Sports Clubs & GDPR - 7 Do’s

The General Data Protection Regulation(GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

1. Increase Awareness

GDPR will benefit all of us, it will ensure that our Personal Information is protected from misuse by any organisation.

2. Ensure Understanding 

Clubs need to understand exactly what Personal Information it holds and is responsible for. Make an inventory of the personal data that is held and examine it under the following headings: -

  • Why is it being held?
  • How was it obtained?
  • Why was it originally gathered?
  • How long is it being retained for?
  • How secure is it?
  • Is it shared with any third parties?

3. Record Keeping 

Organisations will be required to keep records of the data they process and the legal basis on which they process it.  Consider whether and how any sensitive data is processed within the organisation and whether appropriate systems are in place to safeguard them.

4. Transparency 

Data capture forms and privacy policies of sports organisations will need to be updated in order to fall in line with the minimum transparency  requirements of the GDPR.  

Consider whether an appropriate system is in place such that a data access request / exercise of a right of erasure can be dealt with quickly and satisfactorily - see Chapter 3 Rights of the Data Subject

5. Consent 

They must give their consent for their data to be used.

Consent must be ‘freely given, specific, informed and unambiguous’. 

Consider if consent is required and, if so, how consent is obtained from the individual players, members etc. and whether it is collected appropriately in line with Article 7 GDPR “Conditions for consent” 

Identify Data Protection Officers

6. Right to Access 

Access to all information held about an individual (Subject Access Request).

This allows for any member to request a copy of all information held about them. This must be provided within one month. 

Notification of Breaches - if unauthorised access to Personal Data occurs or Personal Data is lost or stolen, this must be notified to the Data Protection Commissioner within 72 Hours of being identified.

7. Review 

Review the privacy policy and fair processing notices of the club / organisation to ensure that the transparency requirements are appropriately satisfied.

For further information on GDPR – Data Protection Commissioner – Ireland visit