Club GDPR - Athletics Ireland

Guidance for clubs on GDPR compliance

It is imperative that every club understands the principles of Data Protection and how the upcoming changes in legislation will affect them. The following are key steps clubs should take:

Increase Awareness

As a Data Controller, each athletic club, county or provincial board will be accountable for how it collects, uses and stores information about its members. Every member should be aware of the changes that GDPR will bring and how they affect them, either as a volunteer working on behalf of the club or as an individual club Member. Clubs should ensure that information relating to GDPR is made available to committee members, club Members, coaches, volunteers or anyone who is involved with the Club.

Ensure Understanding

Each athletic club should understand exactly what personal information it holds (and is responsible for). To ensure this is clear, it is important that every club makes an inventory of the personal data that it holds and examines it under the following headings:

  1. Why is it being held?
  2. How was it obtained?
  3. Why was it originally gathered?
  4. How long is it being retained for?
  5. How secure is it?
  6. Is it shared with any third parties?

Consideration must be given to paper membership forms and how these are managed once they have been completed and received by the club. It is permissible to collect information on paper forms, and to retain them in hard copy after they have been completed, as long as the member is made aware of this at the time they are completing the form. Tick boxes (or similar) should be used to obtain the person’s explicit consent to process their information. It is vitally important that any completed forms are stored securely in a specified location.

The same logic should be applied to any other system or database used to assist a club when managing its membership. It is permissible to use technology in this way but careful attention must be paid to how and where data is stored (it must be secure and should be encrypted) and individuals must be informed if a third party is being used to provide a system for this purpose. Most of the third party providers of these kinds of systems (online registration, text messaging, fundraising) will be well aware of GDPR and will be able to advise on how they are ensuring compliance. If your club is using a third party system you should contact them to verify that they are in compliance with GDPR and request their Privacy Policy.

Other likely categories of Personal Information held by athletic clubs will include:

  • Information required for Garda Vetting
  • Text or messaging systems
  • Email lists or distribution groups
  • Attendance lists
  • Information captured on club social media and websites

There may also be others, depending on individual clubs, and it is important that each club has a record of all of the Personal Data that it ‘controls’.

Clear Communication

As noted above, individuals must be made aware of certain information, such as why their data is being collected and who will have access to it, before their data is obtained. Under existing Data Protection law, it has always been a requirement to provide some of this information to individuals. GDPR builds on this requirement and expands the information that must be given to individuals in advance of collecting and using their data.

Existing membership forms, and other forms used to collect data, must be updated to specifically tell individuals the following:

  • The Club’s identity
  • The reasons for collecting the information
  • The uses it will be put to
  • Who it will be shared with
  • If it’s going to be transferred outside the EU
  • The legal basis for processing the information
  • How long it will be retained for
  • The right of members to complain if they are unhappy with the club’s implementation of GDPR
  • Other specific personal privacy rights relevant under GDPR (as outlined in Personal Privacy Rights section)

Ensure Personal Privacy Rights

GDPR enshrines certain rights for individuals that must be supported by every organisation.

  • Access to all information held about an individual (Subject Access Request) – This allows for any member to request a copy of all information held about them. This must be provided within 30 days.
  • To have inaccuracies corrected
  • To have information erased (right to be forgotten)
  • To object to direct marketing
