GDPR – We Answer Your Questions
Well, that was some response to our article GDPR – What is it and what does it mean for our club. From the many questions, comments and information requests we received, we have pulled them all together below with the answers we have found, along with some of our templates.
I’ve read your article but am still a little confused… What is GDPR?
GDPR (General Data Protection Regulation) is Europe’s new framework for data protection law, which comes into effect on 25th May 2018 – it replaces the previous 1995 data protection directive, on which current UK law is based.
This will mean:
- Enhanced personal privacy – more rights for your members, supporters and volunteers
- Sports clubs will have to have more clearly defined processes in place for dealing with their members’ data
- Your club will have to be more transparent about why and how it uses personal data
- All volunteers and staff need to be up to speed on the new regulations
- Financial penalties can be imposed for breaches
What do our sports club administrators need to do for the GDPR?
As with previous data protection legislation, your club must have a secure way to receive, store and dispose of your members’ sensitive personal information (see our “What is personal data?” infographic). Your club’s secretary (or other administrators) must continually keep track of who has access to these details, what they need them for, and whether the information is up to date.
If any information is misplaced or accessed by someone who shouldn’t have access, this is called a “breach”; if this happens, you must contact your country’s (e.g. UK, Ireland, Spain) Information Commissioner or supervisory authority as soon as possible (ideally within 72 hours).
Your club could be subject to GDPR fines of up to €20 million or four percent of your club’s previous year’s revenue, whichever is higher – a hefty sum if it doesn’t follow these regulations.
If your club is very large and therefore holds a lot of personal data on its members, you should appoint a data protection officer, who will oversee this information and how it is used or distributed.
What does our club’s committee need to do now?
1. Audit what you already hold
Have a look at what information your club already has on its members, where this information is stored, and who is currently responsible for collecting, storing and distributing it; then look at what process your club has in place for data protection today.
You can find our GDPR Audit Template here: DOWNLOAD AUDIT TEMPLATE HERE
2. Clarify what’s needed
Once you have found out what information you currently hold, look at what information your club actually needs. For example, your club may need names, dates of birth and medical details for registration… but does it need, or has it ever used, information on members’ religious beliefs?
Where is your members’ information stored? Could it all be in one place? Saving it in one place, e.g. Dropbox or Google Drive, will make it simpler to track breaches and to delete information entirely once it is no longer needed.
3. Safeguard the information
Make sure the club’s passwords and documents are protected and that safeguards such as the following are in place:
- Documents and databases which hold personal information are password protected
- The passwords for these are kept in a secure location; you could use a password manager such as LastPass or Dashlane
- When you send a password-protected document via email, send the password by a separate channel, e.g. LastPass, text message or phone call
4. Let your members know
Let your members know why you are collecting their information, and what you will do with it, when and where.
Here is an example from the ICO.
Below is a more in-depth Privacy Notice mockup:
Your Personal Data:
What we need
The ABC Sports Club will be what’s known as the ‘Controller’ of the personal data you provide to us. Our club only collects basic personal data about you which does not include any special types of information or location-based information. This does, however, include name, address, date of birth, email etc.
Why we need it
We need to know your basic personal data in order to provide you with information about the club, and to provide player registration information to our Governing Body in line with your overall membership of the club. We will also collect information that may assist us in applying for funding. We will not collect any personal data from you that we do not need. If we need further information we will contact you directly.
What we do with it
All the personal data we process is processed by our staff/committee in the club; for the purposes of IT hosting and maintenance, however, this information is located on servers within the European Union. No third parties have access to your personal data unless the law allows them to do so or you have given permission.
We have a Data Protection regime in place to oversee the effective and secure processing of your personal data. More information on this framework can be found on our website.
How long we keep it
We are required under tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed. Your information we use for marketing purposes will be kept with us until you notify us that you no longer wish to receive this information. More information on our retention schedule can be found online.
What we would also like to do with it
We would, however, like to use your name and email address to inform you of our future events and updates from the club. This information is not shared with third parties and you can unsubscribe at any time via phone, email or our website. Please indicate below if this is something you would like to sign up to.
Please sign me up to receive details about future offers from ABC Sports Club.
What are your rights?
If at any point you believe the information we process on you is incorrect, you can request to see this information and have it corrected or deleted. If you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer, who will investigate the matter.
If you are not satisfied with our response, or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).
Our Data Protection Officer is Notey McNoticeface and you can contact them at [email address]
The ICO goes as far as to say:
“silence, pre-ticked boxes or inactivity should not constitute consent”.
Your club will, therefore, have to explain precisely why you need this personal information and how your club intends to use it.
If you want to make any of the information you have gathered available to third parties (such as governing bodies, local authorities or potential funders), you will have to gain explicit consent to do so.
We have made up a sample club membership form for your youth members that includes a GDPR statement; please feel free to use and adapt it to suit your club: Sample Club Membership Form With GDPR Statements
Consent for the use of personal information will need to be freely given, specific and informed, and your club must obtain a clear indication of agreement via a statement or a precise action, such as having to tick a box.
You can find a consent checklist here: DOWNLOAD CHECKLIST HERE
Will we still be able to send our e-newsletter to our members and supporters?
The ICO’s guidance is:
“You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’”
The ‘soft opt-in’ applies if all of the following apply:
- Your club obtained the person’s details in the course of a sale, or negotiations for a purchase, of a product or service, such as membership
- The messages only market similar products or services, i.e. anything to do with your club, and not just your sponsor’s latest deal
- The person was given a simple opportunity to refuse marketing when their details were collected, and, if they didn’t opt out at that point, is given a simple way to do so in future messages
We’ve prepared a flowchart to help you decide whether you have consent and what to do.
Will my club be affected by GDPR after Brexit?
Given that the UK leaving the EU will not occur until 2019 under Article 50, GDPR will, of course, apply to UK clubs until that time, and beyond if they have members who live in other countries, e.g. Ireland/Northern Ireland.
It would be a huge mistake, however, for clubs to be dismissive of the way they handle their data merely because the regulations may not apply in the future.
In fact, as we are sure happens in other areas of your club, UK clubs should go above and beyond the EU’s regulations to provide the most exceptional data protection for their members.
We suspect your club doesn’t go for average on the pitch/court… so why should it off it?
We don’t think that clubs should be panicking. However, you need to be prepared for GDPR, as it’s an evolution, not a revolution, of the current/previous Data Protection Act. That act already requires that your members’ personal information is handled fairly and lawfully, so sports clubs shouldn’t have too much more to do other than a few tweaks to their documents.
So don’t panic – use this as an opportunity to look at how your club currently handles its members’ details and ensure the club has plans and procedures in place to make any changes you need to be ready for next May.
This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult a lawyer if you’d like help on your interpretation of this information or its accuracy.
In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.