Is your cricket club GDPR ready?

You have probably heard about GDPR at work or in the pub. But have you considered how it will affect your club?

The recent ECB guidance was, at best, a holding operation. I am told more definitive and practical advice is in the pipeline. But, judging by the time it took to get the first communication out, that will probably not arrive ahead of the May 25 compliance deadline. So what about those dire warnings of massive fines if you are not compliant by then?

That fact is it DOES affect you but not as much and with such force as the many GDPR snake-oil-salesmen are predicting. GDPR has all the hallmarks of the 2000 Millennium Bug scare many of us will remember.

The detailed UK implementation of this EU regulation (and no, Brexit won’t stop it) has yet to be worked out and Parliamentary legislation is still at a relatively early stage. So, to be fair to ECB, it is a moving feast and nothing is concrete. That’s why the May 25 date is more a milestone than deadline; and the GDPR gauleiters will probably be knocking on the doors of Google, Facebook and a few other global data behemoths well before they get to your club.

In essence, don’t panic. First and foremost, clubs will NOT be required to register with the ICO so long as they can demonstrate they are not-for-profit. That means intentionally not just the actualite. Unless you have CCTV; that’s a whole different ball game, just as under current data protection regulation.

However, if you SELL your membership data to third parties you need specialist advice. If you ‘give’ your data to third parties to process for you such as Teamer, Pitchero, Membermojo, and ……Team App etc. etc, you need to be clear about the advice they are giving you. Especially if you uploaded your members’ details – without their explicit permission – rather than ask the members to do it themselves. It is unclear, yet, how this will affect Play Cricket and ECB say they are confident it will be compliant in time. But what if your 2nd XI opener doesn’t want their career stats open to club members let alone the public?

Here are the simple guidelines that should help avoid the “20% of global income” fine if some malcontented member – or, more likely, some malcontented ex-member still on your mailing list – decides to dob you in it as a cheap and low shot. At least until more definitive guidance emerges:

1. Appoint a Data Supremo or Czar. Probably the club secretary unless they are on the wrong side of the digital divide.

2. Have a discussion at Committee – an audit – and log all the club data: what it’s for, where it’s kept, who has access and how it’s processed. Membership, mailing, subs, match fee lists….you get the gist. You need to be especially careful about sensitive data: bank, junior, health, welfare, tea ladies’ ages, etc. And it includes paper not just digital data, so the captains’ little black contact books, for example.

3. You should be doing this already but make plans on who has ownership and access. Preferably keep online – in an encrypted cloud-based repository, not on someone’s hard drive, with limited people and protected access.

4. Amend your membership application form so you ask permission to use the data therein for legitimate club admin purposes. You cannot rely on consent alone – it can be withdrawn – but it should reinforce the implied contractual obligation the club has to service the member’s relationship with the club. So that covers finance, communication, marketing events and safeguarding juniors etc. Numerous good examples are bound to emerge and I will post some on the document sharing file so you don’t have to reinvent the wheel.

5. Work out how you are going to get all existing members to sign something similar over time. Preferably before hell freezes over. And get them to take ownership, if they haven’t already, of their Play Cricket, Teamer, Team App etc., etc. registration. And maybe even update their 1993 abode or that silly student Hotmail address that always bounces back.

6. Start working out a club privacy policy you can stick online, and refer to at every available opportunity, so each form doesn’t cost a small forest. This alone is a business case for your club’s own website. Again, examples are emerging and I will post some on the document sharing file.

7. Wait with baited breath for next best advice. So revisit……regularly. And minute the discussions…….in the minutes your privacy policy says you will keep for 10 years and then destroy. Ahem!

And just to caveat all the above. These guidelines are probably not definitive or complete so I am not going to accept responsibility for them. But they’re the best you’re going to get right now!

Leave a Reply

%d bloggers like this: