How does GDPR affect my sports club?
GDPR (General Data Protection Regulation) is a significant change to the law relating to personal data, enforceable from 25 May 2018, that every sports club needs to be aware of.
Its aim is to protect EU citizens from data and privacy breaches and requires all organisations – including UK sports clubs – to comply with stricter requirements on the storage and processing of personal data.
What does ‘personal data’ mean?
You may see personal data referred to as ‘personally identifiable information’ or ‘PII’ and that includes all of the typical things that a sports club might routinely collect on its members (or anyone for that matter) like name, address, email and location.
Essentially, all data collected and stored by a club, or someone acting on behalf of a club, about a person that can be linked directly to them falls under GDPR.
The financial penalties for not conforming are up to 20 million Euros or 4% of worldwide revenue (whichever is higher) so for a sports club, it’s vital to understand and to act now.
Controllers, processors and subjects
There are three terms that you will see in relation to GDPR that are important to get right:
- A ‘controller’ determines the purposes and means of processing personal data – a sports club would be a controller in relation to the personal data it collects on its members and others.
- A ‘processor’ is responsible for processing personal data on behalf of a controller – as a third party, Pitchero is a ‘processor’ in relation to the sports clubs using its platform.
- A ‘subject’ is a person whose PII is being processed or controlled – an example would be a player at a sports club whose membership details are stored with them.
Key GDPR demands relevant to sports clubs
- Access and rectification – On request, clubs have to provide individuals with a copy of their personal data within a month.
- Correction – A person can ask for inaccurate data to be changed.
- Deletion – An individual has a ‘right to be forgotten’ so remove personal data, if there is no strong reason to keep it.
- Restriction – In some circumstances, there is scope to be asked to suppress personal data which means a club could hold but not use it.
- Portability – Individuals can obtain and reuse their personal data for their own purposes across different services.
- Objection – An individual can object to a processor (the sports club) collecting, storing or deleting data, even if the club believes they have a legitimate reason to do so.
- Automated decision-making and profiling – an example might be advertising-targeting (not something that is likely to be relevant to a sports club but important to know and act on, if necessary).
Peace of mind with Pitchero
All sports clubs using Pitchero can be safe in the knowledge that the company will be fully GDPR-compliant by the deadline.
Sports clubs using Pitchero can also take advantage of a range of GDPR-related tools. Club websites can now add their own terms and conditions, privacy and data policies. That can be done via the Dashboard > Site Content > Policies.
Once the text is added and saved, it will appear under the ‘Policies’ link at the bottom of a club’s homepage.
Furthermore, Pitchero has a GDPR toolkit that highlights some of the steps you should consider taking to achieve GDPR compliance for your organisation’s website including an updated privacy and data protection policy.
Pitchero resources include video consent forms as the explicit consent of an individual to give their permission for a sports club to hold their PII (that includes photography and video) is a cornerstone of GDPR.
Online and offline
Crucially, sports clubs must make sure that all of the personally identifiable data they collect, both online and offline, is suitably catered for. So, whether it’s email, cloud storage like Google Drive or paper records in filing cabinets in the clubhouse, the same rules apply.
Read Pitchero’s GDPR page and refer to the Information Commissioner’s Office (ICO) that has its ‘12 steps to take now’ checklist.
There are many complex questions that organisations are tussling with. However, a sports club should begin with considering the life-cycle of a piece of data – how is it collected, stored, used and deleted? How are people informed of its collection and use?
In addition, what’s the legal basis for ‘processing’ that personal data and how long is it stored? Once a club’s data processes are understood, a club should appoint a person or team to update GDPR procedures.
Pitchero will continue to offer advice and support to all of its sports clubs to prepare them for GDPR and there will be further articles and updates to follow.