a responsible person to oversee data protection obligations. Alternatively, you can appoint an external DPO, details of which can be found here.
Contractor and contracts
Many clubs have contracts in place with third parties for the supply of goods and services. Some of these contracts may rely on processing personal data of the club’s members and employees. For instance, the provision of PAYE services.
Therefore, these contractors will need to comply with the GDPR. Clauses relating to data protection must be written into any contract between them and your club. Alternatively, a Data Processing Agreement should be used.
A register of third party suppliers, agencies and/or sport sector bodies that receive data should be created. A compliance request should be issued to each of them. This will ask the how they comply with the GDPR.
Polices and Procedures
Having in place the appropriate internal data protection policies will demonstrate compliance to the GDPR. The provision of training to staff and volunteers must also be carried out regularly. Regular audits must be conducted.
Internal policies and procedures are needed for data protection purposes. These will relate to the management, retention and protection of their members’ and employees’ personal data.
Therefore, you should have a set of policies which show how the club will record lawful bases for processing. Polices for the storage and retention of data are also needed. A policy and description on how they keep the data secure is also needed.