With the new GDPR bill coming into force on 25th May, it’s important that all clubs are aware of the new laws.
Currently, we rely on the Data Protection Act 1998, which was brought in before the internet and cloud technology created new ways of sharing and holding data. The EU’s new GDPR will bring data protection legislation into the 21st century. Many of the GDPR’s main concepts and principles are the same as those in the current Data Protection Act (DPA), so if you are already complying properly then you won’t have to make too many changes. However, it is important to bear in mind that there are some new elements and changes, so you will have to do some things for the first time and other things differently.
The Sport & Recreation Alliance have produced some useful toolkits, while the Information Commissioner’s Office (ICO) will help you work out the main differences between the current law and the new GDPR to ensure your club is prepared for the change on 25th May.
We’ve also covered GDPR on Club Natters, our new podcast, so be sure to check that out too!
Here are 10 steps you can follow to make sure your club meets the requirements for the new bill:
1. Awareness
Make sure that key people at your club are aware that the law is changing. Implementing the GDPR could take up a fair amount of time, so it's best not to leave it until the last minute.
2. Information you hold
Make a record of what personal data you hold at your club, where it came from and who you share it with. We suggest creating a list of all the information you hold on staff, members, participants and volunteers.
3. Communicating privacy information
Take a look over your current privacy notices - messages you send people confirming how their personal data will be used and stored by the club - and make any necessary changes.
4. Individuals' rights
Check your data procedures to ensure they cover all the rights club members have, including how you would delete personal data or provide data electronically.
5. Data access requests
Update and plan how you will handle data access requests to take account of the new rules. Under the new rules, you will only have a month to comply, rather than the current 40 days.
6. Lawful basis for processing personal data
Under GDPR, your club must be able to prove and describe how you will handle personal information. Identify the lawful basis for the way you use personal data, then update your privacy notice to explain it.
7. Consent
Review how you record consent and whether you need to make any changes. Refresh any existing consent forms you hold if they don't meet the GDPR standard.
8. Children
Start thinking about whether you need to put systems in place to verify individuals' ages and if you need to obtain parental or guardian consent.
9. Data breaches
Ensure you have the right procedures in place to detect, report and investigate a personal data breach. It may be helpful to assess the types of personal data you hold at your club and be aware of when you would be required to notify the ICO or affected individuals if a breach occurred.
10. Data Protection Officers
Designate someone involved with your club to take responsibility for data protection compliance.
Once you have followed these steps, have a look at the ICO checklist to see if you are GDPR compliant.