The General Data Protection Regulation (EU) 2016/679 (the GDPR) will directly apply in EU member states from 25 May 2018. The GDPR will govern how organisations use personal data and increase the protection of individuals’ privacy. There will also be a new UK Act to replace the Data Protection Act 1998.
Clubs will be “controllers” of personal data (for example, name, address, date of birth) that they collect, store, use, share and delete (this is known as “processing” of personal data). Clubs will process personal data of their members, parents, volunteers, committee members, etc. The GDPR will apply to clubs, regardless of size.
For further guidance on the implications of GDPR for your club please download and read the GDPR – club briefing paper prepared by Harper Macleod LLP, on behalf of sportscotland, to support sports clubs.
Harper Macleod LLP have also prepared a number of resources to support sports clubs in preparing for the implementation of GDPR. All these resources have already been e-mailed to Club Secretaries so in the first instance please approach your Club Secretary for access to the templates. If you require the templates to be sent to you then please e-mail firstname.lastname@example.org.
When does the GDPR come into effect?
The GDPR will apply from 25 May 2018.
What does our club need to do in preparation for GDPR?
Firstly, the club needs to read the briefing paper prepared by Harper Macleod LLP for sports clubs in Scotland. In summary, you need to review all the information you hold and your reasons for holding it, identify the lawful basis for collecting and storing that information, prepare a privacy notice (or notices, where applicable), identify a process and accountability for monitoring compliance within your club, and ensure all individuals managing data in your club are fully aware of the GDPR and its requirements.
What are the implications of failing to comply with GDPR?
Organisations can be fined up to 4% of annual global turnover, and there is a tiered approach to fines. Whilst fines are relative to the size of your business, it is important to ensure you are fully compliant to safeguard your club against data protection breaches.
What do we do if there is a breach?
Any personal data breaches should be reported to the ICO within 72 hours of becoming aware of the breach. Further information on personal data breaches, including how to avoid a breach and how to report one, can be found here. Once a breach is reported, whether by the organisation itself or by an individual or other party, the club may be required to show what steps it has taken to manage data safely and in line with GDPR. This is why it is extremely important that you take the time to review the briefing paper and prepare accordingly.