GDPR guidance
The General Data Protection Regulation (GDPR) is the updated law on data protection which came into force in 2018.
The new rules apply to all organisations - not just businesses - including sports clubs. This section of the website guides you through GDPR and provides useful resources you can use at your volleyball club.
This is a living document so will be updated and expanded.
Volleyball England GDPR
As the national governing body of the sport, Volleyball England adheres to GDPR. The organisation's GDPR policies can be viewed in the Policies and procedures box in the Governance section of the site.
Volleyball England's Data Protection Officer is Guin Batten. For any queries relating to GDPR, please email dpo@volleyballengland.org or call 01509 974 700.
What is GDPR?
The General Data Protection Regulation is the updated law on data protection which comes into force on May 25, 2018.
It is a European Union (EU) directive which is also being implemented in the United Kingdom. The aim is to give individuals more protection over the use of their personal data. The new rules set new standards about how personal data is collected, stored and shared.
Who does it apply to?
GDPR applies to organisations - not just companies. So it doesn't matter how big or small your volleyball club is, if it has members then the club must comply with the new rules.
Any personal details your club asks for from players, coaches, volunteers - in fact, anyone associated with your club - must be collected, stored and shared in line with GDPR.
It is important your club understands GDPR and adopts the correct process. The 'GDPR - is my club compliant?' page of the GDPR guidance section of the website explains how your club must handle personal data.
Data breaches and sanctions
Any failure to follow GDPR correctly is classed as a data breach. This could range from a club secretary losing some paperwork to large multi-million pound companies having data hacked or sharing it without permission.
The GDPR places a duty on all organisations to report certain types of data breaches. If a breach poses a high risk of adversely affecting individuals - for example, losing their bank details - you must inform them without undue delay. Certain types of data breaches are required to be reported to a supervisory authority within 72 hours.
A record of all data breaches must be kept - whether or not they were reported. For more detail on data breaches, including what these are and developing an action plan to prepare for a breach, visit the 'Personal data breaches' section of the Information Commissioner's Office.
Complying with the rules
GDPR sets out the standards required for all aspects of handling individuals' personal data. Personal data is any piece of information by which a person can be identified - this can be something as simple as a name, phone number or email address.
If the correct procedures are put in place and followed it minimises the risk of a data breach and protects personal data.
The Information Commissioner's Office is the UK's independent authority to uphold information rights in the public interest and is taking a lead on the introduction of GDPR in the UK. Their website is a very useful resource for information about GDPR.
It sets out two key definitions:
- Data controller - they determine the purposes and means of processing personal data. So this would be the volleyball club and is decided by those who run the club.
- Data processor - this is a person who is responsible for processing personal data on behalf of a controller. For example, this would be a team coach who must ensure they process data on behalf of the volleyball club.
The way personal data is handled can be broken down into three key areas: how it is collected, stored and used.
Collecting personal data
When someone joins your club - whether it is a player, coach, volunteer, in fact anyone - you need to ensure you collect their data correctly. This means:
- Only collecting data your club needs
- Data must be processed securely
- You need to make it clear and simple to that person what data you're collecting
- You need to make it clear why you are collecting it
- Telling the person how their data will be used
- Telling the person who you plan to share their data with
- If a person is under 18, you need to get consent from their legal guardian to collect, store and use their data.
Every club member must give their permission for your club to use their data. So it is good practice to create a Privacy Notice for your club. This is a document which outlines what data you will hold, why you need it, who you will share their data with (including club coaches, Volleyball England, local media etc), how long you will hold the data (is it just as long as they are a member or will the club keep it for a period afterwards?), and the individual's right to access their data or request for it to be deleted.
Once you have created a Privacy Notice, you can attach this to your registration form and ask each member to sign to give their consent for the club to use their data as explained.
The Sport and Recreation Alliance has a selection of templates of Privacy Notices for different types of members on their website which you can use for your club. To access their resources click here.
It is also important to remember that not all personal data a club collects will come directly from the individual. If your club is passed personal data from a third party, think carefully before you use this data. Only use data from a reliable and trustworthy source. If that organisation hasn't got the relevant consent to pass the data to you, there could be a data breach.
Storing personal data
Volleyball clubs will possess lots of personal data and need to ensure it is stored in a safe and legal way. Clubs must:
- Store personal data securely - only those who have permission should be able to access personal data
- Ensure any IT systems where data is stored are secure and protected
- Keep paper records securely - it is best if these can be locked in a filing cabinet
- Update personal data regularly to ensure it is accurate
- Only keep relevant data - do not keep data of members who have long left your club
- Ensure data is always processed securely
- Honour an individual's right to their data
Every person has the right to their personal data. An individual has the right to access, rectify or erase their data. A person can ask an organisation for what personal information it holds, to rectify any incorrect or incomplete data or have their data deleted. If an individual makes a request of this nature, the organisation must respond within one calendar month.
Using personal data
The fundamental aspect of using people's data is consent. Do you have permission to use personal data in the way you want to use it? Most clubs will need to share members' data to operate so it is best to explain how a member's data will be used when they first join the club and gain their consent.
Clubs must:
- Only use data for the purpose it was collected
- Only share personal data if they have consent - for clubs this can include sharing data with club coaches, Volleyball England, competition organisers
- For under 18 members, permission must be gained from their legal guardian for you to use the data
- Be clear on how personal data will be used for marketing purposes - if you want to contact members with marketing notices you must give them the option of how they will be contacted and list each method, such as email, post or SMS. You cannot have one opt-in box for all. The boxes must be ticked by the individual and not pre-populated
- Not share members' details to allow other organisations to contact them for marketing purposes - even if the organisation is a club sponsor or business connected to your team.
Data Protection Policy
A data protection policy outlines to your organisation's members how to handle personal data. Volleyball England has its own policy - which you can read here.
For your club, it is good practice to create a Data Protection Policy. Some organisations must appoint a Data Protection Officer, depending on what data they store and how they process it.
The Sport and Recreation Alliance - who have been commissioned by Sport England - have produced very useful templates and information about Data Protection Policies and Appointing a Data Protection Officer - you can access it here.
For more information and useful templates, visit the 'Useful Resources' page in the GDPR Guidance section of the Volleyball England website.
Resources for my club
GDPR may seem like a challenge to implement, however there is lots of support available to sports clubs.
Commissioned by Sport England, the Sport and Recreation Alliance (SRA) is working on a project to help the sports sector comply with GDPR. It has developed a GDPR Toolkit which national organisations, regional organisations and clubs can access to help them develop the correct methods of data processing.
Click here for the SRA GDPR Toolkit for Clubs.
The Toolkit includes template documents which your club can use. These include:
- Privacy Notices - this document tells individuals your club deals with what information you collect and why
- Data Protection Policies - these policies guide your club's staff and volunteers as to how to handle personal data
- Individual Rights - these templates show clubs how to respond to an individual's request for access or erasure of their data, as well as advice on data breaches
- Transferring Data - templates of processing agreements of how to share data outside your organisation
- Direct Marketing - template of consent wording and advice on direct marketing to your members
Is my club compliant?
To help ensure your club is GDPR compliant, the Sport and Recreation Alliance have created a GDPR Compliance Questionnaire. This comprehensively goes through GDPR and poses the questions you need to answer to ensure your club is compliant. It can almost be a tick sheet for your club, that goes through almost every aspect of GDPR.
To find and download the GDPR Compliance Questionnaire - click here.
The Information Commissioner's Office
The Information Commissioner's Office is the independent authority 'set up to uphold information rights in the public interest'. It is leading on GDPR and has extensive information and advice on their website, for individuals and organisations.
This includes definitions of key terms and a breakdown of all areas of GDPR. You can access all this information for free on their website.