GDPR for Jog Leaders
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. This is a piece of data protection legislation that governs the way people’s data can be stored and used.
This affects you if you store any data about your joggers, for example, if:
- Your phone or computer contains phone numbers or email addresses for jog members
- You have old PARQs, or the information from them, stored somewhere
- You have any member information stored anywhere, whether digitally or on paper
- You pass member information to other people/organisations, e.g. leisure trusts, gyms etc.
Making sure you comply with GDPR doesn’t need to be onerous, but with the potential for significant fines if it is not adhered to, it is important that you give it some thought.
We’ve put together a document, GDPR guidance for jog leaders, to help you make sure you’re GDPR-compliant. Please take time to have a read and take any action that you need to.
For further guidance on the implications of GDPR for your group please read the GDPR – club briefing paper prepared by Harper Macleod LLP, on behalf of sportscotland, to support sports clubs.
Harper Macleod LLP have also prepared a number of resources to support sports clubs in preparing for the implementation of GDPR. If you require these to be sent to you then please e-mail firstname.lastname@example.org.
What does our group need to do to comply with GDPR?
Firstly, the group needs to read the briefing paper prepared by Harper Macleod LLP for sports clubs in Scotland. In summary, you need to review all the information you hold and your reasons for holding it, identify the lawful basis for collecting and storing that information, prepare a privacy notice (or notices, where applicable), identify a process and accountability for monitoring compliance within your group, and ensure all individuals managing data in your group are fully aware of the GDPR and its requirements.
What are the implications for failing to comply with GDPR?
Organisations can be fined up to 4% of annual global turnover and there is a tiered approach to fines. Whilst fines are relative to the size of your business, it is important to ensure you are fully compliant to safeguard your group against data protection breaches.
What do we do if there is a breach?
Any personal data breaches should be reported to the ICO within 72 hours of becoming aware of the breach. Further information on personal data breaches, including how to avoid a breach and how to report a breach, can be found here. When any breach is reported, whether by the organisation itself or by an individual or other party, the group may be required to show what steps they have taken to manage data safely and in line with GDPR. This is why it is extremely important you take the time to review the briefing paper and prepare accordingly.