What does GDPR mean for your Sports or Recreational Club?

Some might think data protection is only for large organisations and doesn’t apply to small organisations and clubs. But if your club holds names, addresses and contact details, next of kin details, disability data, or financial information including bank account details, you must adhere to the Data Protection Act 1988 (DPA).

From the 25th May 2018, the new EU General Data Protection Regulations (GDPR) have placed certain obligations on sports clubs that process individuals’ personal data. The GDPR regulates how personal information should be used and protects people from misuse of their personal details. So you now need to know what your obligations are, and club committees also need to understand how the DPA affects your club going forward. It is the law, and non-compliance can lead to complaints being made to the Data Protection Commissioners Office. If data is misused, there could be a fine levied against your club.


Personal data will be:

  1. Processed fairly and lawfully

Have a legitimate reason for collecting and using the data and tell the individual what you will be doing with their data.

  2. Processed for specified, lawful and compatible purposes

Be open about the reasons for obtaining personal data.

  3. Adequate, relevant and not excessive

Hold sufficient personal data about an individual to do the job and do not hold more information than is needed.

  4. Accurate and up to date

Take reasonable steps to ensure the information is accurate and up to date.

  5. Not kept for longer than necessary

Consider the purpose for which you hold the information and regularly review how long you keep the data.

  6. Processed in accordance with the rights of the individual

The DPA gives certain rights to individuals. The main ones to note are that any individual has the right to view certain information that is held about them, the right to prevent the processing of their personal information and the right to say no to marketing information.

  7. Processed with appropriate security

Be aware of how personal data and sensitive personal data are protected – lock filing cabinets, change passwords regularly on computers, password protect documents.

  8. Not transferred outside the European Economic Area without adequate protection

Do not transfer data outside of the EEA unless the destination country has adequate protection for personal and sensitive personal data.


  • Adopt a data protection statement for your club
  • Ensure any forms that collect Personal Data (e.g. the club membership form) include a data protection statement and consent from each club member
  • Ensure all records are kept securely and up to date – e.g. locked away, or in password-protected documents on computers
  • Old data about past members should be deleted
  • Ensure that only nominated (ideally no more than three) club officials have access to Personal Data and understand how to comply with the Act
  • Do not disclose – in writing or verbally – any Personal Data about any member to anyone
  • Ensure that for any emails that are sent to more than one individual, email addresses are BCC’d (blind copied)
  • Consider the adoption of a Data Protection Policy and place it on your club website
