Gathering personal information or data is integral to the correct running of clubs. The risk of mismanaging this data is low, but nonetheless it is crucial that the data is managed, collected and stored correctly and in accordance with the GDPR.
In the case of Cycling Ireland clubs, Cycling Ireland is usually considered the Data Controller, with the personal data and information on our database required for the purpose of issuing Cycling Ireland membership. Clubs, in this case, are regarded as the data processor as they are gathering personal data for this purpose. In this case Cycling Ireland is responsible for compliance with data protection legislation and GDPR, and clubs are expected to process data securely.
Club officials must ensure data is processed securely;
- It is updated regularly and accurately;
- It is limited to what the club needs;
- It is used only for the purpose for which it is collected; and
- It is used for marketing purposes only if the individual has given their consent to do so. This needs to be an opt-in consent rather than an opt-out consent.
Should the club ask for any information other than that required by Cycling Ireland for membership, recorded consent from the individuals and the processing of their data must take place outside of the Cycling Ireland system, and the club becomes the data controller with primary responsibility for compliance with data protection legislation including GDPR.
Should clubs fail to comply with data protection and are in serious breach, there will be increased fines. While Cycling Ireland is usually the data controller of personal data on its systems, both data controllers and data processors can be issued with fines under GDPR.
Club officials should not be using personal email addresses, instead a “club” email address should be used. This increases the likelihood of transparency and maintains continuity. It also keeps the data stored in one place that is only controlled by the club official or data controller.