Data Protection - A Further Update for Clubs
Introduction
This is an update to the article in the December 2017 issue of the Croquet Gazette, which outlined the impact on clubs of the GDPR (General Data Protection Regulation) when it comes into force on 25th May 2018.
Registration and Data Protection Fee
One of the changes that GDPR makes is that Data Controllers no longer need to register with the Information Commissioner's Office (ICO) (though in practice typical croquet clubs were exempt from doing so). However, draft legislation is before parliament to introduce a "data protection fee", to support the Commissioner in the style to which she has become accustomed. The good news is that, according to an article on the ICO website, it appears that most croquet clubs will also be exempt from this if they:
- are only processing data for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit, or providing or administering activities for individuals who are members of the body or association or have regular contact with it;
- only hold information about individuals whose data they need to process for this exempt purpose; and
- restrict the personal data processed to personal information that is necessary for this exempt purpose.
There is also an exemption for "core business purposes" such as:
- staff administration
- advertising, marketing and public relations
- accounts and records
Individuals are exempt from paying a fee if the only information they process is for personal, family or household affairs that have no connection to any commercial or professional activity. 'Personal, family or household affairs' includes recreational activities and the capturing of images that contain personal data, even if they are captured in a public space.
What Clubs Should Do
Even if you are exempt from paying the fee, you are still required to abide by the regulations. I think the most important things for clubs to do are:
- Document what data the club holds, where it is held (many clubs will have data held on their officers' personal laptops), where it comes from, who you share it with and the lawful basis for processing it.
- Ensure that it is held securely and backed up, to protect against loss or unauthorised disclosure.
- Provide privacy notices, e.g. on membership application forms and in a club handbook and/or website. The requirements are documented on the Information Commissioner's website and there is a template for such a notice on the Croquet England website.
- Obtain freely given, informed and positive consent if you use or publish members' data for purposes that are not necessary for running the club.
Further Information
The Information Commissioner's website has a wealth of information at ico.org.uk. The Sport and Recreation Alliance have been commissioned to provide advice to the sector, but I suspect this is still being developed. The Sport England "Club Matters" website (see the separate article by Dave Gunn in the April 2018 Gazette) is also advertising a podcast on this topic.
Conclusion
Like Y2K, there has been a lot of talk and publicity about this, and not a little FUD (Fear, Uncertainty and Doubt). Unlike Y2K, GDPR will have a more lasting impact, but the message I've been getting is that small organisations have little to fear provided that they take sensible, proportionate steps to comply and keep their members sweet. The ICO is only likely to come down heavily on large organisations, or those who wilfully continue to breach the regulations after a complaint.