Did you know that since the General Data Protection Regulation (GDPR) came into force in May 2018, data breaches have become far more likely to be reported? Partly that is because organisations are now obliged to notify the ICO of breaches that put people at risk, and partly because people are more aware of their right to control their own data; which is exactly the reason the regulation was brought in!
As we predicted, the spotlight has very much been on the ‘big boys’ such as British Airways, who have been faced with huge fines for non-compliance.
We know comparing large companies like British Airways to local sports clubs seems silly, and there is specific guidance available for charities and small organisations. But the fact is, both kinds of organisation have one thing in common: they handle people’s data.
These larger organisations will have dedicated teams looking after GDPR. We know what you’re thinking: as a club whose coaches may also have full-time jobs and very busy lives, how do you keep on top of GDPR with few resources? And how do you do this while still running your club?
In order to avoid large fines that could see your club forced to close, and to protect your members’ data, you need to manage that data correctly… and efficiently. When you do your club admin manually, working with GDPR can become very difficult. If you’re thinking, ‘well, what’s the other option?’, sit tight, read on and assess your current processes.
Why is data security important?
GDPR has given people more control over what organisations do with their personal data. Your members’ data is incredibly important, and it should be your club’s priority to have an admin system in place that protects it.
Realistically, poor security and the loss of your members’ data could lead to many awful consequences, such as safeguarding issues, financial fraud and identity fraud.
Having a data breach or failing to comply with GDPR could result in large fines for your club. Do you think your club could survive?
How do you store data at the moment?
GDPR doesn’t dictate how you store data, but electronic records are by far the easiest to view, secure, search and amend, which is why they are generally treated as best practice. At the moment, the two most common types of club owner we see are:
1. Spreadsheet user
If you’re still using spreadsheets, although they are technically ‘electronic’, have you ever thought about the consequences of using them? You should be thinking about how easy your spreadsheets are to access, where your laptop or computer is kept at all times, and what security is in place, both electronically and physically.
GDPR doesn’t prescribe specific security measures, but it does require you to put ‘appropriate technical and organisational measures’ in place (Article 32), and it’s your responsibility to decide what is appropriate for the data you hold. Is your laptop password protected? Is the disk encrypted? Is your spreadsheet password protected, and is a copy sitting in someone’s email inbox or a shared drive? How easy would it be for someone to get into? What would the risks be if they did? What would you do?
2. Completely paper-based user
It still shocks us how many clubs are literally still hand-writing their registers each week. Not to mention keeping hand-written copies of people’s personal data, which they and their coaches lug around to training with them.
There are so many security implications surrounding paper-based club admin. What happens if a folder is stolen or left on a bus? Where are folders stored outside of club hours? What level of security does that location have? And how would you even know what was in a folder that went missing, so that you could tell the people affected?
Managing data and keeping everything up to date on spreadsheets/paper-based admin is also super time-consuming! Our users tell us they saved hours of time when they finally switched to digital software; and this is just from not having to update information across all the various platforms they used to use.
How can your members view their own data?
Under GDPR, your members have the right to request a copy of the personal data you hold on them. They would submit a data subject access request (DSAR) and you would normally have one month to respond with all the personal data you hold, along with an explanation of why you hold it and who you share it with (the deadline can be extended by up to two further months for complex requests, but you must tell the member within the first month).
What is your current process for subject access requests? Would you need to manually gather all the information you have from spreadsheets, paper records, WhatsApp groups and any other systems you use? How long would this take you? And what would the implications be if a bulk of members put their requests in around the same time? Would you be spending more time on admin than coaching? If a member makes the request electronically, you should provide the data in a commonly used electronic format (unless they ask for something else).
GDPR itself (Recital 63) says that, where possible, you should be able to give people remote access to a secure system through which they can see their own data directly.
It’s a great idea to look at getting on board with a system that allows this, and also where you can manage all other aspects of your admin too (like Coacha). This will be a huge weight off your shoulders and your members will be happy with their freedom to access their data whenever they like.
How can your members amend their own data?
GDPR gives your members the right to have inaccurate information about them corrected (the right to rectification). If they contact you with a request to alter any personal information, you will need to do that in every location where you hold the data, and normally within one month.
This gets time-consuming if you use different systems for different tasks, e.g. a generic list of members, a list of teams, an email list, each coach’s own list of member info, and so on. Plus, with you being so busy, you may end up using a huge proportion of your admin time just amending people’s personal information.
Wouldn’t it be easier to allow members access to a system where they can log in and edit their information themselves?
How do you keep on top of GDPR consent?
Part of GDPR is being open about why you need people’s data and what you’ll do with it (usually through a privacy notice), and having a lawful basis for each use. Running your membership can often rest on the membership agreement itself, but where you rely on consent, for example for marketing emails or sharing photos, that consent has to be specific, freely given and as easy to withdraw as it was to give, and you need a record of it.
But how do you manage this? MORE forms? How do you keep on top of who has/hasn’t consented, especially if they’re existing members? Some systems (like ourselves) have GDPR consent built-in. This means that when a member joins your club, they will automatically have to give GDPR consent, otherwise their data cannot be stored in your club account.
Not only that, but if they try and withdraw their consent, you will be notified immediately.
How do you handle children’s data?
Children’s data gets specific protection under GDPR, because children are less aware of the risks involved. Where you rely on consent for a child’s data, it needs to come from a parent or guardian (in the UK, for online services, this applies to children under 13), and safeguarding guidance means that communications about a child should go to the parent or guardian rather than to the child.
How do you ensure this is a careful process at the moment? Is it just a case of getting parents to fill in a form and trying to contact the parent (instead of the child) by memory?
Ideally, clubs should be using a system whereby the parent consents to communication and to the child’s data being held from the start. Coacha even ensures that no child is ever contacted directly if they are underage. The system automatically directs messages to the next of kin (NOK) in this instance, so you can be confident that your members’ data is being fully protected.
What would you do in the event of a data breach?
If personal data is lost, stolen or compromised, it’s classed as a personal data breach. A breach must be reported to the ICO within 72 hours of becoming aware of it, unless it is unlikely to put people at risk, and the members or parents whose data is involved must be told without undue delay where the breach is likely to put them at high risk. Either way, you must keep a record of what happened and what you did about it.
Organisations can be fined up to 2% or 4% of annual worldwide turnover (or a fixed sum, currently £8.7m or £17.5m under UK GDPR, whichever is higher), depending on which obligation was broken. Failing to report a breach when you should have is itself a separate breach of the regulation.
For a relatively small sports club, a fine anywhere near this scale could mean the end.
So, how do you make sure you get GDPR right?
We quickly found out that with GDPR there is no hard-and-fast right or wrong for many aspects. Much of it comes down to your own judgement of what is ‘appropriate’ for your club, which makes it really difficult to be confident in your processes.
One thing that we’ve picked up on, is that clubs feel much more organised and in control if their data is stored within one electronic system.
We built our software, Coacha, specifically around GDPR, allowing our clubs to have confidence in:
• The highest level of data security possible
• The ease that their members/parents feel when they can instantly access their own data via a Member Portal; because it’s all kept within one safe and secure system
• Likewise, with amending their data
• The compulsory GDPR consent that protects your club and its members
• Exceptionally safe handling of children’s data (working alongside NSPCC CPSU guidelines)
We think the overall key factors to working confidently alongside GDPR are knowledge, organisation and keeping in control.
A GDPR fine could mean the end for a lot of sports clubs, so we made it our mission to build our whole system around making it easier for you to manage your members’ data alongside the regulation.
If you have any questions about how we could help further, be sure to get in touch today. We like to think that by using Coacha for your club admin, you’d swiftly turn a news headline from ‘Sports club goes bust over data breach’ to ‘Local club revolutionises GDPR efforts’.
Which one would you choose?