GDPR: resources you can use
7th January 2019
When the new General Data Protection Regulation came into force in May 2017, it set out new standards about how organisations use people’s personal data. The term organisation includes all not-for-profit sports clubs and teams.
At your volleyball club, you will likely have created data privacy notices to tell your members, volunteers and players how the club will use their data. You’ve also probably had to chase up lots of people to sign consent forms! Gaining their permission about how you use their personal data is a bedrock of the law.
However, GDPR is very detailed and even some big businesses struggled to make a smooth transition back in May. Most of us will have received tons of emails from anywhere we had ever purchased anything, asking us to agree to their new data protection policy! So, it is no surprise that some volleyball clubs have found tackling GDPR a little daunting and are perhaps still not completely comfortable with the regulation, even if they are compliant. GDPR was one of the areas our members flagged up in the Club Survey 2018 that they could do with more help with. So as well as clubs being able to find lots of information on the GDPR Guidance section of the website, here we delve deeper into the help you can get with GDPR.
The Sport and Recreation Alliance is a membership organisation, of which Volleyball England is a part, and is the voice of the sport sector with the government, policy makers and the media. As part of its work to improve opportunities and delivery of sport in the country with the support of Sport England, it has done a lot of work to help not-for-profit organisations, such as volleyball clubs, with GDPR. It has created toolkits, guidance and template documents for sports clubs to use.
Here we take a look at some of the key resources your club can use to ensure it is compliant and remove some of the stress related to GDPR:
1) GDPR compliance questionnaire
The quickest way to find out whether your volleyball club is complying with GDPR is to complete the questionnaire, which is available under the Compliance Questionnaire heading in the Club GDPR templates area of the website. It takes club members through different areas of the law such as how data is processed, gaining consent and data retention. The form asks the relevant questions and gives tick boxes for the things your club needs to do in each facet of the regulation.
2) Creating privacy notices
A privacy notice sets out how individuals’ data will be collected and processed. It means club members know what to expect about how your club will handle their personal data. The privacy notice should be accessible to all members, so it is a good idea to post it on your club website or make it explicit how people can access it.
The Sport and Recreation Alliance outlines what privacy notices should include as a minimum, including how the club intends to use members’ data, who it will be shared with, the security of their data and individuals’ rights. To see the full list of what Data Privacy Notices need to feature, check out the Privacy Notices section in Sport and Recreation Alliance’s ‘Guide to the GDPR for Sports Clubs’.
There is even more help on offer too. The Sport and Recreation Alliance has created template Privacy Notices for clubs to use. The great thing about these templates is that they clearly signpost how your club can implement them as its own. There are sections highlighted in yellow which ask questions which will determine how you will need to edit the notice to suit your club’s situation. There are templates covering different types of club member. You can access all the templates under the ‘Privacy Notices’ section in the Club GDPR templates section of the website.
3) Help for junior clubs
There are more stringent measures when it comes to handling children’s personal data. So if your club runs a junior section, it will need to put the correct measures in place.
Gaining consent about how personal data is used is one of the fundamental principles of the GDPR. However, some children are not old enough to give approval themselves, so clubs will need to gain parental consent.
The Sport and Recreation Alliance’s ‘Guide to the GDPR for Sports Clubs’ has a section about children’s rights under the GDPR. One of the essential things is that clubs are able to determine the age of people whom data is collected from, so children can be identified and treated appropriately.
A privacy notice for a junior member also needs to be child-friendly. This means the language can be understood by a child. In the Privacy Notices section of the Sport and Recreation Alliance’s Club GDPR Templates, there is a template of a child-friendly data privacy notice which clubs can adopt.
4) Marketing emails
Before the GDPR was implemented in May, you will have probably received an abundance of emails asking for your consent to continue to receive marketing from companies you’d previously used.
Gaining consent to directly market to people is a key part in the evolution of data protection laws. Your club needs to be clear what it will use members’ data for and gain consent to send them direct marketing.
There are a few important aspects to gaining consent too. Organisations need to be able to show that consent was knowingly and freely given; this means that clubs can’t use pre-ticked boxes, default settings or a lack of a response as a form of valid consent. Individuals must opt in to be contacted.
On the Sport and Recreation Alliance Club GDPR templates, there is a very useful document called ‘Standard Consent Wording and Advice Note on Direct Marketing’. As well as explaining how to stay on the right side of the law when it comes to direct marketing, the document also includes template consent documents and wordings your club can use to gain permission to directly market to your members.
5) Writing a data protection policy
A data protection policy sets out your club’s approach to data protection law and informs the club’s members and volunteers about how personal data will be processed at your volleyball club. It helps to serve as a way marker and practical guide to people in the club who handle data about the correct steps they need to follow to comply with the GDPR.
Unsurprisingly, a data protection policy can be a lengthy document and helpfully The Sport and Recreation Alliance has developed a ‘Standard Club Data Protection Policy’ template which your club can use. It highlights the sections in which you will need to put in your club’s details.
It is important that the person responsible for GDPR at your club, usually the Data Protection Officer, is familiar with and understands the policy. It is also good practice to go through the relevant sections with volunteers and members to explain how they need to handle personal data.