British Rowing

GDPR Guidance

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

What is GDPR and what does it mean for rowing clubs?

The UK Government intends to incorporate these requirements into UK law under the Data Protection Bill, with the regulations coming into force on Friday, 25th May 2018.

The focus of the regulations is to lay out the way in which all organisations handle personal information. They specify the rights of the individual (the data subject) and the responsibilities of any organisation that captures and stores data that can be identified as personal. This includes names, dates of birth, addresses, performance data - anything that relates to a person.

Preparation for GDPR

The Sport & Recreation Alliance have been commissioned by Sport England to create a GDPR toolkit for the sport sector, including specific guidance for sports clubs. This can be accessed for free, and includes guidance, templates and supporting notes to help clubs meet the requirements of GDPR.

We recommend clubs start by working through the Sport & Recreation Alliance's 'GDPR Compliance Questionnaire', which can be found via the link above, and also by undertaking an audit of all personal information held by the club.

This audit should include details of what the data is, where it is stored and in what format, who has access to the data and for what purpose the data is held. The focus should be on data held directly by the club, away from the British Rowing membership platform. This is likely to include membership records, performance data, coach and volunteer records – if the information contains a name, or other information that could identify an individual, it will be covered by GDPR.

As well as auditing the data that is held, clubs should also focus on how the information was obtained and whether this was through explicit consent. Is the data subject fully aware of the information being held (informed) and have they given their explicit consent?

British Rowing is currently undertaking an audit of all information we hold in preparation for GDPR.

Top tips to start your journey to GDPR readiness

Here are a few suggestions to help you get started towards compliance with the GDPR.

1. Process

Understand the journey that personal data takes through your club. What information do you collect and do you need that information? What do you tell people when you collect it? On what legal basis have you collected it? Where and how do you store that data? What do you do with it? When is it deleted? This will allow you to identify any areas of risk.

2. Awareness

Make sure that your coaches and volunteers are aware of the GDPR and data protection issues and that they know who to talk to if they receive a subject access request or if there is a breach.

3. Policy

Make sure the policies and procedures you have in place help your volunteers deal with data protection issues.

4. Communication

Make sure you tell individuals at the point of collection what you will do with their data and when you will delete it.

5. Publish

Publish a simple data protection statement that includes a way for your members to contact you should they wish to see the data you hold on them. Make it clear they have a right to ask for changes should they consider the information you hold to be inaccurate.

6. ICO Guidance

You can find more information on GDPR on the Information Commissioner's Office (ICO) website here, including the '12 steps to take now' and the 'Getting ready for the GDPR' self-assessment tools. The ICO also now offers a helpline. Representatives of small organisations should dial 0303 123 1113 and select option 4 to be diverted to staff who can offer support.

For more information, visit the GDPR FAQs page.

The guidance given here is aimed at assisting British Rowing affiliated clubs, competitions, Regional Rowing Councils and Associations with identifying the key areas that should be addressed as a result of the additional requirements arising from the upcoming introduction of GDPR. Many people will no doubt already have considered – and where appropriate have taken specialist advice – regarding the impact of existing UK Data Protection legislation insofar as that may impact their activities.

It is similarly recommended that clubs and associations take appropriate advice if they have concerns or are still in doubt regarding specific issues having read this document. There are some suggestions within this document as to where that advice may be sought, but those should not be viewed as exclusive.
