A Sports Club’s Guide to GDPR Compliance

GDPR Compliance

In April 2016, the European Union adopted the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). It applies from 25 May 2018. This law doesn’t only cover businesses, but sports clubs too, since clubs regularly handle personal data of their members.

Here is a guide to GDPR compliance and how it will impact the way your sports club needs to handle data:

How Your Sports Club’s Members Will Benefit from the GDPR

The GDPR replaces the patchwork of national data protection laws with a single regulation that applies directly in every EU member state. Its beneficiary is the ‘data subject’ (your members): every organisation that holds personal data, including a sports club, must manage and secure that data to the same standard, and a club that does so is also far less likely to suffer a data breach.

Download our free club's guide to GDPR Risks and Mitigation here!

What Does the GDPR Require of Sports Club Administrations?

Starting from 25 May 2018, your club must have robust processes and policies in place to manage your members’ personal data.  If you haven’t started planning for this date, now’s the time to start: a club that fails to follow the regulation can be fined up to €20 million or four percent of its annual worldwide turnover for the preceding financial year, whichever is higher (a lower tier of up to €10 million or two percent applies to less serious infringements).

As a Sports Club, you must ensure the personal data you hold about your members is:

  • protected by appropriate technical and organisational security measures
  • viewed only by those who really need to view it
  • limited to what is needed for the purpose it was collected for
  • accurate
  • up to date
  • kept only for as long as it is needed
  • deleted / destroyed once that period has passed
  • available to the member it relates to on request (a subject access request)
  • not shared with 3rd Parties unnecessarily
  • easily amended if incorrect

The Club acknowledges that:

  • the committee is aware that Data Protection legislation applies to the Club
  • the website informs people of how their data will be used
  • all officials, staff and members understand how to handle personal data
  • Club officials have given permission for their names and contact details to be made publicly available
  • there is a process to follow if any Personal Data is lost or stolen
  • changes within the Club that affect the use of Personal Data are communicated
  • members understand that broadcast emails can present a security risk: an email with every member in the To or Cc field discloses the whole membership list to each recipient
  • Personal Data will only be used for Club purposes
  • failure to comply with the Data Protection legislation can mean substantial fines as well as reputational damage
  • if a breach occurs that is likely to put members at risk, the Club must notify its national supervisory authority within 72 hours of becoming aware of it. For UK clubs, the proper authority is the Information Commissioner’s Office (ICO).
  • a club that fails to follow these regulations can be fined up to €20 million or four percent of its annual worldwide turnover, whichever is higher.

Potential Members Will Look at Your Ability to Protect Their Data

With the EU’s attention laser-focused on better data protection, potential members will look at your Sports Club’s data governance policies and practices with more scrutiny. Don’t risk your club’s reputation with shoddy, outdated data governance. Your competitors, too, will be quick to take advantage of your failure to bring your club up to current best practices. Update and keep your members’ trust.

How Will Brexit Impact These Regulations?

Since the UK’s legal separation from the EU will not occur until 2019, the regulation applies in full to UK clubs until that date. It would be a grave error, however, for UK clubs to slack off on tightening their data protection policies on the assumption that the rules will lapse: the UK government has committed to carrying the GDPR’s requirements into domestic law through the Data Protection Bill, so they will continue to apply after exit. If anything, UK clubs should go beyond the minimum to provide the finest data protection for their members.

How to Shore Up Your Club’s Data Protection

Designate, inform, train: Make it the role of a member of the committee to become your GDPR expert.  Perhaps that’s your safeguarding officer, maybe someone else.  (A formally appointed Data Protection Officer is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special category data, so most clubs simply need a named lead.)  That person should inform and train all people within the club on how to manage data to ensure GDPR compliance runs from top to bottom.

Review policies and procedures: Look over your data protection policies, including privacy notices, and the language you use on documents to make sure they are at least compliant with the GDPR, if not stricter. You’ll also need to review your contracts with anyone who processes data on your behalf (your membership system, payment provider or mailing service) to make sure they include the data processing terms the new rules require.

Assess and document your current data and data requirements: Look at the points at which your club collects personal data, what types of data it collects, and from which types of people—vendors, members, or officials. Document all your data processing, including the legal basis for using the data. You’ll also need to check whether any inaccurate or out of date data has been shared with other organisations, since you must tell them to correct it.

Review consent policies and procedures: Look at your current procedures for obtaining consent from members and others. How does your club document that consent? Under the GDPR, consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action (no pre-ticked boxes), and as easy to withdraw as it was to give. If your procedures and policies aren’t at least as stringent as this, you need to revamp them to become compliant.

Review data breach procedures: The new rules require you to notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals, and to tell the affected members without undue delay where that risk is high, so you need to examine your procedures closely to make sure they comply. Detection procedures, reporting procedures, and investigation procedures should all come under tight scrutiny, and every breach should be recorded in a breach log whether or not it met the threshold for reporting.

Assess any international contacts: If your club deals with data flows that cross borders, for example a touring side or a cloud service hosted outside the EU, you’ll need to take a good look at what protections you have for international data transfers. Personal data may only leave the EEA to a country the European Commission has found to offer adequate protection, or under appropriate safeguards such as standard contractual clauses. Deal with this issue early to give your club time to research the new rules and adapt your policies to the changes.

Assess your policies regarding children’s data: If your club works with children, you need to scrutinise your current policies to make sure they are up to the GDPR’s exacting standards, designed to protect the data of the most vulnerable among us. Where you rely on consent to offer online services directly to a child, the GDPR requires the consent of a parent or guardian for children under 16; member states may lower that threshold to 13, and the UK has chosen to do so. Privacy notices aimed at children must also be written in language a child can understand. Look at the new policies to make sure that your organisation takes children’s data protection seriously.

GDPR Checklist

Don’t risk huge fines and loss of reputation that could devastate your club. Use this checklist to make sure your club is ready for GDPR compliance:

  • Legacy data – do you know where all your information is right now?  For example, think of spreadsheets still held by past officials.
  • Security / Confidentiality – Do you know with whom your information is shared?
  • Retention – Do you know how long you are entitled to store your members’ information, and is that period written down?
  • Inform – When people register for the club, are you making them aware of your privacy policy?
  • Security / Confidentiality – Do you send personal information via email, and if so, is it protected?
  • Access – Are members able to keep their information up-to-date easily?
  • Security – Do you back up your members’ information, and have you tested a restore?
  • Security – Is your members’ information encrypted, both where it is stored and when it is sent?
  • When sending group emails, do you always use Bcc, so that no recipient sees the other addresses?
  • Does the club remove all personal data when members leave the club, including copies held by officials?
  • Do you have a policy for notifying the ICO and affected members of a data breach?
  • Are paper forms always stored in a secure place?

How PaySubsOnline Can Help Your Sports Club

Having a reliable online admin system has a wealth of benefits, especially when it comes to data protection and GDPR.  It keeps all the information about your members in one secure place so, at any one time, you know where your data is and who has access to it.

Working example: When you’re using PaySubsOnline and a member leaves the club, their data isn’t sitting in multiple spreadsheets on different computers or in the email sent folders of club officials.  You simply delete that record, and the information relating to that member, including any personal data in emails sent through the system, is deleted too, satisfying one of the six key principles of GDPR: ‘Storage Limitation’.  (Any copies officials have exported or forwarded outside the system still need to be found and removed.)

That’s just one example of how our service can help your club.  To further help you, we’ve put together a list of common club admin tasks that may fall short of the six guiding principles of GDPR (General Data Protection Regulation) compliance. These principles are:

1. Lawfulness, Fairness & Transparency
2. Purpose Limitation
3. Data Minimisation
4. Accuracy
5. Storage Limitation
6. Integrity & Confidentiality

Though not all tasks may apply to your club, the likelihood is that many will, and this document is designed to help you identify problem areas and how PaySubsOnline can help your club become GDPR compliant. Download your free copy now!