As clubs collect and process personal data in processing club membership, every sports club is considered a Data Controller under the General Data Protection Regulation (GDPR). This places obligations on club volunteers to ensure that the personal data of club members is processed in adherence to the 7 key principles of GDPR as outlined below.
Data Controllers are expected to be advocates of GDPR work practices, be constantly vigilant and sensitive to the data protection rights of Data Subjects (i.e. club members and club administrators) and for certain
clubs, the integrity of customer and employee data residing on internal business systems and those externally operated by their supply-chain partners.
Under Article 5 of the GDPR Directive, Data Controllers are obliged to adhere to the following principles:
1. Lawful, Fair and Transparent Processing
Data Subjects must be made aware of what they are signing up for, what data is processed and to what extent it will be processed.
2. Purpose Limitation
Processors need a limited legitimate purpose to process personal information in the first place. Data should be collected for a specified and legitimate purpose and not processed further without obtaining permission.
3. Data Minimisation
Only the data that is needed for the immediate purpose at hand should be collected.
4. Accurate and Up to Date
Processes need to be in place in order to keep data current and clubs should maintain an accurate record of the information collected and the source of that information.
5. Retention Limitation
Data relating to members should only be kept in a form which permits identification of members for as long as is necessary for the purposes for which the personal data are processed (e.g. duration of club membership).
6. Confidential Safe and Secure
Physical & IT security mechanisms must be used to protect both electronic and paper records.
7. Accountability and Liability
Organisations must be able to demonstrate to Data Protection Commission (DPC) inspectors precisely how they comply with GDPR.
For more details on these principles of data protection as per the GDPR regulation, please refer to the Data Protection Commission website.
Need help with getting your club GDPR ready?
Clubs as data controllers need to be careful about how they collect data, process data and how readily they can rectify personal data if requested to do so by a member. The 7 principles outlined above add a great deal of responsibility to club officials. Take an example of collecting membership information through paper forms – who has access to these forms and where are they stored? If your club wants to be GDPR compliant, a central sports club participation system like Clubforce can help to ensure that your club has complete oversight of club member data at all times and doesn’t have to worry about paper forms going missing.
If your club would like to receive a free data controller protection notice template document or would like to know more about how the Clubforce app helps you with GDPR compliance, please get in touch by filling out the form below.