We recommend that you read the whole of this toolkit, but this section summarises some key areas of data protection law that arise day-to-day and practical steps you can take to help with your compliance.
1. Data Officer
Allocate a suitable person (or people) to deal with personal data within the club/referee society/CB. One of the roles which a club/referee society/CB can already nominate in GMS is a “Data Officer.”
Data protection compliance is everyone’s responsibility, but appointing a Data Officer can help ensure compliance by taking active responsibility for monitoring compliance and assisting with enquiries. A Data Officer can be anyone with a role in your organisation, but it would be helpful if they had some existing knowledge of data protection compliance, or related areas, and should be supported by senior decision-makers. An example description of a Data Officer at a CB can be found here.
A number of voting members can nominate an individual, so if you have nominated an individual, consider whether this is the right person. Ensure that they read this toolkit and any other guidance.
See the section on ‘Roles and Responsibilities’ in the Data Governance section of this toolkit for more information on appointing a Data Officer.
2. Regular Reviews
You should have suitable policies and procedures in place (see ‘Demonstrating Compliance’ in the Data Governance section and the Collecting and using data section generally for more information) but data protection compliance is a live issue that requires regular review and input. In particular, you should:
- Review and update your record of processing when you start to use personal data for new purposes. The ICO has created a template record here. This format is not mandatory, but you may find it useful.
- Review and update your privacy notices any time you change your activities or share data with a new entity. (See ‘Transparency and Privacy Notices’ in the Collecting and Using Data section for more information on privacy notices.)
- Review and update your security procedures. (See ‘Data Security’ in the Collecting and Using Data section for more information on security.)
- Review and update your other relevant policies and procedures. This may include updating who has access to different data sets or amending who to contact in the event of a breach. The highest-level GMS permission holders (Level 5 for clubs and Level 3 for CBs) can control access rights through GMS but you will need to consider changes where data is stored elsewhere.
- Provide training and updates to volunteers and staff on any new processes or changes to law. This may include providing this toolkit as well as updates provided by the ICO (see ‘Awareness and Training’ in the Data Governance section for more information and resources).
It is a good idea to review your compliance when you make material changes to your use of data e.g. your club is using a new provider for its membership database or you want to start a new project that involves a lot of data. However, it is also a good idea to conduct reviews at appropriate intervals (often annually), which can form part of wider compliance reviews and updates.
3. Contracts
Contracts that require personal data to be transferred to another organisation where one party is acting as a processor require certain minimum terms (see ‘Roles and Responsibilities’ in the Data Governance section for more information on controllers and processors). This is often the case where you are engaging a service provider. For example, if you use a cloud-based software system, your agreement with the provider will need to include minimum terms set out in the UK GDPR. These terms include:
- details of the subject matter, duration, nature and purpose of processing, and the types of personal data and individuals involved;
- requirements on the provider to:
o only process on the instructions of the controller (in this case, your club/referee society/CB);
o impose a duty of confidence on their personnel who access the data;
o assist the controller with breaches, data subject rights request, and other compliance matters;
o keep records and allow for audits; - provisions on whether the provider can appoint sub-contractors who can access personal data; and
- provisions around what happens at the end of a contract.
You will need to ensure that you include these provisions whenever you enter into a new contract with a third-party processor. This should be built into any procurement and contract review processes you undertake.
You may also want to include additional provisions where you are sharing data with, or receiving data from, a third party who is not acting as a processor. This is not required by the UK GDPR but may be advisable for other commercial reasons. For example, to ensure that data is accurate and that any necessary consents are valid.
If the third party is located outside of the UK, additional standard terms may also need to be included. (See ‘Using Third Party Providers’ in the Collecting and Using Data section for more information on international transfers.)
How can GMS help you?
The RFU recommends that GMS is used as a means of helping with UK GDPR compliance. It is designed to be a secure system and keeping your records in fewer places means the process of reviewing and updating them should be more straightforward.
The RFU requires some personal data to be put onto GMS, such as first team adult registrations. Other data (such as names of second XV men’s players or general membership data) is not mandatory, but we recommend that if a club/referee society/CB collects this data, a safe way to store that is through GMS.
Using GMS also helps meet requirements on security by enabling access controls. Your Data Officer can decide who has what permissions (e.g. read, write and edit), so you can control which members of your organisation have access to which data.
Data Officers or your organisation should periodically do an audit at their organisation with individuals with permissions to ensure these are still current/required.
The template documents provided in this toolkit are also written on the assumption that data will be stored in GMS. If you do not use GMS, you will need to consider how you use these documents.
The ICO has a large amount of guidance available on its website.
For any general queries relating to data protection, please contact the RFU Legal Helpline on 0333 0100337.
