The GDPR deadline has come and gone and although General Data Protection Regulation is no longer making the main news headlines, sports clubs across Europe still have a responsibility to ensure that they are securely storing and processing personal data of members and volunteers (and anyone else they hold data for).
A question we regularly get asked is “Does GDPR apply to sports clubs?” – the answer is “Yes it does!” and although the May 25th deadline has passed, it’s never too late to start your club’s journey to GDPR compliance. Here are eight steps we recommend to help ensure your club is compliant.
1. Pinpoint your data
Think about any data you collect about club members – where is it currently stored? Do you use a cloud-based sports participation management system or is your member data all on paper? If it is in the cloud – a single, centralised record is preferable, so all your data is kept in one place. If you manage it all on paper – are you satisfied that you can access all membership forms, payment records, cheques awaiting lodgement, club lottery ticket stubs etc. and that all of this data is stored securely?
If you use a cloud-based platform, are the platform providers (as a data processor) able to demonstrate GDPR compliance – the onus is on the club (as data controller) to be satisfied that they are!
Knowing where data is stored is a vital step to GDPR Compliance – next is what you do with the data when you have it.
2. Ask why do you hold the data?
The most obvious reasons for sports clubs to gather personal data are to process club memberships and raise funds (e.g. raffle, lotto) – but what about volunteers? Do you collect and store police vetting forms, coaching qualifications, first-aid qualifications? Where do you hold emergency contacts (e.g. doctor, clubhouse maintenance). The data you hold, the purpose for which you intend to hold it and the duration for which you intend to hold it must all be clear.
Clubforce is the most comprehensive membership and fundraising platform available to sports clubs. We recently released a single dashboard for reporting on membership and volunteer status called ‘Single Member View‘ – other online platforms may have something similar. If you use another online platform, ask them how this member and volunteer data is stored and presented.
3. Identify who is responsible?
Club officers are ultimately responsible for how data is gathered, stored and processed. This is a big responsibility but needn’t be a burden – especially if you can minimise paperwork in collecting data and keep all the personal data stored in one place.
Club registrars and other volunteers (e.g. lotto administrators) who collect data should be aware of how to collect, transfer and dispose of data in a secure way and also to ensure that they have sought the permission of the data subject for the specified purpose (e.g. taking personal details to play the club lotto).
4. Getting consent
Whatever the intended purpose of data processing, you must get consent from the person for whom you are gathering data – or their parent/guardian in the case of a child. This is a simple step to take but it’s important to be able to show where and when consent was granted.
5. Members Rights
Members have the right to access, update or even delete the data the club holds. Consider what that would entail at your club – is it a simple process to show them all of the data the club currently holds on them? Or would you have to trawl through paper files to firstly FIND their data, before deciding how you would update or securely delete it.
6. Data Security
This ties into the first point of where the data is stored. If all member data is stored in a clubhouse – what happens in the event of fire, vandalism or theft? Is there a copy of records stored elsewhere. Imagine the size of the task involved in creating your entire member data record from scratch – this scenario may be extreme but these things can happen!
Managing your sports club data online via a secure online platform is the most efficient way of ensuring your data is stored centrally and securely. It also gives members, volunteers and parents peace of mind, knowing their data is secure.
7. Take Care Sharing Telephone Numbers
People can be very slow to share mobile phone numbers – but may reluctantly to do so to get notifications on training schedules and matches for their children’s sports club via What’s App or a similar service. But who monitors when access to these numbers ceases?
In a simple example scenario, phone numbers get shared with this year’s Under-10 coach – next year he/she is no longer coaching/volunteering at the club but still has these phone numbers on his phone. The onus is on the club to ensure that these telephone numbers are used solely for the purpose for which the data subject (in this case the parent) intended when sharing. How does your club currently handle this potential data breach?
The release of the Clubforce App in 2019 is designed to help club’s meet this challenge – give us a call on 091-506048 to learn more!
8. Prepare for the worst
Club’s (rightly!) take out insurance for all sorts of things (player injuries, clubhouse fires etc.) but are not always as quick to safeguard member data. Yet the penalties in place for negligent data management are potentially far more significant than the costs of not being insured.
Your club should also have devised a policy for handling a data breach. If a breach happens, the club is obliged to inform the Data Protection Commissioner of the breach within 72 hours and failure to do so can result in a significant fine. Demonstrating that you have taken steps to mitigate the risk to members and volunteers is an important step towards being compliant.
If you would like to learn more about how Clubforce can help you to manage your membership, fundraising and club data in a secure, compliant cloud-based platform, get in touch below!