09 January 2018

GDPR for Sports Clubs

What you need to know.

Declan Murphy


Tony Byrne


GDPR stands for General Data Protection Regulation. The GDPR sets out the privacy rights of every EU citizen and the ways in which an individual’s ‘Personal Data’ can and can’t be used.

Personal data is information about an individual such as name, address, phone number etc. and includes special categories of personal data including one’s race, ethnicity, religion or sexual orientation.

When is it coming in?

The EU will be enforcing these laws across the 28 member states from May 25th 2018. We will return to the Brexit conundrum facing clubs from Northern Ireland later!

Why is it such a big deal?

Failure to comply with the GDPR will result in the risk of incurring massive fines ranging from €10m to €20m or 2% to 4% of an organisation’s total worldwide annual turnover in the preceding financial year (depending on whichever is greater).

Where a club forms part of a bigger organisation there is a potential for significant fines when the worldwide annual turnover is assessed. It’s in the interest of any individual or organisation to be compliant and up to speed!

Why does this affect me or my club?

The law puts the onus on the person or entity that collects a person’s information (Data Controller), to comply with the legislation and to demonstrate compliance.

Don't Panic

However, there is no need to panic!

Most of the Data Protection procedures should already be in place at your club but there are several key changes that must be highlighted. The Irish Data Protection Commissioner has published a 12-step guide which is worth a read.

What are the key points?

  1. GDPR sets out rules about how personal information (data) can be obtained, how it can be used and how it is stored. Sports clubs often collect the data of their members and players via membership forms, Garda Vetting forms, summer camp applications, text or messaging systems, email lists or distribution groups, team sheets or training attendance lists, and information captured on club websites.
  2. Should a member consent to the holding of his or her data by the club, this must be communicated to them at the time the data is obtained. A single box tick will not suffice for multiple purposes. Three separate boxes should be offered to request consent to use one’s information in the following practical example: i) using training facilities, ii) signing up for club lotto and iii) getting updates about the club.
  3. Clubs must explain to members the legal basis for the use of the data. There are many legal grounds for using personal data such as ‘performance of contract’ and the ‘legitimate interest’ of the data controller. If relying on the member’s consent to use data, it should be easy for an individual to withdraw their consent. The chance to review their consent should be given on a regular basis (e.g. yearly). In Ireland, it is anticipated that parental consent for children under 13 will be required in relation to the use of digital technology e.g. apps.
  4. Data must be kept safe and secure and must be kept accurate and up to date.
  5. An individual can request a copy of all of the personal information held about them (this is called a Subject Access Request) and must be allowed to have all of their data deleted or returned to them, if they so wish, within a month.
  6. Each club should consider the appointment of a Data Protection Officer (DPO) or identify someone to manage the requirements of the role. The DPO will advise on the GDPR, monitor compliance and represent the club on engagement with the Data Protection Commissioner.

What should my club do?

Become Accountable

It is up to the club to make an inventory of all the data it holds on its members and to maintain a record of what it does with this data; this is called ‘data processing’. The object is to find out why, where and how the data is stored, as well as why it was originally gathered, how long it is being retained, how secure it is and whether it is shared with any third parties.

So, all paper forms, emails and computer files should be checked and updated, and irrelevant data should be deleted. Data Controllers must be able to demonstrate that consent was given or that another lawful ground for processing can be relied upon, and that an audit trail is maintained.

The GAA, for example, stores all registered member information on their Central Games Management System (Foireann) and jointly shares responsibility for this data with each club/team/county. Some clubs may have other systems in place (Excel) or use third party providers such as ClubZap to manage their digital systems. Third party providers must be well aware of GDPR compliance and discussions should be held with third parties in relation to responsibilities arising and where liability for a failure to comply will rest.

Update Forms

If relying on consent, it must be ‘freely given, specific, informed and unambiguous’. In order to comply with GDPR, membership (or any other) forms should include the following information…

  • The Club’s identity
  • The reasons for collecting the information
  • The uses it will be put to
  • Who it will be shared with
  • If it’s going to be transferred outside the EU
  • The legal basis for processing the information
  • How long it will be retained for
  • The right of members to complain
  • Whether it will be used for automated decision making
  • Other specific personal privacy rights relevant under GDPR.

Although GDPR does not kick in until May, it might be wise to bring these changes in this month if memberships are being renewed to save a data dilemma a few months down the line.

Make it a New Year’s resolution! If consent was already gathered in a way consistent with GDPR, then it is not necessary to do so again.

Respect Personal Privacy Rights

As a data controller your club must protect the rights of individuals.

They include the right to have information erased, inaccuracies corrected and the ability to object to direct marketing.

Ensure Data Portability

Data Portability is a hot topic at the moment — it’s the process where an individual’s information is gathered and moved to another provider or to the individual in a technical format. This is more relevant to switching banks or utility services but could crop up when a player transfers club.

Respond to any Data Breach

If there is unauthorised access to personal data or it is lost or stolen, the Data Protection Commissioner must be informed within 72 hours.

Where there is a high risk to the rights and freedoms of the individual affected, he or she should also be made aware of the breach.

Consider Brexit ramifications

Clubs in Northern Ireland may be concerned over the effect of Brexit on data protection. It is expected that when the UK formally leaves the EU in 2019 it will have enacted legislation that mirrors GDPR. However, this remains to be seen.

In Summary…

  • Consent needs to be obtained and refreshed regularly
  • Privacy statements need to be updated
  • Information needs to be protected and accurate
  • Specific locations of information must be known
  • Subject Access Requests must be facilitated within 1 month
  • Breaches must be reported within 72 hours
  • Privacy by design and by default must be adopted
  • New procedures must be implemented to enable the above throughout the lifecycle of the data (Capture, Store, Use, Destroy).


Checklist of things to do by May 25th

  • Spread awareness of GDPR within the club
  • Ensure Privacy by design and default e.g. when adopting new processes and developing new systems or programmes, consideration must be given to any impact on the privacy of individuals and privacy features must be built in to new products and services.
  • Create Inventory of data processing activities
  • Review access to Personal Information
  • Evaluate who has access to personal data and ensure they are authorised
  • Evaluate any other systems that hold member information for appropriate access
  • Ensure any third parties have provided assurance on GDPR compliance and that liability for non-compliance has been agreed.
  • Ensure paper forms are stored in known and safe locations
  • Ensure any laptops holding data are encrypted
  • Ensure any spreadsheets are password protected
  • Ensure a SAR process is in place
  • Ensure a process to report data breaches is in place
  • Ensure documentation is in place
  • Ensure BCC function on email is used — never reveal addresses in group emails
  • Use a cloud-based system like Microsoft OneDrive as a mechanism to keep electronic data secure
