In April 2016, the European Union adopted the General Data Protection Regulation (GDPR). It applies from 25 May 2018. This law doesn’t only cover businesses, but sports clubs too, since clubs regularly handle the personal data of their members (names, addresses, dates of birth, medical information, photographs and payment details).
Here is a guide to GDPR compliance and how it will change the way your sports club needs to handle data:
How Your Sports Club’s Members Will Benefit from the GDPR
The GDPR replaces the separate national data protection laws of the EU member states with a single set of rules, so a club holds the same obligations wherever in the EU it operates. The new regulations are designed to ultimately benefit the ‘data subject’ (your members) through improved data management and security: members gain clearer rights to see, correct and erase the data held about them, and clubs are required to protect that data from loss, theft and misuse.
What Does the GDPR Require of Sports Club Administrations?
Starting from 25 May 2018, your club must have robust processes and policies in place to manage your members’ personal data. If you haven’t started planning for this date, now’s the time to start, because if your club fails to follow these regulations it can be fined up to €20 million or four percent of its worldwide annual turnover for the previous financial year, whichever is higher.
As a Sports Club, you must ensure the personal data you hold about your members is:
- kept secure, with both technical measures (access controls, encryption of laptops and backups) and organisational measures (who may handle it, and how)
- viewed only by those who genuinely need to view it in their Club role
- limited to what is needed for the purpose it was collected for
- accurate and kept up to date
- kept only for as long as it is needed
- deleted or securely destroyed once that period has passed
- made available to the member it concerns on request (a subject access request)
- not shared with third parties unless there is a clear need and a lawful basis for doing so
- easily corrected if it is found to be inaccurate
The Club acknowledges that:
- the committee is aware that Data Protection legislation applies to the Club
- the website informs people how their data will be used (a privacy notice)
- all officials, staff and members understand how to handle personal data
- Club officials have given permission for their names and contact details to be made publicly available
- there is a documented process to follow if any Personal Data is lost, stolen or accidentally disclosed
- changes within the Club that affect the use of Personal Data are communicated to those affected
- members understand that broadcast emails can present a security risk: sending a message with every recipient in the To or CC field discloses each member’s email address to all the others, so group mailings should use BCC or a mailing-list tool
- Personal Data will only be used for Club purposes
- failure to comply with the Data Protection legislation can mean fines of up to €20 million or four percent of the Club’s worldwide annual turnover, whichever is higher, as well as reputational damage
- if a personal data breach occurs, the Club must notify its national supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected. For clubs in the UK, the supervisory authority is the Information Commissioner’s Office (ICO). Where the breach is likely to result in a high risk to members, the members themselves must also be informed.