To accompany our guidance for clubs on GDPR data protection legislation, we've picked out some of the most regular queries we have received from clubs and provided our advice and suggestions below. If you have any further questions, please get in touch with firstname.lastname@example.org or call us on 01738 493942
According to the chief of the Information Commissioner's Office who will be enforcing the legislation: “There will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date.”
We recommend that your club aims to share an up-to-date privacy notice with all your members and any other people whose personal data you retain before 25 May, even if you continue to review and improve some of your club's processes after this point.
Clubs do not need to get a positive agreement, explicit consent or even confirmation from their members that they have read the club's privacy notice. You simply need to share it with them, by email or in paper form, and record when and how you shared the notice with them. You will need to share it again any time you make changes to it in the future.
So long as your privacy notice explains that you hold and use your members' personal information on the basis of the club's contractual and legitimate interests, then their positive agreement is confirmed by their signing up for or choosing to renew their membership. It is important that your privacy notice also gives members a clear option to manage or change their communication preferences with the club on an ongoing basis.
If you intend to communicate with your members or others on matters that are not a core element of the club’s activity then you would need to ask for them to confirm that they “opt-in” or consent to this additional activity.
The law is not specific in stipulating how data must be stored, just that you have appropriate safeguards in place. We suggest that you first need to review whether it is necessary to hold hard copies of members' personal information in multiple homes. Try to cut down where possible - for instance, by scanning in paper membership forms or inputting into a password protected spreadsheet.
If it is important to the operation of the club that you retain paper copies of personal information, then you do need to demonstrate that you are taking precautions to hold that information responsibly and securely. If paper documentation is stored in a locked cabinet, this conveys that you have sought to be diligent.
Again, there is an element of balancing levels of risk with practicality - that is for the club committee to decide. Either way, your privacy notice should set out for members how the club chooses to store personal data and which committee members hold it, so that they can make their own informed decisions at the time of sign up or renewal.
Your privacy notice should cover all the people who you hold personal information for. So yes, it should be shared with all existing non-members/prospective members and it should be given to new guests/non-members when you are collecting their personal information.
You should add a specific sentence into your privacy notice if you retain the data of people who don’t join for a different timescale to your members. If another club shares the personal information of their members with you – they should add this to their privacy notice or ensure they have a record of informing their members about the transfer of the data.
GDPR will allow organisations to process next of kin details / emergency contact details under legitimate interest processing rules or lawful bases. It is reasonable to assume that it is in a person’s best interest to have their data processed for this purpose and it is an important part of the club's responsible approach to managing safety.
Your privacy notice should highlight the club's need for emergency contact details, stating that they will not be used for any other purpose and how you securely store all personal information to reassure people on this. You should also include a sentence in any form where emergency contact details are asked for.
Clubs should review whether it is really necessary to circulate members' contact details publicly or between the full club membership.
If the club chooses to continue to publish detailed membership lists or contact details, they should also provide recipients with clear instructions on what they can/can’t do with the data in the lists, i.e. they can only use the data for club-related communication and can not pass or sell the data on to anyone else. This should be highlighted in the club's privacy notice too.
It will continue to be acceptable to retain historic publications like club newsletters or journals that include members' personal information in the public domain or in a public archive.
Clubs should review whether it is really necessary to continue to publicly share members' contact information in future publications, though there is obviously always likely to be references to names and photos. You should ensure that any personal information that you intend to continue publishing in these public locations is referred to in your club's privacy notice.
If a member were to request their "right to be deleted", this can not reasonably include personal information which is already in the public domain.
Members sign up to a Facebook closed group themselves and in choosing to do so, they accept Facebook’s security and data protection principles.
You should highlight in your club's privacy notice that you may use images, etc, to publicise the club’s activities on social media and other communication channels, especially if you also have a public Facebook page for the club as well as your closed group.
This is not necessary for small not-for-profit membership organisations, unless a club operates CCTV for crime protection, e.g. at a hut.
This advice has been written to help club officers of Mountaineering Scotland's affiliated clubs review whether their club processes will be compliant with GDPR changes in data protection law. We have received legal support through sportscotland's expert resource, Harper McLeod, in pulling together our advice and templates. The guidance in these web pages does not constitute legal advice and is based on information available at the time of writing.
If you have any questions relating to GDPR that aren't answered in the articles above, or if you are looking for further advice visit:
The ICO also now offer a helpline. Representatives of small organisations and clubs should dial 0303 123 1113 and select option 4 to be diverted to staff who can offer support.