Guidance for British Rowing affiliated clubs, competitions, Regional Rowing Councils and Associations
What is GDPR and what does it mean for rowing clubs?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
The UK Government intends to incorporate these requirements into UK law under the Data Protection Bill, with the regulations coming into force on Friday, 25 May 2018.
The focus of the regulations is to lay out the way in which all organisations handle personal information. They specify the rights of the individual (the data subject) and the responsibilities of any organisation that captures and stores data that can be identified as personal. This includes names, dates of birth, addresses, performance data – anything that relates to a person.
The Information Commissioner’s Office website is the official source of information about GDPR.
Preparation for GDPR
The Sport & Recreation Alliance have been commissioned by Sport England to create a GDPR toolkit for the sport sector, including specific guidance for sports clubs. This can be accessed for free, and includes guidance, templates and supporting notes to help clubs meet the requirements of GDPR.
We recommend clubs start by working through the Sport & Recreation Alliance’s ‘GDPR Compliance Questionnaire’, which can be found via the link above, and also by undertaking an audit of all personal information held by the club.
This audit should include details of what the data is, where it is stored and in what format, who has access to the data and for what purpose the data is held. The focus should be on data held directly by the club, away from the British Rowing membership platform. This is likely to include membership records, performance data, coach and volunteer records – if the information contains a name, or other information that could identify an individual, it will be covered by GDPR.
As well as auditing the data that is held, clubs should also focus on how the information was obtained and whether this was through explicit consent. Is the data subject fully aware of the information being held (informed) and have they given their explicit consent?
British Rowing is currently undertaking an audit of all information we hold in preparation for GDPR.
Top tips to start your journey to GDPR readiness
Here are a few suggestions to help you get started towards compliance with the GDPR.
1. Understand the journey that personal data takes through your club. What information do you collect, and do you need that information? What do you tell people when you collect it? On what legal basis have you collected it? Where and how do you store that data? What do you do with it? When is it deleted? Answering these questions will allow you to identify any areas of risk.
2. Make sure that your coaches and volunteers are aware of the GDPR and data protection issues, and that they know who to talk to if they receive a subject access request or if there is a breach.
3. Make sure the policies and procedures you have in place help your volunteers deal with data protection issues.
4. Make sure you tell individuals at the point of collection what you will do with their data and when you will delete it.
5. Provide a simple data protection statement that includes a way for your members to contact you should they wish to see the data you hold on them. Make it clear that they have a right to ask for changes should they consider the information you hold to be inaccurate.
6. ICO Guidance
You can find more information on GDPR on the Information Commissioner’s Office (ICO) website here, including the ‘12 steps to take now’ and the ‘Getting ready for the GDPR’ self-assessment tools. The ICO also now offers a helpline. Representatives of small organisations should dial 0303 123 1113 and select option 4 to be diverted to staff who can offer support.
Does this apply to our club?
GDPR applies to any “data controllers” or “data processors”. Those are technical terms but, in essence, if you collect any personal data in the running of your club (which you will do if you have any members) then the regulations (GDPR) will apply to you.
My club is only a small one with a few members. Surely this won’t apply to us?
Although the risk is lower, if you collect and store any personal data you will have to manage the data in accordance with strong data protection principles.
What are the key things to consider for rowing clubs?
The principles of data protection are outlined below. All clubs need to ensure that, for any personal data they hold:
- It is captured and maintained in a secure manner
- Individuals are made fully aware of what data is captured and what it will be used for
- Explicit consent is given by the individual (for under sixteens this will need to be sought from parents) for the club to hold the data
- It is updated regularly and kept accurate
- It is limited to what the club needs
- It is used only for the purpose for which it was collected
- It is used for marketing purposes only if the individual has given the club consent to do so
- It is kept only for as long as is necessary
- An individual can request a copy of the data held at any time, and this must be provided.
What if my club organises competitions?
If your club organises competitions or other activities that require the capture of personal information, you will need to comply with the regulations by seeking the explicit consent of all participants, being clear about what the information will be used for, and stating who will be responsible for managing the data captured. In the case of British Rowing affiliated competitions the BROE2 entry process will manage the consent process for every competitor; however, if you use a regatta management software solution you will need to ensure that it complies with the regulations.
Does all this only apply to data that is held digitally, e.g. on a computer, or does it cover paper records?
Personal data collected manually and stored in files as a hard copy still has to be managed in accordance with the data protection regulations, so this may be a good opportunity to review filing systems and to limit the amount of paperwork you have to manage. As you can imagine, some of the legislation is more difficult to implement in relation to paper copies. For example, privacy of data is key to the GDPR. Paper documents can get into the wrong hands easily, and this could quickly become a data breach. Transportation of data in any format (including paper) should be seen as a threat to information security. One small slip and it’s too late – an individual leaves sensitive paperwork on a train, a courier loses an archive box full of payment records, a member of the committee has files stolen from their car. These are all real-world situations where paper documents can get into the wrong hands.
My club keeps its membership records “in the Cloud” (e.g. via shared files on Dropbox or Google Drive, or via a bespoke or commercially available membership system). What should I do about that data?
Data security is key. When storing anything online you need to protect yourself by keeping passwords safe and by ensuring that files that contain personal data are encrypted. The likes of Dropbox, OneDrive and Google Drive have built-in security measures for the protection of files whilst in storage or in the process of being shared. When using third party software you need to ask for assurances over the security of the system. For example, ask the provider for an explanation of how data security is managed, or ask whether a Privacy Impact Assessment has been undertaken.
I looked at the impact of the existing UK Data Protection Act on my club and am happy that my club is compliant, so what else do I need to do?
You will need to tell people about what you intend to do with their data at the point you collect it and not at some later date. You also need to seek explicit consent that you can evidence.
All clubs should already have a privacy statement and policy. This outlines to an individual who is providing you with data the details of exactly how it will be used. If someone isn’t clear on this, or you do not manage data in accordance with the policy, you are increasing the risk of breaching data protection laws.
The guidance given here is aimed at assisting British Rowing affiliated clubs, competitions, Regional Rowing Councils and Associations with identifying the key areas that should be addressed as a result of the additional requirements arising from the upcoming introduction of GDPR. Many people will no doubt already have considered – and where appropriate have taken specialist advice – regarding the impact of existing UK Data Protection legislation insofar as that may impact their activities.
It is similarly recommended that clubs and associations take appropriate advice if they have concerns or are still in doubt regarding specific issues having read this document. There are some suggestions within this document as to where that advice may be sought, but those should not be viewed as exclusive.