What GDPR means for sports clubs and organizations

Joey van Kuilenburg, Founder @ Victoryz
May 1, 2018


Whether you’re a small club, an organization with professional staff or a sport governing body, you’ll have fans, associates and athletes. Consequently, you’ll be holding the personal data of many people, in addition to information about employees and volunteers. Data is an essential asset for sports organizations: maintaining and growing it is necessary to the continued growth and success of the organization, and allows them to engage with and promote events. This new EU law is intended to radically alter how all organizations handle people’s personal information, and is the largest reform of data protection legislation in over 20 years. It’s critical that all sports organizations have taken, or intend to take, suitable measures to ensure compliance with the regulation, because there are enormous potential fines (up to $20 million or 4 percent of worldwide turnover for severe breaches) for organizations that don’t comply.

The GDPR applies to organizations that collect any personal data from associates, employees, athletes or fans (“Data subjects”). “Controllers” of personal data are organizations that determine how and why personal data is processed. “Processors” of personal data are those who process data on the controller’s behalf. Some of the main changes introduced by the GDPR include:

Record keeping

Organizations will have to maintain records of the data they process, why they process it, for how long they process it and the legal basis on which they collect it.


The GDPR lays out the information that has to be given to data subjects at the point their data is collected. Data collection forms and privacy policies of sports organizations have to be updated to comply with the minimum transparency requirements of the GDPR. Data subjects have to be informed about what personal data is processed, why it’s processed, the legal basis for processing, how long it will be retained, who, if anyone, it may be shared with and what steps will be taken to safeguard the data, particularly if it’s being transferred or hosted outside the EEA.


While consent isn’t the only basis on which data can be processed, the GDPR introduces new conditions for obtaining valid consent. To be compliant, consent to processing has to be given by a clear affirmative action, i.e., the data subject should actively indicate that they agree to the way their data is to be processed. Each purpose of communication requires a separate consent, and data subjects have to be given a simple way to withdraw their consent at any time. Sports organizations might need to change the way they collect data from data subjects and should begin by reviewing how they seek, obtain and record the person’s consent at the point of collection. Make sure that the person knows exactly what they are agreeing to, such as direct marketing, event updates, etc.

Make sure that you have adequate systems in place to verify the ages of members/players and to collect consent from the guardians of children. Consent has to be verifiable, so it must be requested in plain and simple language, and it must be possible to withdraw it.

Right of access

Data subjects already have a right to access their data as collected by an organization under the present Data Protection Acts 1988 and 2003, and the time limit for responding to these requests will be reduced from 40 days to within a single month. Controllers won’t be able to charge for access unless they can demonstrate that the costs incurred will be excessive. It’s well worth reviewing and updating procedures and working out how to handle requests within the new timelines without undue delay.

Right to erasure

The GDPR also introduces new rights in addition to the right of access. Data subjects will be able to request deletion of their personal data without undue delay on a number of grounds.

Right to data portability

Individuals will have to be given a copy of their personal data in a structured, commonly used and machine-readable format, although this right only applies in limited circumstances. It may become relevant for the performance information of athletes and players when they move teams.

Sensitive data

Clubs and organizations should make sure they know whether they hold any “sensitive data” of players, members or employees, such as information regarding a person’s physical or mental health (including accidents). Explicit consent of the individual to whom the data relates will probably be required in order to process this kind of data, and extra security measures have to be in place to keep the data safe.

7 steps to take now

  1. Carry out a data audit to work out exactly what personal data the team or organization stores, why and how it stores it, and what the legal basis for holding this data is.
  2. Do a full review of current privacy notices and ensure that they align with the requirements of the GDPR.
  3. Make sure that the club/organization has proper systems in place in case of a data security breach.
  4. Consider whether consent is needed and, if so, how consent is obtained from the respective players, members, etc. and whether it’s collected appropriately under Article 7 GDPR.
  5. To the extent consent hasn’t yet been collected correctly, attempt to refresh or improve the consent, or consider whether another legal basis for processing that personal data is appropriate under Article 6 GDPR.
  6. Consider whether any sensitive data is processed within the organization and whether proper systems are in place to protect it.
  7. Review data security measures and make sure that personal data is stored securely, i.e., that digital records are encrypted and password protected and that the data is backed up on a regular basis. Make sure that members, volunteers and employees can identify when a breach has occurred, and that they understand what they need to do and who they need to speak to.
