GDPR - is your club prepared?
Disclaimer: This blog post is intended purely as helpful advice for sports clubs concerning GDPR. Nothing in this article should be considered as legal advice - we recommend that you seek your own professional legal advice to determine how GDPR applies specifically to your organisation.
What is GDPR?
General Data Protection Regulation (GDPR) is the new European law that takes effect from 25 May 2018. It applies to anyone living in the EU and to any organisation, wherever it is based, that holds personal data about EU residents.
In the UK, GDPR supersedes the Data Protection Act 1998 (DPA). It strengthens the protections of the DPA and gives EU citizens more control over how organisations use their data, with large fines (up to €20 million or 4% of global annual turnover, whichever is higher) for organisations that do not comply.
Does that include my club?
Almost certainly! If your club collects/holds the data (digital or physical) of any EU residents then you will be expected to comply and could receive a hefty fine for failing to do so.
Should I be worried?
Probably not! But you will need to be careful about how you collect, store and process data about your club members - something we should all do anyway!
Luckily, if you use teamo as your central database for members then you are already well on your way to becoming compliant!
Key rights from GDPR
- Right to be informed: You must tell your members what personal data you hold, how it is used and why, normally in a privacy notice at the point you collect it, and they can ask about this at any time.
- Right of access: Your members can request a copy of personal information you hold about them at any time.
- Right of rectification: Your members can update (or request updates to) personal information at any time.
- Right of erasure: Your members may request that you or teamo erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Right to object: Your members can require you to stop processing their data for direct marketing (you must always comply), and can object to processing you carry out under legitimate interests (you must stop unless you can show compelling grounds that override their interests).
How do these rights likely affect my club?
- Do you collect members' data on paper forms?
- Do you share members' data digitally with other volunteers at the club?
- Do you store digital data in multiple places?
- Do you have any digital documents with members' data that aren't password protected and encrypted?
- Do you need to download data from a central database to transfer it to another product, for example to send emails en masse via mailchimp/campaign monitor/similar?
If you answered yes to any of these questions you could be at risk of not complying with GDPR and could face a considerable fine. Fortunately, rectifying this should be relatively straightforward with the help of a secure central system like teamo.
How teamo can help
From 25 May teamo will help with the following:
- Right to be informed:
Teamo will provide full documentation on information stored as well as how and why we and club admins use it.
- Right of access:
Teamo will be able to provide members with any information we hold on them.
- Right of rectification:
Teamo members are able to update their information directly from the app.
- Right of erasure:
Teamo members will be able to delete all of their personal data. This will automatically delete their data everywhere teamo stores it, including from email lists. Copies you have exported elsewhere (spreadsheets, mail-merge lists, paper forms) are not covered and remain your responsibility.
- Right to object:
Teamo members will have the ability to update their preferences to determine the types of communication they receive from both teamo and their club via email/mobile notifications.
What else should I consider?
For any member data that you upload to teamo you will need to confirm that you have a lawful basis for using their data for this purpose. This will often be consent, i.e. "the individual has given clear consent for you to process their personal data for a specific purpose". You will need to make the purpose clear to the member at the point of collection. In teamo, players will have an opportunity to review and update their records on registration.
Whilst consent is often best practice, you may be able to process members' data on a different lawful basis such as:
- Legitimate interest:
"the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests."
To rely on legitimate interests as your lawful basis you will need to complete a Legitimate Interests Assessment (LIA) and keep a record of it - we've prepared an LIA form for you here
- Contract:
"the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract."
- Legal obligation:
"the processing is necessary for you to comply with the law (not including contractual obligations)."
- Vital interests:
"the processing is necessary to protect someone's life."
- Public task:
"the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law."
Of course, any data that you may be holding on your members away from teamo is also subject to GDPR. This includes any spreadsheets, surveys, forms and any other documents, paper or digital, that may contain data about your members.
We'd recommend destroying any of this information that is not absolutely necessary. But where you do continue to hold/collect this data you'll need to consider the following:
- Only collect and store the minimum amount of information required.
- Make sure all information is up to date.
- Your members will need to be informed of how long you will hold their personal data - this period must be reasonable for its usage.
- Review the security of data - consider encryption for any digitally held documents.
- Limit the use of personal data - particularly where it is not held in a central, secure system.
- Avoid storing data in multiple products/services - (you can use teamo to replace your email service to communicate with your teams - find out more)
- All data should be held securely - digital documents need to be password protected and encrypted and backed up. You will need to be especially careful with sensitive data such as health records, which GDPR treats as special category data.
- You need to be able to identify when a breach has occurred, keep a record of it, and report it to your data protection authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- To alleviate any such concerns we'd recommend using a secure, GDPR compliant central system like teamo and to limit collecting any external data where possible.
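As an added illustration of the minimisation and retention points in the list above (this is example code written for this page, not teamo's code or anything from the original post), the script below takes a member export and produces the smallest extract a volunteer actually needs, drops members whose leaving date is past the club's retention period, and refuses to release health data. The column names, the one-year retention period and the sample rows are all constructed assumptions.

```python
"""Produce a minimised, retention-pruned extract of a member export.

Added example, not teamo code. The CSV columns, the one-year retention
period and the sample rows below are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export: the kind of spreadsheet a club might hold.
SAMPLE_EXPORT = """\
name,email,phone,date_of_birth,medical_notes,left_club
Alice Example,alice@example.invalid,07700 900001,1990-04-12,asthma inhaler,
Bob Example,bob@example.invalid,07700 900002,1988-11-30,,2016-06-30
Carol Example,carol@example.invalid,07700 900003,1995-02-01,,2018-01-15
"""

# Health data is special category data under GDPR: it never leaves the
# central record in an ad-hoc extract, whatever the requester asks for.
SENSITIVE_FIELDS = {"medical_notes"}

# Assumed club policy: records are kept one year after a member leaves.
RETENTION_AFTER_LEAVING = timedelta(days=365)


def prune_retention(rows, today, retention=RETENTION_AFTER_LEAVING):
    """Drop members whose leaving date is beyond the retention period.
    Returns (kept_rows, dropped_names) so the removal can be recorded."""
    kept, dropped = [], []
    for row in rows:
        left = row.get("left_club") or ""
        if left and date.fromisoformat(left) + retention < today:
            dropped.append(row["name"])
        else:
            kept.append(row)
    return kept, dropped


def minimise(rows, purpose_fields):
    """Keep only the columns needed for the stated purpose, refusing to
    release sensitive fields even if they were requested."""
    forbidden = set(purpose_fields) & SENSITIVE_FIELDS
    if forbidden:
        raise ValueError(f"sensitive fields not allowed in extract: {sorted(forbidden)}")
    return [{k: row[k] for k in purpose_fields} for row in rows]


def build_extract(csv_text, purpose_fields, today):
    """Parse the export, apply the retention policy, then minimise columns."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    kept, dropped = prune_retention(rows, today)
    return minimise(kept, purpose_fields), dropped


def to_csv(extract, fields):
    """Serialise the extract back to CSV for handing to the volunteer."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    writer.writerows(extract)
    return out.getvalue()


def run_demo():
    """A team captain only needs names and phone numbers for match-day
    contact; run the pipeline on the sample as of 25 May 2018."""
    return build_extract(SAMPLE_EXPORT, ["name", "phone"], date(2018, 5, 25))


if __name__ == "__main__":
    extract, dropped = run_demo()
    print(to_csv(extract, ["name", "phone"]))
    print("removed under retention policy:", dropped)
```

Run against the sample, the extract contains only Alice and Carol with name and phone, and Bob (who left more than a year before the run date) is listed as removed so the deletion can be recorded. Asking for `medical_notes` in the extract raises an error rather than silently copying health data into a spreadsheet.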
Useful Free Resources
Information Commissioner's Office (ICO)
"The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."
Need some help?
If you'd like to chat about how to prepare your club for GDPR with teamo then please book in a time to chat with us via the link below:
Book a time to chat