Does this apply to our club?
GDPR applies to any “data controllers” or “data processors”. Those are technical terms but, in essence, if you collect any personal data in the running of your club (which you will do if you have any members) then the regulations (GDPR) will apply to you.
My club is only a small one with a few members. Surely this won’t apply to me?
Although the risk is lower, if you collect and store any personal data you will have to manage the data in accordance with strong data protection principles.
What are the key things to consider for rowing clubs?
The principles of data protection are outlined below. All clubs need to ensure that:
● Personal data is captured and maintained in a secure manner
● Individuals are made fully aware of what data is captured and what it will be used for
● Explicit consent is given by the individual (for under sixteens this will need to be sought from parents) for the club to hold data
● Data is updated regularly and accurately
● Data is limited to what the club needs
● Data is used only for the purpose for which it was collected
● Data is used for marketing purposes only if the individual has given the club consent to do so
● Individuals’ data is kept only for as long as it is necessary
● An individual can request a copy of the data held at any time, and this must be provided
What if my club organises events?
If your club organises events that require the capture of personal information, you will need to comply with the regulations by seeking the explicit consent of all participants, being clear about what the information will be used for, and stating who will be responsible for managing the data captured. In the case of British Rowing affiliated competitions, the BROE2 entry process will manage the consent process for every competitor; however, if you use a regatta management software solution, you will need to ensure that it complies with the regulations.
Does all this only apply to data that is held digitally, e.g. on a computer, or does it cover paper records?
Personal data collected manually and stored in files as a hard copy still has to be managed in accordance with the data protection regulations, so this may be a good opportunity to review filing systems and to limit the amount of paperwork you have to manage. As you can imagine, some of the legislation is more difficult to implement in relation to paper copies. For example, privacy of data is key to the GDPR. Paper documents can get into the wrong hands easily, and this could easily become a data breach. Transportation of data in any format (including paper) should be seen as a threat to information security. One small slip and it’s too late – an individual leaves sensitive paperwork on a train, a courier loses an archive box full of payment records, a member of the committee has files stolen from their car. These are all real-world situations where paper documents can get into the wrong hands.
My club keeps its membership records “in the Cloud” (e.g. via shared files on Dropbox or Google Drive, or via a bespoke or commercially available membership system). What should I do about that data?
Data security is key. When storing anything online, protect yourself by keeping passwords safe and by encrypting files that contain personal data. Services such as Dropbox, OneDrive and Google Drive have built-in security measures that protect files while they are in storage or being shared. When using third-party software, ask the provider for assurances about the security of the system: for example, ask for an explanation of how data security is managed, or ask whether a Privacy Impact Assessment has been undertaken.
I looked at the impact of the existing UK Data Protection Act on my club and am happy that my club is compliant, so what else do I need to do?
You will need to tell people about what you intend to do with their data at the point you collect it and not at some later date. You also need to seek explicit consent that you can evidence.
All clubs should already have a privacy statement and policy; this sets out, for an individual who is providing you with data, exactly how that data will be used. If someone isn’t clear about this, or you do not manage data in accordance with the policy, you are increasing the risk of breaching data protection laws.