If we’ve been on your radar for at least the last few months, you’ll have heard us talk about GDPR and the three-step process to ensure you’re working towards ultimate compliance:
Step 1: We firmly believe that by using Coacha2.0, you’re working towards up to 75% of your ongoing compliance. This is largely because you’re demonstrating an ongoing attempt at a commitment to compliance.
Step 2: Legal and compliance documentation. These are manual processes that need to be completed by the club owner. We believe they account for approx. 20% of compliance.
Step 3: Leaving approx. 5% unaccounted for, as GDPR is subject to change, especially once precedents have been set by case law.
Officially, ‘compliance’ is expected from 25 May 2018. However, the ICO say that they are a “fair and proportionate regulator” so they should have consideration for organisations (such as sports clubs) that are genuinely making the effort to comply now and in the future.
Are there GDPR templates I can use?
We often receive phone calls asking if Coacha will ‘cover’ the caller’s sports club under GDPR. We go on to explain the above process to them, to which the next question is usually ‘so what documentation do I need exactly?’. You can produce your own, but Sport England have released a really helpful pack of free templates and guidance notes. You can click here to head over to their website to access them.
Whilst using Coacha will aid with your GDPR compliance journey, there is still the need for you to understand the requirements of the legislation and make a few decisions based on your own circumstances. Once you’ve done this and decided on your policies, using Coacha to run your club’s admin will help you with your ongoing compliance.
In addition, for Coacha subscribers we’ve secured a unique discount for the portal run by Markel Law, a large legal firm, which gives you access to all of the documentation you need to work towards GDPR compliance.
In addition to the documentation, our subscribers will also benefit from features such as:
• Discounted access to a solicitor via a pay-as-you-go telephone service.
• Additional non-GDPR related tools and documents e.g. cyber security, proper.
• Live chat available Monday-Friday
• Expert resources from award-winning lawyers
You can find out more by getting in touch.
A breakdown of Sport England’s Guidance
Whilst we are trying to help sports clubs to understand GDPR, it is quite a complex subject. Sport England, being the English Sports Council, ultimately have the best advice and guidance to give to the sports world, be it at NGB level or grassroots club level. They have worked with The Sport and Recreation Alliance to produce a suite of GDPR-specific templates and guidance.
To follow is our view on the implementation of these templates and the related guidance. There are 18 documents they have available, and we’ve highlighted those that we think need your most urgent attention. You should however look over them all, if not before 25th May, then as soon after as you can.
Please remember that our view is exactly that – it’s our view and interpretation of what should be done and when. However, it’s for you to decide what is best for your own unique situation.
GDPR Compliance Questionnaire
A fantastic starting point to get your head around GDPR and what it means to your club. The introduction on the document says it all really:
The Sport and Recreation Alliance has produced a range of resources, advice notes and templates to help you on your journey towards compliance with the General Data Protection Regulation (GDPR).
This compliance questionnaire is designed to help you ask the right questions as you think about how your organisation uses personal data and whether you comply with GDPR.
The checklist of things to consider within each section should be seen as suggestions of measures and processes that might be relevant for your organisation to consider, rather than as an exhaustive list; the more broadly you can think about each question, the more helpful this questionnaire will be.
This is one of the most important pieces of information, and you should look at completing it as soon as possible. Sport England & The Recreation Alliance also point out that not every point in these documents will be applicable to you, so edit them down to meet your club’s needs.
Data Protection Policy
This is essentially an overarching policy that you can base your own policy on as you start your approach to GDPR. There are three documents on the subject with the main ‘Standard Club Data Protection Policy’ being the one for you to personalise. Whilst these are quite detailed they’re well worth a read.
There’s guidance offered on appointing a Data Protection Officer (DPO), but as we mention in our free GDPR guide, we believe that most sports clubs will not need a DPO. The ‘Advice note on Accountability’ is a must-read too, as it discusses how just having policies in place won’t be sufficient should the authorities. You need to be able to demonstrate you have active systems and processes to back them up – regularly using a piece of club management software such as Coacha, for example.
Individual Rights Documentation
There are four documents covering individual rights. It’s quite a bit of information as an individual’s rights are at the very heart of GDPR. They are:
• A template to use for a ‘Subject Access Request’
• A template to use for a request for the ‘Right to be Forgotten’
All of the personal data stored in Coacha2.0 will be accessible to members and parents through Coacha’s member portal. Naturally, it won’t be possible to send any data that isn’t contained in Coacha.
Sports clubs are ultimately responsible for sending anything that is stored on computer hard drives, tablets, phones, other software, emails, printed documents and so on. So, the more info you can get stored in one place (such as Coacha), the better. Remember that this includes any data your coaches and helpers have too.
Data Protection Impact Assessment (DPIA)
Although not covered in its own document, DPIAs are mentioned in the Compliance Questionnaire and the Data Protection Policy document. They help you identify weak spots in the way you handle your information. You can receive a free DPIA template by signing up to our mailing list here.
We are conscious that the ICO’s guidance suggests that a DPIA should be carried out whenever new technology is used (such as Coacha). We think that goes beyond what the GDPR requires but could nevertheless be considered as ‘best practice’. So, if you have time to complete a DPIA that would be to your advantage should the ICO check up on you at all.
Direct marketing under GDPR
A big part of GDPR is to ensure that individuals have greater control over their data, and this includes the type of information they receive from you. Sport England have not only outlined the finer detail of direct marketing, but also provided some ‘copy and paste’ examples of wording that you can use.
Advice notes, guidance and additional documents
In addition to the templates provided, Sport England and The Sport and Recreation Alliance also offer advice notes to help with specific elements of GDPR:
• Advice note on data breaches and self-reporting
• Guide to Data Subject Rights, including Subject Access Requests and Right to be Forgotten
• Advice Note on Data Protection Officer appointment
• Advice Note on Direct Marketing
• Advice Note on Data Transfers Outside of the EEA (note that if you are using Coacha, all data is stored in the UK and backed up in the UK; it is never transferred)
• Transferring And Processing Data - Standard External Data Processing Agreement – middle ground approach.
• Transferring And Processing Data - Data Transfer Agreement – Outside the EEA
Note that these last two documents acknowledge that these agreements are only applicable ‘where commercially feasible to do so’. Any data processor acting on your behalf should have GDPR-compliant processing processes.
Above all else, don’t panic.
The above does seem to be very overwhelming if you have only just started looking at GDPR for your club – but you are not alone by any stretch of the imagination. The ICO recognises that only a third of UK organisations are ready for GDPR at the moment. Therefore, as long as you can prove that you’re working towards GDPR compliance, leniency is expected should they come knocking at your door.
The GDPR regime is largely complaints-driven, which means that you need to minimise the potential for complaints being made against you. Make a start on your documentation as soon as you can and ensure the public-facing documents are squared away first.
Using Coacha 2.0 will vastly help you with your ongoing GDPR compliance. As mentioned above, you need to be able to demonstrate you have actual processes in place to back up the policies you develop.
Subscribing to your free trial now (which gives 30 days free so why wouldn’t you?!) with the intention of using Coacha2.0 will, we believe, also demonstrate to the ICO that you’re taking GDPR seriously.
The Legal Stuff
The content of this article is intended to provide information to help you with the subject matter and is not to be regarded as a substitute for consultation with a legal specialist who can advise you with a focus on your specific circumstance. Specialist advice should be sought about your specific circumstances.