The General Data Protection Regulation (the GDPR) came into force in the UK on 25th May 2018. Although this is EU legislation, the GDPR will be transposed into UK law and will replace current data protection law including the Data Protection Act 1998. It applies to all organisations regardless of size and status - therefore it applies to affiliated clubs as well as to the SCA.
Many of the principles that underpin the GDPR are the same as those on which the Data Protection Act was based. However the GDPR contains several notable differences and has an increased emphasis on the rights of individuals about how their data is provided to organisations and how it is used:
Changes have been required in the following areas:
- Privacy Notices - individuals have greater rights about being informed about how their data will be used (processed) by organisations
- Consent - there are new rules on how consent must be obtained by organisations compared to e.g. pre-ticked boxes that we might have seen in the past
- Additional Rights of Individuals - including Subject Access Requests and the right to be forgotten
The SCA has produced a briefing document which has been sent to Club Secretaries/Club Data Protection Officers and template privacy notices are available which clubs can adapt for their use. Please email firstname.lastname@example.org if you need further informaiton
The processing agreement in place between the SCA and each Affiliated Club defines the transfers of personal data in both directions between the SCA and clubs. This can be downloaded from this page as a pdf.