Update Feb 2018: as the ICO themselves state, the GDPR is a ‘living document’. This means guidance and recommendations are still evolving as we get closer to 25th May 2018. Whilst this article is still entirely relevant, we recommend that you download our Free GDPR Guide for Sports Clubs. And we urge you to come back regularly and download the latest version as we update it as soon as we hear anything new that’s important.
GDPR in sport – How will it affect your club?
If you read our last, uber-serious post outlining GDPR and what will be expected of you come May 25th, 2018, you will have gathered that the EU isn’t messing around when it comes to new data protection laws. You may be wondering why, post-Brexit, this still applies to us. Well, the UK is still abiding by this new law as its data protection law hasn’t been renewed in nineteen years!
Our last post was very ‘official’ and whilst it wasn’t our intention to make you panic, we needed to be open and honest. We want to ensure that by next year, you are fully aware of the changes GDPR will enforce, and the implications it will have for coaches/club owners/managers like you. Although May 2018 seems a fair distance away – it’s not. You’ve got just eight short months to get your club whipped into shape and ensure its operation is compliant with GDPR.
To recap, GDPR is all about redressing the balance of power by empowering the individual and depowering organisations. Individuals will get more say in what happens to their data. Although this seems like a lot of work for you and your club to facilitate, think of your own personal data; what happens to it when it’s no longer needed? How easy would it currently be to get your data deleted from an organisation’s database? Fed up of those pesky automatically ticked check boxes that unknowingly opt you into passing your data on to third party companies? GDPR will control these things and give you more rights, so it’s only fair that your club members get those rights, right? Right.
If you’re feeling slightly overwhelmed, try not to worry because we’re using our platform to share every piece of advice and guidance that we come across to make your lives easier and help you get closer to becoming GDPR compliant.
The GDPR is aimed primarily at ‘big boy’ organisations such as Facebook, Google, Twitter etc. However, the new regulations will apply to all organisations, no matter how big or small, so there are no excuses for non-compliance.
We think the number one priority for sports coaches for now is to understand what you’re doing with data and why you’re doing it – these are the big questions to get you thinking. If you don’t already, it may be a good idea to document this, because when GDPR comes into place, you will need to provide your club members with a privacy notice. Some of you may have this on your website already; you’ll need to update it to fully comply with GDPR. It should state:
• Who you are
• What you are going to do with their information
• Who it will be shared with
Although under GDPR there are more things to tell people, these are the basics and you can find out how to write a privacy notice in conjunction with GDPR here. Some companies with a large online presence, for example the BBC, have their privacy policies documented online so that they are automatically available for the public.
It’s probably a good idea to get in touch with your national governing body (if you have one) and seek their advice. For example, British Gymnastics are running free GDPR courses and workshops in different regions over the coming months.
We think the main thing to realise is that ignorance is not bliss and, ultimately, the responsibility stops with you as an organisation to be aware of GDPR and comply.
Getting yourself clued up
Here at Coacha, we’ve put a lot of time and effort into researching and understanding GDPR and how it will affect the way your club runs. We believe that the main areas to get clued up on from a sports coach perspective are as follows:
• People requesting a copy of the data that you hold on them
• Ability for your members to change their data and the need for you to amend your records
• The right to be removed/forgotten
• Deciding what data is essential
• No more automatically ticked opt-in or unticked opt-out boxes
• The new ‘VAT-Man’
• Data security
• Team awareness
• Data protection officer (DPO)
People requesting a copy of the data that you hold on them
Under GDPR, your members will have ‘right of access’ to their information. This is so that they are aware of and can verify the lawfulness of the processing. You will now need to provide this information for free instead of charging the previous £10 ‘subject access fee’, chargeable under the Data Protection Act. You can charge a ‘reasonable fee’ if a request is manifestly unfounded, excessive or repetitive.
The current Data Protection Act (DPA) allows you 40 days to comply with such requests. GDPR will only allocate you one month. Failure to provide the data within this timeframe means that the requester can report you to the Information Commissioner’s Office (ICO) which may result in you paying a penalty fine.
As part of GDPR you need to demonstrate that you have a system in place for when these requests occur. If it’s feasible, you could provide access to a secure self-service system where your members can log in and view their information by themselves. However, we know this may be as practical as expecting all your athletes to show up for training on time, so whatever plan you put in place, make sure it’s efficient.
If you use a data/sports management system, you will need to contact the software provider and see if it’s possible for them to send a copy of the member’s data to you. You can then forward it on to your member. However, it’s essential that this is done in a secure way (using encryption if possible), and not just as an insecure attachment to an email.
Depending on which sports club management software you use, this won’t always be possible.
Ability for your members to change their data and the need for you to amend your records
If a member’s profile is inaccurate, outdated or incomplete, they can request that their data is corrected. If any of this data has been disclosed to third parties e.g. for an upcoming event, you must let them know. You need to respond within one month.
You should have a system in place for when this happens to ensure the relevant members of your coaching team know the process they should undertake. We’d highly recommend that your team inform you of any such requests and that you nominate a trusted and responsible member of your team to deal with these correctly. Ideally, as senior coach and/or club owner or manager, you should oversee these requests yourself.
The right to be removed/forgotten
This means that when there is no longer a reason for you to keep a member’s information, e.g. if they leave your club, and they request it, their personal data should be deleted. Your members have the right to be forgotten in specific circumstances which you can find here.
Under current laws, a member could have their data deleted if the keeping of it causes unwarranted danger or distress. This is not the case under GDPR, but if keeping their data does cause danger/distress, this will make the case for deletion stronger.
GDPR has placed more weight on the protection of children’s information, especially online. You must always ensure that your young athletes are fully aware of the risks involved in the processing of data at the time when consent is given. Again, you must inform third parties to ensure the deletion of their data too.
You should plan how you will handle such requests so that you are prepared for when GDPR comes into place. If you use a club management system (software dependent), this will hopefully be a relatively easy process as all their data should be located in one place. However, in some cases this may not be an easy process, so it’s worth checking with the software provider before committing to a subscription.
It’s worth noting that you should consider retaining information on people where there may be a need for historic health, medical or behavioural information. For example, if someone has an accident whilst a member of your club, they could come back to you in the future with a claim for future ill health. Unlikely, we know, but it has happened, so be very careful about anything you quickly delete and why.
Deciding what data is essential
You should require the minimum amount of personal data necessary to achieve lawful processing purposes under GDPR. Now don’t panic, we’re sure that all the data you’re collecting is completely relevant, as long as you’re not asking members for their NHS number and Great Aunty Betty’s apple crumble recipe as part of the sign-up service.
You should be reviewing your existing data collection and consider what needs changing to comply with these restrictions. How much, and what, information do you realistically need to be able to deal with your members effectively?
No more automatically ticked opt-in or unticked opt-out boxes
With websites, emails and other digital communications, GDPR will put an end to the typical ‘untick this box if you do not want to receive further information and offers from us’. There need to be specific actions that people take to consciously ‘opt in’ to receive information from you. It is for you to decide the types of things that you will be sending out to people.
You must ensure that you are using positive opt-in boxes or other active opt-in methods like:
• Signing a paper consent form
• Selecting from yes or no options
• Responding to an email requesting consent
• Answering yes or no to a clear oral request
The new ‘VAT-Man’
The ICO is expected to grow its staff by 40% in the next few years to help with the new GDPR guidelines, including lawyers, investigators and specialists. This team will need to be paid for, and with government funding coming to an end, the ICO will need to be entirely self-sufficient. How will they achieve this? By charging data controllers a fee, but also by fining organisations falling foul of GDPR.
Whilst big organisations that process lots of personal data (such as Google or Facebook for example) will no doubt be high on the agenda, some believe that smaller organisations are also at risk. Whilst bigger operations will mean bigger fines, some experts are saying that the ICO may follow up lots of smaller complaints about smaller organisations. This will result in lots of smaller fines being levied, which in turn add up and all contribute to the costs of running the ICO.
Some are suggesting that the ICO will essentially be the new ‘VAT-Man’ and will have powers at its disposal to look into an organisation’s systems and processes. It could even prosecute them if what it finds isn’t up to scratch, so organisations could expect visits/audits as well as potentially substantial fines in the near future.
Data security
Security of data has always been a huge issue for any organisation and the GDPR builds on this.
Even the largest and most established of organisations with the strongest of security protocols cannot prevent data breaches 100% of the time. Just look at the US government data breaches, where, in the largest, over 191 million voters’ personal data was exposed. However, how you detect and respond to a breach could make the difference between being GDPR compliant and receiving a hefty fine.
SecureWorks have proposed a 4-step guide to making sure that an organisation’s security measures (your club’s included) work towards compliance with the GDPR and not against it:
1. Know your data (what is covered, where it’s held and who you share it with)
2. Assess your current state (review your current systems and how they do or don’t comply with GDPR)
3. Build the programme (in accordance with GDPR)
4. Test, operate & manage
Team awareness
All your fellow coaches and helpers need to be made aware of the law change to GDPR to ensure they know what’s going on. They need to know why this is happening and what you as a club are doing to ensure compliance. The risks associated with non-compliance should be explained to them in detail, and it’s your responsibility to ensure that they are all on board.
As mentioned already, we’d highly recommend that your team inform you of any such requests and that you nominate a trusted and responsible member of your team to deal with these correctly. Ideally, as senior coach and/or club owner or manager, you should oversee these requests yourself.
Data protection officer (DPO)
Depending on the size of your club, the ICO state that a DPO may be required, who would be like a safeguarding and/or health and safety officer in terms of responsibility. It’s important that they have the knowledge and support they need to do their job efficiently. You can find out in what circumstances you would need to allocate a DPO here.
For most sports clubs, this responsibility will fall at the feet of the club owner, manager or lead coach. As we know, these are often the same person: the same person who also has to cover health and safety, safeguarding, admin and finance roles.
The points we’ve pulled out in this article are, we believe, the most relevant to sports clubs and organisations. Although there are still vital aspects of the GDPR that are yet to be finalised by the government, there’s no reason why these can’t be addressed now. The introduction of the GDPR might seem daunting at this point, we know; but we think you should relax, take a breath, grab a cuppa and brainstorm.
Re-work through the steps in this article, taking one step at a time. Once you’ve considered the implications of one and what you need to do, you can move on to the next until they’re all completed. Starting this process sooner rather than later will stand you in good stead for GDPR compliance, rather than leaving it until the last minute and rushing through the process. Give yourself a head start and remember that May 2018 isn’t that far off.
The legal stuff
The content of this article is intended to provide information to help you with the subject matter and is not to be regarded as a substitute for consultation with a legal specialist who can advise you with a focus on your specific circumstance. Specialist advice should be sought about your specific circumstances.