Data Protection

back to Protection

Data Protection

Overview of topic

Gymnastics clubs will collect and use information about living individuals (‘personal data’) for different purposes. This will vary dependent on the individual (‘data subject’) and the specific reasons why you need their data.

Data protection laws set out strict rules that apply to clubs. Understanding your club’s data protection responsibilities should be a priority, as many data subjects will be children and some personal data will be sensitive.

Getting data protection right will help you avoid complaints and data breaches and minimise risks to individuals and your club.

Further information

The General Data Protection Regulation (GDPR) has led to an increased awareness of data protection, both by organisations that need to comply and by individuals who wanted to understand the individual rights that the law provides them.

The GDPR is based on principles, for example, personal data must be used fairly, lawfully, and transparently and be kept accurate and secure. Those that need to comply must be able to demonstrate how they comply, e.g. by providing documentation.

Although the GDPR aimed to introduce consistent rules across the EU, there are some areas where there is still flexibility to make national rules. In UK, the Data Protection Act (DPA) 2018 provides some additional conditions when it is lawful to use personal data as well as exemptions when the GDPR does not apply.

In addition, the Privacy and Electronic Communications Regulations (PECR) sets out rules that will apply to clubs who send electronic marketing communications or use cookies (or similar technologies) e.g. on a club website.

It is important that you understand how these laws apply to your club activities and take steps to comply.

It's a fact...

The Information Commissioner’s Office (ICO) is responsible for enforcing data protection law in the UK but is also a helpful source of advice.

Although other forms of enforcement are more likely, the maximum fine for breaches of data protection law is 20 million euros or 4% of an organisation’s global turnover!

Some clubs may need to pay an annual fee to the ICO. Clubs who are not-for-profits may not need to pay but it is important that all clubs check with the ICO. Any club that uses CCTV for crime prevention will need to pay the fee.

Top tips

Complying with data protection law is easier if you know what data you hold. Use our data asset register template found in the GDPR toolkit to record:
a) the purposes for using personal data e.g. club membership, salaries, insurance, payment of fees, competitions, squads, fundraising etc.
b) the personal data you use for each purpose and the data subjects e.g. members, parents, employees, volunteers etc.
c) where the data is stored and who has access.
d) other organisations you share personal data with.

Make sure you consult with all key stakeholders to get a complete picture. You can then start to apply the data protection principles to each purpose and create an action plan.

Frequently asked questions

Does everyone need to comply?

Data Protection laws apply to organisations and individuals who process/use personal data but exempts individual whose use of data is for purely personal /family/household purposes.

Who is legally responsible for compliance?

The ‘controller’ is accountable. If your club has a legal status e.g. is a company, the controller is the organisation. Where a club is run by a committee or a sole trader/partnership, the controller will be the individual(s) who are in charge.

Do we need to appoint Data Protection Officer (DPO)?

Some organisations must appoint a DPO, but this is unlikely to apply to local clubs. However, it is important that someone has the responsibility for data protection at your club.

What is a personal data breach?

A personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.


Controllers need to prepare privacy notices that provide specific information to data subjects. These notices must be clear and easy to understand.

Data breaches need to be reported to the ICO within 72 hours of the controller becoming aware, unless unlikely to result in a risk to data subjects. The ICO has a data breach helpline if you need advice.

We have developed specific guidance and templates to help gymnastics clubs. Our e-learning courses will also help you to ensure your club officials have completed appropriate data protection training.

Data protection compliance can be complicated so if you are unsure about your responsibilities contact DAS Law for specific legal advice.

ICO self-assessment


Try completing the ICO self-assessment, which is specifically aimed at small businesses and sole traders.

GDPR Toolkit


Check out our data protection resource in the Toolkit section - GDPR toolkit this has various template documents including a club privacy notice template and drafting guidance.