In April 2017, the European Union passed the General Data Protection Regulation (GDPR). It will take effect in 2018. The law covers not only businesses but sports clubs as well, since clubs, too, handle sensitive personal data that their members entrust to them. Here is a guide to GDPR compliance and how it will change the way your sports club needs to handle data:
How Your Sports Club’s Members Will Benefit from the GDPR
The GDPR will harmonise the data protection rules of all EU member states, giving EU businesses and organisations stronger protection against data breaches, which are all too common in today’s digital environment.
What Does the GDPR Require of Sports Club Administrations?
Starting from 25th May 2018, your club must have a secure way to store your members’ sensitive personal data. You must also keep records of your audits of that data. If a breach occurs, you must notify your national data protection authority within 72 hours. For UK residents, the proper authority is the Information Commissioner’s Office (ICO). If your club fails to follow these regulations, you may face GDPR fines of up to €20 million or four percent of your club’s previous year’s revenue, whichever is greater – a hefty sum.
If your club handles a lot of sensitive data, you must appoint a data protection officer. It will be important for your club to give that officer effective tools for proper data governance.
Potential Members Will Look at Your Ability to Protect Their Data
With the EU’s attention laser-focused on better data protection, potential members will scrutinise your sports club’s data governance policies and practices more closely. Don’t risk your club’s reputation with shoddy, outdated data governance. Your competitors, too, will be quick to take advantage if you fail to bring your club up to current best practice. Update your practices and keep your members’ trust.
How Will Brexit Impact These Regulations?
Since the UK’s legal separation from the EU will not take place until 2019, these regulations will, of course, apply to UK clubs until then. It would be a grave error, however, for UK clubs to ease off on tightening their data protection policies simply because the rules may not apply in the future. If anything, UK clubs should go beyond the EU’s regulations and provide the best possible data protection for their members.
Sports Organisations Not Immune from Cyber-Attacks and Data Leaks
Sports have become big business. Even smaller clubs handle large amounts of personal data: their members’ names, and their bank account or credit card details when members pay subs, buy uniforms, or make other transactions. Larger sports organisations have suffered massive data losses, the best known being the huge breach at the World Anti-Doping Association (WADA) caused by Russian hackers. That breach sent shockwaves through the sports world because it affected world-class athletes, most notably Olympic gold medallist Simone Biles and tennis stars Serena and Venus Williams.
How to Shore Up Your Club’s Data Protection
Designate, inform, train: Not only should you appoint a data protection officer to take responsibility for compliance, but you should also inform and train all the people on your club’s board, as well as employees who handle sensitive data, about the GDPR statutes and what they mean for your club’s operation.
Review policies and procedures: Look over your data protection policies, including privacy notices, and the language you use on documents to make sure they are at least compliant with GDPR regulations, if not even stricter. You’ll need to review your contracts to make sure they include data processing requirements compliant with the new rules.
Assess and document your current data and data requirements: Identify the points at which your club collects personal data, what types of data it collects, and from which types of people (vendors, members, or officials). Document all your data processing, including the legal basis for using the data. You’ll also need to check whether you have shared any inaccurate data with other organisations, such as faulty medical records for athletes, or incorrect or outdated information on members who transfer to other clubs.
Review consent policies and procedures: Look at your current procedures for obtaining consent from members and others. How does your club document that consent? If these procedures and policies aren’t at least as stringent as those of the GDPR, you need to revamp them to become compliant.
Review data breach procedures: Because of the new requirement to notify the ICO within 72 hours of a data breach, you need to examine your procedures closely to make sure they comply. Detection, reporting, and investigation procedures should all come under tight scrutiny so that your club can meet that deadline.
Assess any international contacts: If your club deals with data flows that cross borders, you’ll need to take a good look at what protections you have for international data transfers, since the GDPR regulations represent a huge change, with many complex requirements. Deal with this issue early to give your club time to research the new statutes and adapt your policies to the changes.
Assess your policies regarding children’s data: If your club works with children, you need to scrutinise your current policies to make sure they meet the GDPR’s exacting standards, which are designed to protect the data of the most vulnerable among us. Among other rules, the GDPR requires the consent of a parent or guardian before children’s data is recorded and processed. Review your policies to make sure that your organisation takes children’s data protection seriously.
Don’t risk huge fines and loss of reputation that could devastate your club. Use this checklist to make sure your club is ready for GDPR compliance:
- Make sure that sensitive documents are filed immediately after printing.
- Create anonymous print file names.
- Avoid duplication of sensitive documents.
- Encrypt data where possible.
- Document changes to documents, as well as who changes them.
- Update data often to keep it current and avoid errors.
- Create stricter user permissions and protocol settings.
- Review and update international data transfer policies.
- Review and update your club’s handling of children’s data.
How Pay Subs Online Can Help You
Having a reliable online admin system has a wealth of benefits, especially in relation to the upcoming changes in GDPR.
Pay Subs Online takes the security of your information very seriously. Data is stored securely on dedicated servers housed in a 2,000 m² purpose-built data centre. When transferring data between our servers and the user’s computer (administrators and members), we use the same technology as banks and financial institutions – SSL (Secure Sockets Layer) – to protect the information. As a result, you can sleep easy knowing your data is safe in our hands.
If you are looking to get ahead of the game and make sure you are covered for the upcoming GDPR changes, book a free demo of our software where one of our dedicated team members can show you how it works and explain in more detail how we can help you. To book a free, no obligation demo, click here.