UK: Guide To The GDPR For Sports Clubs

Last Updated: 29 August 2018
Article by Paula Tighe

On 25 May 2018, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) came into force.

This short guide sets out the key changes that the GDPR has made to the UK data protection regime, what sports clubs need to do to comply with data protection law and relevant examples of how GDPR applies to sports clubs.

  • Who is subject to the GDPR?
  • What is the point of GDPR and the DPA18?
  • Individual Rights
  • Children's rights under GDPR
  • Privacy Notices
  • Data Protection Impact Assessments
  • Appointing a Data Protection Officer
  • Reviewing and updating contracts
  • Internal policies and procedures
  • Data breaches and fines
  • What should you be doing now?

WHO IS SUBJECT TO THE GDPR?

WHO:

  • The GDPR applies in some way to any organisation which collects and processes personal data. This includes all sports clubs and governing bodies, whatever their size or level of funding.
  • It covers not only the personal data of a club's members but also the data of the club's employees or volunteers.
  • Sports clubs receiving individuals' personal data and deciding what they do with it are deemed 'Data Controllers' under the law.
  • Clubs must ensure that any third parties engaged to process data on the club's behalf, referred to under the law as Data Processors, also comply with the law. A data processor could be a marketing company engaged to carry out a campaign or survey on behalf of the club's members (e.g. SurveyMonkey or Mailchimp), a website host or data storage platform in the cloud that manages the club's data collection and storage.

WHAT:

  • 'Personal data' is any information from which an individual can be identified or is identifiable. This will include name, address, and financial details. It also includes identifiers such as an IP address collected when an individual visits a website.
  • The law also covers 'Special Category Data' such as race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sexual life or orientation.

WHAT IS THE POINT OF GDPR AND THE DPA18?

The legislation is a product of the digital age: more and more organisations of all types and sizes are processing and sharing individuals' information in the course of delivering a service or product. The law recognises that individuals are entitled to have their personal data protected and to be in control of that data regardless of how it is used or who is using it. The GDPR governs how data controllers process, obtain and use data to ensure it is managed in a fair, lawful and transparent manner.

For breaches of the GDPR, a data controller or processor can receive a fine of up to 4% of its annual worldwide turnover or €20 million (whichever is the higher). Individuals also have the right to claim compensation for financial loss or distress resulting from a data breach.

The DPA18 preserves the enforcement powers of the UK data protection regulator (the ICO, the Information Commissioner's Office) so that it can issue an assessment notice, accept an undertaking or issue an enforcement notice to bring about compliance with the law in a timely manner. The ICO wants to work with all forms of organisations and a fine is the last resort. The key is to get your club 'in order' to prevent any penalties from the ICO.

There are six principles on which the lawful bases of processing personal data rest:

  1. Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly, and transparently
  2. Purpose limitation: data should only be collected and processed for a specific, legitimate purpose and not used in any way that is not compatible with that purpose
  3. Data minimisation: only that data that is necessary in relation to the specific requirement should be collected and processed
  4. Accuracy: personal data should be accurate and, where necessary, kept up to date
  5. Storage limitation: personal data should be kept in a form that identifies the data subjects for no longer than is necessary for the purpose of the processing
  6. Integrity and confidentiality: appropriate security measures should be put in place (such as encryption, passwords, and securely locked cabinets) to protect against unlawful or unauthorised processing, and against loss, destruction, or damage.

Accountability is a key element of all six principles. By embedding these into a club's daily operations and showing how it is accountable at the board and senior level as well as operationally, a club can prove it meets its GDPR obligations.

For a sports club processing data, this means:

  • Before a club obtains and starts to use an individual's set of data, it must identify the lawful basis on which it will rely before it proceeds and document this accordingly.
  • There are different lawful bases for personal data and for special categories of data. A good starting point is to review the relevant section of the ICO's website. For example, a sports club's lawful basis for processing could be the fulfilment of membership obligations under its membership application form (performance of a contract, or steps taken to enter into a contract). A further example: those who sign up as members of sports clubs will expect to be kept informed about the club's activities, so the lawful bases of performance of a contract and legitimate interests could apply to keeping them informed about club events, competitions and products.
  • However, if there is any doubt, clubs will need to obtain informed consent (outlined below).
  • For employees, clubs can rely on the need to comply with their legal obligations as employers as the lawful basis for processing employees' personal data.

INDIVIDUAL RIGHTS

GDPR and DPA18 give individuals the following rights in relation to their personal data:

  • The right to be informed
  • The right of access to their data
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

These are the bedrock of a data controller and processor's obligations to demonstrate accountability. A sports club should ensure its policies, procedures, training and notices are fully compliant with these rights and inform individuals in a manner they would understand about what these rights mean to them and how to exercise them.

The right of access is a key change introduced by the GDPR. An individual has a right to access their data. A request can be made by any means and there is no fee unless the request is deemed manifestly unfounded or excessive. If the request is deemed manifestly unfounded or excessive, the one-month timeframe to supply the data can be extended by a further two months. It is important to have a procedure and a trained person in place to carry out the assessments when such requests (called Subject Access Requests) are received.

INFORMED CONSENT

The ICO has published useful and easy-to-follow 'fact from fiction' notes. The note on consent will help at grass-roots level. If sports clubs have to rely on informed consent as the basis for processing personal data, there are specific rules of which they need to be aware:

  • Consent must be given freely, be specific, informed and unambiguous.
  • When collecting consent for marketing, make sure the individual knows exactly what they are consenting to receive and how to withdraw consent.
  • Any request for consent must be prominent, concise, separate from any other terms, and easy to understand.
  • Pre-ticked boxes or opt-out boxes which presume consent must not be used.
  • An individual must be given the option to consent separately to different types of processing if their personal data needs to be processed for different purposes.
  • Keep records of the consent being given, and make it easy for people to opt out (using a preference management tool is a simple way to do this).
  • Keep consents under review and update them when required.

An individual has the right to withdraw their consent to data processing at any time. This means that clubs need to prove that they have obtained affirmative consent and record that they have informed the individual of the following:

  1. The name of the sport club as the data controller
  2. How their data will be held, processed, shared, retained, and secured
  3. Why their data is being processed
  4. Who their data will be shared with or obtained from
  5. Their rights in relation to the use and storage of their data
  6. How to activate their right (for instance how they can have their record erased)

CHILDREN'S RIGHTS UNDER GDPR

  • Children need particular attention because they will be less aware of the risks involved. A sports club needs to think about the need to protect children from outside risks and design all sporting operations on this basis.
  • When relying on consent as the lawful basis, and where online services are offered direct to the child, in the UK only children aged 13 or over are able to provide their own consent. If they are under this age parental consent must be recorded.
  • Sports clubs must also ensure that their privacy notices are in a language understood by children.
  • When collecting data, make sure there is an effective means of determining the age of the people from whom the data is collected and, if necessary, ensure that parental consent mechanisms are put in place.

The ICO supplies useful information on how to obtain and use children's data.

PRIVACY NOTICES

Privacy notices allow data controllers and processors to set out all the necessary information relating to the collection and processing of individuals' data.

  • Such notices need to be posted on club websites or otherwise made accessible to all, so that every individual has the opportunity to receive and read them.
  • Provide clear, simple ways for people to indicate their agreement to the different types of processing.
  • Keep privacy notices up to date and review regularly, particularly if complaints are received or when new forms of processing take place.
  • Explain to club members why their data is being collected. Usually this will be as a record of their membership/attendance at the club as well as keeping them informed about activities and fixtures.
  • Inform people if their information will be shared with any third parties e.g. volunteers, sponsors, governing bodies or local authorities, website hosts or data storage platforms.

As a minimum, a privacy notice must include the following:

  • the identity of the controller and the categories of processors the club uses;
  • how the club intends to use their data;
  • the legal basis for processing their data;
  • who the data will be shared with;
  • the security arrangements to protect their data;
  • the club's data retention periods;
  • individuals' rights; and
  • information about the individual's right to complain to supervisory authorities (i.e. the ICO).

Privacy notices need to be broken down into their component parts, allowing an individual to follow a link for more information about the different types of data being collected, why and how it is being collected, and for how long the data will be retained.

Data Protection Impact Assessments

Clubs should get into a routine of carrying out 'Data Protection Impact Assessments' (DPIAs).

  • DPIAs help to determine the most effective way a sports club can comply with the data protection legislation and help to identify any risks to the processing of the data and put measures in place to mitigate these risks.
  • The legal requirement is to complete a DPIA when the sports club deems that the processing of the data is likely to result in a high risk to individuals.
  • DPIAs are particularly recommended when implementing new IT systems or if the data is going to be used or shared for a new purpose.
  • A DPIA must be carried out whenever a club is planning to carry out "high risk" processing (which would include profiling individuals and processing special categories of data on a large scale). If the risk is high there may be a need to consult with the ICO who will supply written advice within eight weeks, or 14 in complex cases. Where they deem the risk to be too high they may issue a formal warning not to process the data, or ban the processing altogether.
  • Consider how children's and young people's data is being processed by the club and its data processors and, if there are high risks, carry out a DPIA.

Examples of when a club might carry out a DPIA are:

  • when they engage in an information sharing operation with another organisation(s) (e.g. regional, local and national governing bodies) for a common purpose;
  • when safeguarding information is to be shared;
  • when there is a large scale or routine set of data being shared for a common purpose e.g. results from competitions, events, and shows.
  • when a club is considering undertaking or engaging a new form of technology which will hold individuals' data and where the processing may significantly affect, or have an impact on, the individuals.

APPOINTING A DATA PROTECTION OFFICER

  • In some circumstances organisations have a statutory requirement to appoint a Data Protection Officer (DPO). A DPO helps to monitor internal compliance, informs and advises on data protection obligations, provides advice on DPIAs, and acts as the point of contact for the ICO and for individuals.
  • The obligation to appoint a DPO depends on certain conditions, and every club should check whether it meets those conditions. The conditions are based on whether the organisation is a public body or authority; whether a large volume of personal and special category data is held and processed; or whether the processing operations 'require regular and systematic monitoring of data subjects'.
  • Depending on a club's resources and the amount of data it handles, it should consider appointing a DPO voluntarily. The law would expect this person to still comply with the tasks of the DPO as outlined in the GDPR and DPA18.

REVIEWING AND UPDATING CONTRACTS

  • Many clubs will have contracts in place with third parties for the supply of goods and services. Some of these contracts may rely on processing personal data of the club's members and employees (e.g. the outsourcing of PAYE).
  • If this is the case, these contractors, as data processors, will need to comply with the GDPR and clauses relating to data protection considerations must be written into any contract between them and the sports club.
  • Create a register of all third-party suppliers, agencies and/or sport sector bodies that obtain and receive data, together with their compliance regime. Issue a compliance form asking them to demonstrate how they will comply with the law.

INTERNAL POLICIES AND PROCEDURES

  • Clubs are advised to create, retain and review their internal policies and procedures relating to the management, retention and protection of their members' and employees' personal data. Depending on the scale of their data processing activities, most clubs will need a set of policies which inform how the club will record lawful bases for processing, how they store data and for how long, how they keep the data secure, and how they ensure they keep their staff up to date with the requirements of the GDPR.
  • Clubs can also demonstrate compliance by having in place appropriate internal data protection policies, providing training to staff and conducting audits. A useful guide can be found on the ICO website.

Data breaches and fines

  • Data controllers and processors must report certain types of breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. The ICO has a useful set of information which is clear and concise, and you can view the recent webinar on reporting data breaches.
  • Reporting a breach is necessary where there is a high risk to an individual, for instance if they are likely to suffer damage (such as identity theft, financial loss, harm or discrimination).

The ICO has made it clear that it will not levy punitive fines on organisations that can demonstrate they are actively working towards compliance.

WHAT SHOULD YOU BE DOING NOW?

If your sports club has not yet assessed how it will comply with the GDPR and the DPA 2018, you must address this immediately. However, if you are already compliant with pre-GDPR data protection law, updating your policies to comply with the new regime should not be overly onerous.

Besides obvious changes such as determining the need to appoint a Data Protection Officer, and updating privacy statements and policies, clubs must check that they have sufficient internal procedures in place to comply with the new rules. For example, is there an effective internal procedure for identifying when a Privacy Impact Assessment is required?

We can help protect your organisation by carrying out a review of your existing policies and practices and advise on how to comply with the GDPR. We can also train and advise on all GDPR-related matters.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
