GDPR for Clubs
What is the GDPR
The General Data Protection Regulation (GDPR) is a new law which will replace the current Data Protection Act. Basically, the GDPR will govern how personal data is used and will increase the protection of individuals’ privacy.
Why change from the Data Protection Act 1998?
Changes to data protection regulations are needed as technology has advanced. Personal data is now processed (collected, stored, shared etc.) in different and more sophisticated ways than when the Data Protection Act 1998 was implemented, and this new technology needed to be covered by the law.
When does the GDPR apply?
The GDPR becomes effective on 25 May 2018. The UK Government is also legislating to make sure that the GDPR passes into law before the UK leaves the European Union.
However, don’t panic – data protection legislation has been around for years and the GDPR is an update of existing requirements rather than something completely out of the blue. The Information Commissioner has emphasised that GDPR compliance should be seen as a journey requiring ongoing effort rather than a race ending on 25 May 2018. While the ICO will be regulating against the GDPR from this date, the Commissioner is clear that “those who self-report, who engage with the ICO to resolve issues and who demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action”.
Does the GDPR apply to Member Clubs?
Yes. Member Clubs will be “controllers” of the personal data of their members (for example, name, address, telephone number, date of birth, gender, emergency contact details or medical information, such as knowing that someone has an allergy) that they collect, store, use, share and delete (this is known as “processing” of personal data).
The GDPR will apply to Member Clubs whether they have four members or 1,000 members, whether they pay staff or are all volunteers, whether they have a club house or not, or whether they’re incorporated (e.g. as a company) or not.
How should my Club prepare?
There is a great deal of information on the web that you may find worrying or confusing, so we have brought together a range of resources and guidance in partnership with sportscotland and Harper Macleod LLP, to help you understand the GDPR and your responsibilities as a Member Club.
It may seem like a lot of work at first, but using the provided templates may help Member Clubs meet the GDPR requirements when they come into effect.
Data protection principles
The GDPR includes six data protection principles that Member Clubs need to be aware of whenever they collect or use personal data (for example, signing up a new member, sending an email to a member or volunteer, etc.).
The six principles of the GDPR require that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In order to comply with these principles, Member Clubs need to:
- ensure they identify a lawful basis to process the personal data and provide a privacy notice to the individual, which tells individuals how the club uses their personal data (we have provided you with a template should you wish to use it);
- only collect, use and keep personal data for specific purposes – i.e. only use a member’s personal data for membership purposes;
- only collect, use and keep personal data that clubs actually need;
- keep personal data up-to-date where possible;
- only keep personal data for as long as clubs need it – i.e. when a member leaves a club, clubs should review all the member’s personal data held to see whether they still need it after a specific period of time (for example, three years); and
- protect personal data and keep it secure.
Paper or electronic records?
The GDPR is mainly concerned with electronic personal data. However, if a Member Club uses a paper filing system that allows information to be picked from specific criteria then the GDPR will apply to this paper filing system.
Most Member Clubs use email and any personal data included in emails will be caught by the GDPR.
Lawful basis for processing
There is a specific list of “lawful bases” for processing personal data in the GDPR, and Member Clubs will need to identify which one applies before collecting and/or using personal data.
Once Member Clubs have identified their lawful basis, they must explain this to individuals in privacy notices.
What is the lawful basis for members’ personal data?
When processing members’ personal data (for example, membership admission, membership fee payments, AGMs, etc.) Member Clubs will have a “contractual” lawful basis.
This is because the Member Club needs to use members’ personal data to comply with the terms of their membership, and the Member Club should only use such personal data for this purpose.
A Member Club may also be legally required to process members’ personal data for specific purposes, e.g. health and safety or equality monitoring. This lawful basis is known as the “legal obligation” lawful basis, as it applies when a “controller” needs to use personal data to comply with a legal obligation.
What is the lawful basis for employees’ personal data? (This only applies to Member Clubs which employ staff.)
Again, Member Clubs will have a “contractual” lawful basis, as employees will have a contract of employment. Member Clubs should only use employees’ personal data to comply with their obligations under that contract of employment.
Member Clubs will also need to process employees’ personal data for legal reasons under the “legal obligation” lawful basis. For example, Member Clubs will need to report details of employees’ income to HMRC for tax reporting purposes.
What are “legitimate interests”?
Another lawful basis is where a Member Club has legitimate interests for processing personal data. However, the catch with this lawful basis is that any such legitimate interests cannot be outweighed by the interests of the relevant individual.
This might apply where Member Clubs issue newsletters to members / other individuals or communications promoting upcoming events / competitions, which is seen as ‘direct marketing’. Member Clubs should always make sure that individuals can stop receiving such newsletters or communications by contacting the Member Club.
What about asking for consent?
Asking individuals if they consent to the Member Club using their personal data is a lawful basis under the GDPR. However, there are specific requirements for asking for consent, which means it will be more difficult going forward, and Member Clubs should use one of the other lawful bases where more appropriate.
If Member Clubs do want to ask individuals for consent then they must use a consent statement that:
- is a clear affirmative action: opt-in rather than opt-out and no pre-ticked boxes;
- is separate from other terms and conditions and not a precondition of signing up to a service;
- provides granular options for different processing operations; and
- is easy to withdraw.
Where Member Clubs use social media pages, it is likely that social media websites will have updated privacy policies as the providers will consider that they are “controllers”. Member Clubs should hopefully not notice much of a difference. However, Member Clubs are advised to check these privacy policies.
What about “special category personal data”?
Special category personal data is a separate category of personal data under the GDPR and includes data revealing a person’s disability (if any); racial or ethnic group; health; sex life or sexual orientation; or religious or philosophical beliefs.
Where Member Clubs process special category personal data they must have a lawful basis and meet at least one condition for processing special category personal data. The Clubs template privacy notice wording WORD | PDF document includes some examples of these conditions and we would recommend that Member Clubs seek advice if they process other special category personal data and want to check the conditions.
There will also be separate conditions in the new UK Act for processing personal data relating to actual or alleged criminal offences, which are still to be finalised.
A “privacy notice” is a statement by a “controller” (Member Club) explaining to individuals what they do with personal data. We are providing you with a Clubs template privacy notice wording WORD | PDF document which includes general wording with examples for members and participants, and a Clubs template privacy notice wording for employees WORD | PDF document – only relevant to Member Clubs which employ staff.
We are also providing you with an example of a completed privacy notice Member Clubs can tailor and give to their members – Clubs template privacy notice for members WORD | PDF. We hope this document will meet the needs of the majority of our Member Clubs.
When do we need to give people privacy notices?
When collecting or receiving personal data from anyone, Member Clubs must give a privacy notice to the individual whose personal data the Member Club is processing. For example, the privacy notice should be included in applications for membership, membership renewal forms, booking forms, and employment / volunteer forms.
Member Clubs should also put their privacy notice(s) on their website (if they have one) and provide individuals with the link to the relevant page or send an attached document.
What needs to be included in a privacy notice?
The Clubs template privacy notice wording WORD | PDF document we have provided sets out all of the headings (in bold) that the GDPR states should be in a privacy notice. However, the text under the headings can be tailored by Member Clubs. It is important for Member Clubs to cover all of their data processing activities in privacy notices.
Member Clubs will pass membership data or other personal data to Scottish Curling, so Scottish Curling will become a “controller” of that personal data. Each Member Club’s privacy notice must tell individuals that Scottish Curling will receive their personal data and become a “controller” of it. This could also apply to other third parties.
If Member Clubs publish any personal data on a website or within a clubhouse then this must be stated within the privacy notice. An example of this is that the Annual produced by Scottish Curling contains the names of every club’s members and contact details for office bearers of Member Clubs.
Rights of data subjects
Individuals (known as “data subjects”) have rights regarding their personal data under the GDPR. Member Clubs need to consider requests from data subjects and respond within one month.
We would recommend that if a Member Club receives a request from an individual and it is unsure how to respond, it should take advice. Member Clubs need to be aware of the one-month timescale and make sure that they comply.
Data subjects (individuals) can ask Member Clubs to:
1. provide a copy of their personal data and information on how the Member Club processes the data (basically what is included in a privacy notice – a “subject access request”);
2. correct or complete any incorrect/incomplete personal data held – the “right to rectification”;
3. delete all personal data held by the Member Club (in some circumstances) – the “right to erasure”;
4. stop or limit the processing of their personal data (only in some circumstances) – the “right to restrict processing”; and
5. provide all personal data in a particular format for their re-use (only in some circumstances) – the “right to data portability”.
Data subjects (individuals) can also object to a Member Club processing their personal data, which is known as the “right to object”. This right only applies in some circumstances – for example, members can object to receiving the Member Club’s newsletter and the Member Club should stop sending the newsletter to the member immediately.
If Member Clubs use any third-party suppliers they should check whether those suppliers are given, or have access to, any personal data held by Member Clubs, as such suppliers are defined as “processors” under the GDPR. Member Clubs may use suppliers to send mailshots, administer online systems, process payments, host websites, run online surveys, etc.
Member Clubs should have such suppliers sign the Template data processing agreement WORD | PDF or enter into a contract or terms and conditions, which should include the template data processing clause found in the Guidance notes for Clubs using the data processing agreement template WORD | PDF. We would recommend you read the Guidance notes before the data processing agreement.
Accountability and governance are important principles of the GDPR. What this means is that Member Clubs have an overall duty to demonstrate that they are complying with the requirements of the GDPR.
What information do Member Clubs need to keep?
Member Clubs should keep a document recording (such as a spreadsheet or table) the following:
- the purposes of processing – for membership, competitions, lessons, etc.;
- the categories of individuals and personal data – members, volunteers, etc. and name, address, date of birth, etc.;
- the categories of recipients – details of who the Member Club shares personal data with, such as Scottish Curling, local Area, Province or Ice Rink etc.;
- details of any personal data transferred or hosted outwith the EU, and the safeguards in place – for example, MailChimp, which has Privacy Shield certification;
- retention periods – how long different records of personal data are kept; and
- details of security measures in place to keep personal data secure – for example, passwords, locked cabinets, restricted accounts, etc.
Member Clubs should also keep copies of privacy notices and consent statements, so they can evidence that these have been provided to individuals.
If a Member Club loses personal data or suffers a data security incident, then this is a personal data breach. Examples of breaches include: access to personal data by an unauthorised person; sending personal data to the wrong person; or losing computer or mobile equipment containing personal data.
If the breach is severe and could affect individuals (i.e. poses a risk to their rights and freedoms) then Member Clubs will be under an obligation to notify the Information Commissioner’s Office (the ICO) within 72 hours of becoming aware of the breach. Member Clubs will also have to notify the affected individuals if there is a high risk to their rights and freedoms.
If a Member Club fails to notify either the ICO or affected individuals of a breach when required to do so, they could suffer a significant fine.
Member Clubs that breach the GDPR may be liable to a fine (up to £20m or 4% of turnover, whichever is greater, for serious compliance failures). Individuals can also sue Member Clubs for compensation.
Accordingly, it is important for Member Clubs to prepare for GDPR to reduce the risk of breaching it.
Suggested action plan for Member Clubs
- Identify all personal data that is held by the club and what it is used for – create a table or spreadsheet, which can be used to maintain the required records of processing activities.
- Use the template sample wording to create privacy notices and update club forms, websites, etc. to include the new privacy notices and issue these to current members, employees, etc.
- Ensure that everyone within the club with access to personal data held by the club has a basic understanding of data protection and the club’s obligations under the GDPR.
- Adopt higher standards of data security – for example, good practice would be to create specific club email accounts to limit the use of personal email accounts for club business.
- Use the template wording to get suppliers to sign up to written data processing contracts.
The above represents the proposed law and guidance as at March 2018.
Whilst we have tried to provide relevant information about the GDPR to help Member Clubs comply with the new legislation, Member Clubs are ultimately responsible for ensuring their own compliance. We would recommend Member Clubs seek independent advice should they require further guidance or clarification of their responsibilities.
Should you have a question about any of the information provided on this page and subsequent links to relevant documents please email email@example.com stating your name, club, position in club and your question. We aim to answer questions within one week.
Note: The above information and templates have been produced in partnership with sportscotland and Harper Macleod LLP.