New data protection laws – what your club needs to know
29th March 2018
Some of you will have heard of the new General Data Protection Regulation (GDPR), which is coming into force on May 25, 2018. The new rules are an update of the Data Protection Act and set out new standards expected of businesses and organisations when handling personal data.
In the modern and increasingly digital world, how our personal data is used is ever more important. So the Government has adopted the European Union GDPR to give individuals more control over their details. At the heart of the new rules is consent. Individuals must give organisations permission to take, use and share personal data. Personal data is very broad and can include name, email address, and telephone number.
It is easy to see why big companies need to adopt tighter controls on personal data. However, have you thought about the impact of the regulations on your volleyball club? GDPR applies to any ‘data controller’ or ‘data processors’ – which means if your club collects any personal data then the new rules apply. That is almost all of the hundreds of volleyball clubs in the country.
Here are our top ten tips for GDPR: Getting Data Protection Right!
1. If your club has members, the rules apply
No matter how big or small your club is, if you collect, handle or keep people’s data you need to do it correctly. Any personal details which you ask for from players, coaches, volunteers – in fact anyone associated with your club – must be taken and stored correctly. This is even if it is just their name or an email address.
2. How to use personal data
Your club needs to have a rigorous process when it comes to handling data. Data should be:
- Processed securely
- Only what your club needs
- Updated regularly and accurately
- Only shared if the individual has given consent
- Only used for the purpose for which it was collected
3. Tell people how you will use their data
As soon as you start collecting data from someone who joins your club, you need to make it clear what data you’re collecting and what you will do with it. It is a good idea to create a Privacy Notice for your club. This document needs to outline:
- What personal data you will hold
- Why you need it – including sharing it within the club to organise training and competition, managing individuals’ club membership, any anonymous data your club uses to apply for grants, and any marketing or communications you will send them, for which you will need prior consent.
- Who you will share their data with – you cannot pass on personal data without permission. So for example, if your club secretary registers all your club’s players on the Volleyball England website, you will need to make this clear and get their consent.
- How long you will hold the data for – just during their membership or for a period afterwards?
- The individual’s rights to their personal data – a person can request access to their data or that it is deleted.
Once you have this document, you can attach it to your club’s membership form and ask people to read it and give their consent for you to use their data as you have outlined. You can also display it on your website so people can go back and access it easily.
4. Running events
If you decide to run a tournament or volleyball event, you should add some wording to the booking form stating how you will use the data and whether you plan to share it. For example, if you want to publish results or share the information with affiliated organisations, make it clear that by signing up to the event, people are agreeing that you can do that.
5. Retaining data
Part of the new GDPR states that data should only be stored for as long as is necessary. So you can’t keep it indefinitely and you need to tell people how long you will keep it for. If a player leaves your club and it is unlikely they will return in the near future then their data should be deleted.
6. Sharing data
For many volleyball clubs to operate, they will need to share their members’ details with other organisations. For example, a club will need to register its players with league organisers or Volleyball England. As a club, you must gain a member’s permission if you plan to share their personal data with anyone. It is best practice to explain in writing how you plan to share a member’s details and gain their consent when they first join the club.
As a club, you are not (unless you have their expressed consent in writing) permitted to share people’s data to allow other organisations to contact them for marketing purposes, even if it is a club sponsor or a business connected to your team.
7. Getting consent
If you do want to contact your members with marketing notices, for club events for example, then there will be further rules to comply with. Previously, you could have an opt-in box on membership forms where individuals could agree to be contacted with ‘marketing information by email, post and SMS’. Under the new GDPR, the contact options of email, post and SMS must be separated out, giving members more of a choice as to what they have opted in to. The boxes need to be ticked by individuals rather than pre-populated.
8. Use secure software
Most clubs’ data will be stored on laptops or on cloud systems. You need to ensure passwords are kept safe and that files containing personal data are encrypted. If your club still uses paper records, these must also be managed in accordance with data protection regulations. Paperwork should be stored securely and transferred safely. This can be trickier than with some digital formats, so the new regulations may inspire you to update some of your current filing systems.
9. Under 18s – need permission from their guardians
If you have juniors at your volleyball club, then you will need to be even more careful with their personal data. Consent to collect, store and use the data of someone under 18 must be granted by their legal guardian.
10. Think about the data you are receiving from others
Sometimes you might be passed data from third parties. For example, if you are running a tournament, another club might send you a list of contacts. Think carefully before you use this data. If that club hasn’t got the relevant consents for you to use the data, your club could still be liable. Therefore, only use data from a reliable and trustworthy source.
For more details about GDPR, you can visit https://ico.org.uk/