Resources
- GDPR Toolkit - easy print version
- Appendix 1: Data Breach Management flowchart
- Appendix 2: Subject Access Request flowchart
Frequently Asked Questions
There is no express prohibition on this in data protection law, and many organisations allow staff to use their own devices. You will need to assess whether you are able to implement appropriate security measures to protect that data when staff are using their own devices. This may include requiring the installation of certain security programs, or requiring that data be accessed only via certain software, e.g. the GMS portal.
Yes, but you will need to take extra care. You should keep a central record of where all information is stored, and who has access to it. You should also ensure that the files are kept secure, and the memory sticks should be password protected.
This depends on (i) what you have told your members in your privacy notice, and (ii) what the sponsor wants the data for.
In order to share the data, you will need to have told members in your privacy notice that you will share data with sponsors. If the sponsor wants to send marketing to the members, the members will need to have provided their specific opt-in consent to receive marketing from the relevant sponsor. If the sponsor wants the data for other reasons, then consent may not be required but you will need to establish another lawful basis.
You can send service messages and necessary club/referee society/CB information without consent. However, if a message is going to contain marketing, then it will be deemed a marketing message and you will need prior consent from users before sending them marketing, whether that marketing is about your own organisation or your sponsors.
Yes. GMS is provided through a web browser using the Secure Sockets Layer (SSL) to provide a secure connection using a cryptographic key. Data held in the GMS database is on a secure server with the data, including user passwords, encrypted.
If you need advice, please contact the RFU’s Legal Helpline on 0330 303 1877. Note that the RFU itself is not able to give specific legal advice to clubs, referee societies, or constituent bodies.
In terms of responding to requests for personal data, the ICO (the UK’s regulator) website contains useful guidance, which can be found here. For any general advice, please contact the RFU’s Legal Helpline on 0330 303 1877. Note that the RFU itself is not able to give specific legal advice to clubs, referee societies, or constituent bodies.
The UK GDPR does not dictate how long you should keep personal data. It is up to you to justify this, based on your purposes for processing. The ICO website has a very useful guide on Data storage, sharing and security, which can be found here.
No, the RFU is not responsible for requests made by an individual for data held by clubs or referee societies. It is the responsibility of the club or referee society to supply this data; requests should not be forwarded on to the RFU.
No, the RFU is not responsible for clubs' or referee societies' personal data breaches or for their failure to comply with individuals' rights. This is the responsibility of the club or referee society.
You can contact the RFU Legal Helpline for further guidance on 0330 303 1877, or you can access the ICO’s website, which contains extensive guidance here.