GDPR Guidance

EH
What is GDPR? 

The General Data Protection Regulations (GDPR) will come into effect on 25 May 2018 and will replace the Data Protection Act (DPA). Legal advice suggests that GDPR does not present a drastic overhaul to the current DPA framework but rather, it plugs gaps, or strengthens existing rights and obligations and defines certain concepts more precisely. 

Therefore, if your organisation is compliant with the DPA this will put you in good stead for the move across to GDPR. It does however significantly increase the fines for failing to comply. It’s worth highlighting the basic principles of the original Data Protection Act which remain in place and which should continue to provide the basis for the way you manage people’s data. 

- Data must be used fairly and lawfully
- Used for limited, specifically stated purposes
- Used in a way that is adequate, relevant and not excessive
- Accurate and kept for no longer than is absolutely necessary
- Handled according to people’s data protection rights
- Kept safe and secure
- Not transferred outside the European Economic Area without adequate      protection 
 
Does this apply to our club/association? 

The GDPR applies to you if you collect any personal data in running your club/association (which you definitely will do if you have any members). This includes searchable paper records. GDPR refers to data controllers (those who own and control the data) and data processors (anyone who processes data on behalf of a data controller). 

Some of the common things to consider 

Data storage 
You should only collect the minimum data required to carry out the processes you need and the data should be kept up to date. Any data that is old and out of date should be securely deleted. You should review the security of the data particularly if it’s kept in spreadsheets and word documents rather than secure systems. Consider encryption, particularly if you are sending personal data around your club rather than using a central, secure system.  
 
Privacy or data capture statements 
When individuals provide you with their details, make sure you are clear and transparent about why you have it and what you will do with their information. This means you need to make sure that you have the right data capture statements to present to individuals when they give you their personal details. 

Data transfer 
One of the principles of the Data Protection Act 1998 (and the GDPR), is that you can only process data for the purpose for which it is collected. This means that if you collect a name and contact 

 
 
GDPR guidance V1 March 2018 
 
GDPR guidance 
 
Details of an individual, so that they can become a member of your club, you can’t simply use that information to allow your affiliates and sponsors to contact them for marketing purposes. You also need to tell people when they join your club if you are going to transfer their data, for example to an umbrella organization or even within your club if it’s not held in a central system. You can still transfer data and send group emails but you need the right consents.  In order to improve administration within the sport and to reduce duplication of input, England Hockey will be working with its approved partners to transfer some data between systems. For example league tables could be shared with club websites, club official’s data could be shared with leagues to avoid constant re-inputting. This will require the consent of individuals and the approved systems will ensure that this complies with GDPR.  

Data breaches 
You need to make sure that personal data is held securely, i.e. that electronic documents are encrypted and password protected and that they are backed up on a regular basis. Consider restricting the storage of personal information to GDPR compliant secure systems and not keeping personal details on spreadsheets etc. You also need to make sure that your volunteers can identify when a breach has happened and that they know what they should do and who they should talk to. Pay particular attention to any sensitive information such as health records. You are expected to keep this sort of sensitive data particularly safe.  

England Hockey systems
England Hockey will be working with our own systems providers so that the Player Pathway system, Hockey Hub, EHL system etc will be GDPR compliant. 
 
Top tips to prepare for GDPR  
1. Process – understand the journey that personal data takes through your club. What information do you collect and do you need that information? What do you tell people when you collect it? On what legal basis have you collected it? Where and how do you store that data? What do you do with it? When is it deleted? This will allow you to identify any areas of risk. 

2. Awareness – make sure that your volunteers are aware of the GDPR and data protection issues and that they know who to talk to if they receive a subject access request or if there is a breach. 

3. Policy – make sure the policies and procedures you have in place help your volunteers deal with data protection issues. 

4. Communication – make sure you tell individuals at the point of collection what you will do with their data and when you will delete it. 

5. ICO guidance – take a look at the 12 steps to take now and the Getting ready for the GDPR self-assessment tools. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf 
 
What are the key changes for clubs and associations? 

More communication 
You will need to give people more information. You need to tell people about how and what you do with their data at the point you collect it. If you use one of the league and club management systems provided by one of England Hockey’s approved providers (Club Buzz, Pitchero, SportLomo and Teamer) they will be taking the necessary steps to make it GDPR compliant but you need to make your members aware of where you send their data. That may be straightforward but you may be sharing it with leagues, county associations, regional associations, umpiring associations if for example you are providing details of your club officials or you may be sharing information on disciplinary forms. 

ICO notifications 
You no longer have to notify and register with the Information Commissioner’s Office (ICO) as a data controller – you may already not need to under the current not-for profit organisation. 

Obligations 
There will be direct obligations on data processors as well as on data controllers. This may mean 


GDPR guidance V1 March 2018 
 
GDPR guidance 
 
 
If you use any third parties to process data on your behalf, for example hosting your website, then you must have a written contract in place which sets out each parties GDPR obligations. 

Fines increase significantly 
Currently the highest fine the ICO can levy is £500,000. Under the GDPR they will be able to issue fines up to 20 million euros or 4% of your global annual turnover (whichever is the higher) for serious breaches. The fine could be 10 million euros or 2% of your global annual turnover (whichever is the higher) for less serious breaches. 

Getting consent 
Consent will be much harder to achieve. If you rely on consent from individuals to use their personal data in certain ways, for example to send marketing emails, then there are additional requirements to comply with. Consent must now be explicit, positively given for each separate use and can be removed at any time. It should be expressed in simple, easy to understand terms and avoid legal jargon. 

England Hockey’s official partners (Club Buzz, Pitchero, SportLomo and Teamer) will be changing the way that their systems obtain consent to ensure they are GDPR compliant. If you use a system that is not provided by these partners you should ensure that complies with the new legislation.  

Data retention 
Retention policies need to be clear. You can’t keep data for longer than is necessary for the purpose for which it was collected. You also need to inform people how long you will keep their personal data and you can’t keep it indefinitely so decide how long you need to keep data. It must be reasonable.

Privacy by design
If you are planning on putting in place a new system or electronic portal, then you need to consider whether the service provider you choose has adequate security to protect personal data. 

Breaches 
You will only have 72 hours from being aware of a breach to report it to the ICO. This includes the loss of any personal data. Under the Data Protection Act there are no obligations to report breaches. 

Children 
There are additional protections for children’s personal data. If you collect children’s personal data then you need to make sure that your privacy policy is written in plain simple English. And if you offer an online service to children aged 13-15, you may need to obtain consent from the parent or guardian to process the personal data. 

Summary 
In simple terms:
- Tell your members what you are doing with their data 
- Get their consent to use it for each purpose
- Keep their data secure
- Delete their data when you no longer need it. 

England Hockey will also be developing some Frequently Asked Questions (FAQ’s) which will put on our website to give further guidance once GDPR is more established. At present GDPR is a series of principles and the detail will become clearer once it has been tested and clarified.