This page sets out information on how to identify the role your organisation has in data protection compliance and guidance on how to allocate responsibility within your organisation.
Roles and Responsibilities
Controllers and Processors
Organisations that collect and use personal data will do so as either a ‘controller’ or ‘processor’. A controller is the main decision-maker, determining how data will be used. Processors act on behalf of controllers and may only use data in accordance with the controller’s instructions.
Clubs, referee societies and constituent bodies will act as controllers in most cases, because you decide to collect data and use it to fulfil your organisation's purpose. For example, clubs need to collect members’ data in order to run the club, and constituent bodies need to collect data on players and other participants in order to conduct discipline proceedings and fulfil safeguarding duties.
When you engage and share data with service providers, they will likely act as processors as they can only use the data to provide you with the service.
The distinction is important because controllers carry the highest level of compliance responsibility, and additional obligations apply to them. For example, controllers are required to issue privacy notices to individuals (see section ‘Transparency and Privacy Notices’ in the Collecting and Using Data section for information on transparency requirements) and to determine the lawful basis of processing (see section ‘Fair, Lawful and Transparent Use’ in the Collecting and Using Data section for more information).
There may also be limited situations where your organisation acts as a ‘joint controller’ with another organisation. This is not very common but occurs where two or more controllers are processing the same data as part of a common objective.
Internal Responsibilities
You should designate someone to take responsibility for data protection compliance and decide where this role will sit within your club/referee society/CB’s structure and governance arrangements. You should consider assigning that person the “Data Officer” role in GMS.
Everyone with a role that requires them to access personal data should also be aware of their role in maintaining compliance with data protection laws.
How to do it
Data Officers
It is important that someone takes proper responsibility for privacy and data within the club, referee society or CB and, ideally, they would have some relevant experience.
Consider sending a message to your membership to see if anyone has had to consider data protection as part of their working life.
We recommend that this person is a member of the main committee so that they will have visibility of how data is used throughout the organisation.
Some organisations are legally required to designate a formal Data Protection Officer and for this person’s contact details to be provided to the ICO. You should review the ICO guidance carefully and take advice if you are unsure whether this is required. Even if not formally required, some organisations choose to appoint a Data Protection Officer, and some law firms or consultancies can provide an outsourced service.
Note that this is not the same as a “Data Officer” on GMS – just because you nominate a “Data Officer” in GMS, this does not automatically mean they are a Data Protection Officer for the purposes of the UK GDPR and ICO.
Whether or not you formally register a Data Protection Officer with the ICO, what is important is that there is at least one person in the club, society, or CB who is tasked with understanding what data is used and why. This is important as that person will monitor the level of compliance and act as a central point of contact for queries on data protection both internally and for members and other external bodies or data subjects.
Other personnel
Other members of staff will also have access to personal data and so should play an active role in maintaining compliance. It is important that they are kept informed and updated on their responsibilities. This should be done by implementing and maintaining appropriate policies and procedures for data compliance matters and by providing training at appropriate intervals (see sections on ‘Demonstrating Compliance’ and ‘Awareness and Training’ below for further information).
Where to find more information
The ICO has produced guidance on Data Protection Officers. The Data Officer will not necessarily need to be a formally appointed Data Protection Officer under the UK GDPR, but the guidance may clarify the role and help with identifying a suitable individual.
Demonstrating Compliance
One of the key areas of UK data protection law is that an organisation will have to demonstrate that it is compliant. Consequently, there is a large emphasis on record keeping and maintaining other documentation.
You will need to keep records of:
The name and contact details of the data controller (i.e. the club, referee society or CB – in some cases you may be a joint controller with the RFU);
The purposes for which you process data and the lawful bases you rely on;
How long you keep data;
A description of the categories of individuals whose data you hold;
A description of how data is shared with, or obtained from, third parties and any international data sharing that goes outside the UK; and
A description of your security measures.
The ICO also recommends keeping records of the following:
Information required for privacy notices (including the lawful bases of processing, any legitimate interests relied upon, individuals’ rights, any automated decision-making or profiling used, and the source of personal data);
Records of consents;
Records of any contracts where you share personal data;
The locations you store personal data;
Any data protection impact assessments or other risk assessments you undertake; and
Any personal data breaches.
In addition, you should maintain policies and procedures covering the following, which all staff should be aware of:
General data protection policy informing staff of the general principles, their responsibilities, and consequences of breach;
Procedures to follow in the event of a personal data breach or data subject request; and
Procedures to follow in respect of retention and deletion of data.
These may be included in one policy, or in separate policies. It may also be helpful to link to other related policies, such as IT security or ‘bring your own device’ policies if used and relevant.
The ICO may request this documentation, and you should be ready to provide it if needed.
How to do it
There is no specified format that your policies and records must take, so you can create these in the manner that works for your organisation.
However, the ICO has provided a template record of processing which can be used to help create your records. Please see the Documentation page on the ICO website for the template (the ‘Documentation template for controllers’).
Similarly, policies and procedures for compliance, including breach and data subject request responses, should be tailored to suit your organisation. You should consider who in your organisation needs to be notified and what the best process is to respond. The RFU has provided some high-level guidance on responses to data breaches (see Appendix 1) and data subject requests (see Appendix 2), but you will need to adapt these to suit your organisation.
Where to find more information
For guidance on the documentation required, visit the ICO website.
Awareness and Training
It is good practice for everyone who collects or uses personal data to receive training on this. They should be made aware of their legal obligations and their obligations under relevant organisation policies. This should be done on joining and updated at sensible intervals, such as on a change of law or practice, or annually.
We suggest that this toolkit is sent to all members of the committee of the club, referee society or CB, and any administrator or registrar.
The ICO has a large amount of guidance available on its website.
For any general queries relating to data protection, please contact the RFU Legal Helpline on 0333 0100337.