GDPR - complying with the rules
Complying with GDPR
GDPR sets out the standards required for all aspects of handling individuals' personal data. Personal data is any piece of information by which a person can be identified - this can be something as simple as a name, phone number or email address.
If the correct procedures are put in place and followed, this minimises the risk of a data breach and protects personal data.
The Information Commissioner's Office is the UK's independent authority to uphold information rights in the public interest and is taking a lead on the introduction of GDPR in the UK. Their website is a very useful resource for information about GDPR.
It sets out two key definitions:
Data controller - they determine the purposes and means of processing personal data. So this would be the volleyball club and is decided by those who run the club.
Data processor - this is a person who is responsible for processing personal data on behalf of a controller. For example, this would be a team coach who must ensure they process data on behalf of the volleyball club.
The way personal data is handled can be broken down into three key areas: how it is collected, stored and used.
Collecting personal data
When someone joins your club - whether it is a player, coach, volunteer, in fact anyone - you need to ensure you collect their data correctly. This means:
- Only collecting data your club needs
- Data must be processed securely
- You need to make it clear and simple to that person what data you're collecting
- You need to make it clear why you are collecting it
- Telling the person how their data will be used
- Telling the person who you plan to share their data with
- If a person is under 18, you need to get consent from their legal guardian to collect, store and use their data.
Every club member must give their permission for your club to use their data. So it is good practice to create a Privacy Notice for your club. This is a document which outlines what data you will hold, why you need it, who you will share their data with (including club coaches, Volleyball England, local media etc), how long you will hold the data (is it just as long as they are a member or will the club keep it for a period afterwards?), and the individual's right to access their data or request for it to be deleted.
Once you have created a Privacy Notice, you can attach this to your registration form and ask each member to sign to give their consent for the club to use their data as explained.
The Sport and Recreation Alliance has a selection of templates of Privacy Notices for different types of members on their website which you can use for your club. To access their resources click here.
It is also important to remember that not all personal data a club collects will come directly from the individual. If your club is passed personal data from a third party, think carefully before you use this data. Only use data from a reliable and trustworthy source. If that organisation hasn't got the relevant consent to pass the data to you, there could be a data breach.
Storing personal data
Volleyball clubs will possess lots of personal data and need to ensure it is stored in a safe and legal way. Clubs must:
- Store personal data securely - only those who have permission should be able to access personal data
- Ensure any IT systems where data is stored are secure and protected
- Keep paper records securely - it is best if these can be locked in a filing cabinet
- Update personal data regularly to ensure it is accurate
- Only keep relevant data - do not keep data of members who have long left your club
- Ensure data is always processed securely
- Honour an individual's right to their data
Every person has the right to their personal data. An individual has the right to access, rectify or erase their data. A person can ask an organisation for what personal information it holds, to rectify any incorrect or incomplete data or have their data deleted. If an individual makes a request of this nature, the organisation must respond within one calendar month.
Using personal data
The fundamental aspect of using people's data is consent. Do you have permission to use personal data in the way you want to use it? Most clubs will need to share members' data to operate, so it is best to explain how a member's data will be used when they first join the club and gain their consent.
- Only use data for the purpose it was collected
- Only share personal data if you have consent - for clubs this can include sharing data with club coaches, Volleyball England, competition organisers
- For under 18 members, permission must be gained from their legal guardian for you to use the data
- Be clear on how personal data will be used for marketing purposes - if you want to contact members with marketing notices you must give them the option of how they will be contacted and list each method, such as email, post or SMS. You cannot have one opt-in box for all. The boxes must be ticked by the individual and not pre-populated
- Do not share members' details to allow other organisations to contact them for marketing purposes - even if the organisation is a club sponsor or business connected to your team.
Data Protection Policy
A data protection policy outlines to your organisation's members how to handle personal data. Volleyball England has its own policy - which you can read here.
For your club, it is good practice to create a Data Protection Policy. Some organisations must appoint a Data Protection Officer, depending on what data they store and how they process it.
The Sport and Recreation Alliance - who have been commissioned by Sport England - have produced very useful templates and information about Data Protection Policies and Appointing a Data Protection Officer - you can access it here.
For more information and useful templates, visit the 'Useful Resources' page in the GDPR Guidance section of the Volleyball England website.