General Protection and Data Regulation (GDPR) is a comprehensive set of measures governing the protection of data for all individuals in the European Union.
In the UK, the Data Protection Act came into force, on 25 May 2018, effectively locking into our laws all the GDPR requirements for organisations managing personal data.
How does GDPR affect my sports club is a theme already covered on the Pitchero blog, giving background to what GDPR is, explaining the legal references and what clubs are expected to do. It’s vital that all clubs read up thoroughly on GDPR and get a good understanding of it.
Here, we’ll look at the first essential steps a sports club must take towards becoming GDPR-compliant relating to the rights of individuals. It can seem daunting; after all, a club is run by volunteers who aren’t all legal experts - but help is at hand with a range of resources from Pitchero.
1. Use Pitchero’s GDPR tools
As a website platform, Pitchero will be GDPR-compliant by the 25 May deadline and offers a suite of tools to assist sports clubs too. Clubs not yet on Pitchero can explore the many reasons to join from boosting revenue to attracting and retaining players.
In relation to GDPR, Pitchero is a prime solution to storing and managing your members’ data online securely. The company is also working towards offering:
- A facility for your club to gain consent from users of your Pitchero website (Already live across Club, League & County sites)
- Tools to help access data needed for subject requests (to be released soon)
- Audit information for membership database exports to show who has exported what and when (to be released soon)
- Clearly display of who has access to data and functionality to add or remove access where appropriate (to be released soon)
2. Understand the flow of data
First, review all the different ways your club collects, stores and processes personal data. An audit should include how data is currently managed, by whom and what the offline or online systems are that assist with this.
3. Get to grips with consent
With GDPR, a sports club must get explicit consent to collect an individual’s personal data, whether that’s paper registration or an online form. It includes anything that identifies that person so it could be a name, email, age, phone number, address, photo or video.
The individual agreeing the consent (it could be to join as a member or register sponsorship details) should agree with an action that clearly shows consent (a tick-box - not pre-filled in - or a signature are most common).
Consent to have personally identifiable information (PII) collected must be “freely given, specific, informed and unambiguous.”
Sports clubs can’t assume consent has been given, there must be a record kept and it should be specific for that singular purpose - so, one consent to join a supporter newsletter list and another to collect data of parents of junior members as examples.
Individuals must be informed in advance of their right to withdraw that consent. This is most obviously achieved in a privacy or data policy on a webpage where consent is being asked or in the terms and conditions of a registration form.
4. Update your privacy and data protection policies
Pitchero has a GDPR toolkit that gives advice on updating your club’s privacy and data protection policies and what needs to be included.
Each sports club must write its own policy relating to GDPR and add it to their Pitchero website. There is now a specific location to do this where you can save and display it at the base of your homepage (see Dashboard > Site Content > Policies).
A data protection policy is for internal use within your organisation and should include a club contact (see ‘appoint a data protection officer’ below).
5. Understand the 'right to be forgotten' and Access requests
Under GDPR legislation, there are two new rights for individuals (or data ‘subjects’ as GDPR refers to them as) - ‘the right to be forgotten’ and the ‘right to data portability.’
With the ‘right to be forgotten’, a sports club could be asked (verbally or in writing) to delete all the data that they hold on an individual. GDPR states that this should be done in a month.
The point of the ‘right to data portability’ is to allow any individual to ask an organisation for a copy of all of the personal data (in a readable format) held about him or her (again within a month).
This presents challenges for clubs to work out a process for dealing with these ‘subject requests’ and determining what personal data is stored and how to collate it into a useful composite (like a .csv file).
6. Consider appointing a Data Protection Officer (DPO)
This might be one person or a small team at a sports club but the purpose is to:
- Give an individual a point of contact with any data queries or requests
- Illustrate your club takes data protection seriously
Much as a club will have a child welfare officer, a data protection officer can be a focal point both externally but also internally as others at your club are bound to have questions relating to data processing.
A DPO is more common in larger organisations but with a sports club, it would mean there was someone to review GDPR moving forwards, to potentially do relevant training and keep updated on developments.
For advice on all aspects of GDPR, explore the Information Commissioner’s Office (ICO) website that includes a self- assessment toolkit.