The GDPR applies to you if you collect any personal data in running your club/association (which you definitely will do if you have any members). This includes structured, searchable paper records, not just electronic ones. GDPR refers to data controllers (those who decide why and how personal data is processed, which for membership data is the club itself) and data processors (anyone who processes data on behalf of a data controller, for example a membership-system or email provider).
Data must be:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- accurate, kept up to date, and kept for no longer than is necessary for the purpose it was collected for
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
Things to consider
- Consider how you collect details of an individual so that they can become a member of your club. You cannot simply use that information to allow your affiliates and sponsors to contact them for marketing purposes. You also need to tell people when they join your club if you are going to transfer their data, for example to an umbrella organisation, or even within your club if it is not held in a central system. You can still transfer data and send group emails, but you need the right consents, and when you send group emails put recipients in Bcc so that members' addresses are not disclosed to one another. For example, league tables could be shared with club websites, and club officials' data could be shared with leagues to avoid constant re-inputting.
- Retention policies need to be clear. You cannot keep data for longer than is necessary for the purpose for which it was collected, and you cannot keep it indefinitely. Decide how long you need to keep each type of data (for example lapsed members' details, accident reports, financial records), write that down, tell people how long you will keep their personal data, and delete or securely destroy it when the period is up. The periods must be reasonable and you should be able to justify them.
- If you are planning on putting in place a new system or electronic portal, then you need to consider whether the service provider you choose has adequate security to protect personal data. A provider that processes personal data on your behalf is a data processor, and you need a written contract with them setting out what they may do with the data.
- If you rely on consent from individuals to use their personal data in certain ways, for example to send marketing emails, the consent must be explicit, positively given for each separate use (no pre-ticked boxes or silence taken as agreement) and must be as easy to withdraw as it was to give. It should be expressed in simple, easy to understand terms and avoid legal jargon. Keep a record of who consented, when, to what, and how, so you can show it if asked.
- There are additional protections for children's personal data. If you collect children's personal data then you need to make sure that your privacy policy is written in plain, simple English that a child could understand. If you offer an online service directly to children, you need the consent of a parent or guardian for children below the age threshold, which is 13 in the UK but can be as high as 16 in other European countries. If you have members in the 13-15 age range, check which threshold applies to you.
- You need to make sure that personal data is held securely: electronic documents are encrypted and password protected, laptops and phones holding member data have device encryption switched on, the accounts used to access membership data have strong passwords (and two-factor authentication where the service offers it), access is limited to the volunteers who need it, and data is backed up on a regular basis. Consider keeping personal information in one secure membership system with controlled access rather than in spreadsheets, personal email accounts and USB sticks, where copies multiply and are hard to delete later. You also need to make sure that your volunteers can identify when a breach has happened (a lost phone or laptop, a membership list emailed to the wrong person or to a whole group in Cc, an account that has been accessed by someone else) and that they know what they should do and who they should talk to. Pay particular attention to any sensitive information such as health records, which GDPR treats as special category data. You are expected to keep this sort of sensitive data particularly safe.
You have 72 hours from becoming aware of a breach to report it to the ICO where the breach is likely to pose a risk to the people affected. This includes the loss or theft of personal data, not just hacking. Where the risk to individuals is high you must also tell them without undue delay. Keep an internal record of every breach, including those you decide not to report and why.