Data Protection

This guidance note is intended to provide you with a basic introduction to data protection,
the laws that govern it in the UK, as well as outlining some steps you can take to ensure you
are complying with the relevant rules and laws. IIt is meant only as an introduction to what
is a complex and nuanced area and is not intended to constitute legal advice. If you are
unsure as to the implications for your particular club or your obligations under Data
Protection law we would recommend visiting the Information Commissioner's Office (ICO)
website or seeking specialist advice.
For the purposes of data protection a voluntary club or group would be held to the same
standards as any other business, and it is important that you are aware of your obligations to
your members. You may have additional obligations under GDPR, and the ICO
self-assessment tool will help you to determine what these are.
For more information on British Canoeing’s approach to privacy, see the Privacy Centre.
1. What is Data Protection?
At its most simple level, the ICO states that Data Protection is about the “fair and proper use
of information about people”. It is about ensuring that data is processed and stored
responsibly and fairly.
Data Protection law in the UK is set out in the Data Protection Act 2018 (DPA 2018) and,
since the UK’s exit from the European Union, the UK General Data Protection Regulation (UK
GDPR) which is the retained EU law version of the General Data Protection Regulation
(GDPR).
2. Is Data Protection relevant to my club?
If you have or obtain information about people for club or event purposes then the answer
is likely to be yes! This is the case regardless of the size of your club or organisation.
As a result, it’s important you have an understanding of the key principles and what steps
you need to take to ensure compliance.
3. Data Protection Key terms
Personal data is defined in the legislation as any information relating to an identified or
identifiable natural person. This could be any information you gather about a member or
potential member, customer or employee and does not need to be information you would
consider private or restricted. If you can identify an individual from the information, then it
will count as personal data.
Processing of data will cover almost anything that you do with data within your Club
including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.

Last updated July 2021

A data controller is the person or organisation that decides why data has been collected and
how it will be used. It is the responsibility of the data controller to ensure that the
processing of that data complies with data protection law.
A data processor is a separate organisation who processes data on behalf of the controller,
in accordance with their instructions. The legal obligations on a data processor are more
limited than those imposed on a data controller. An example of a data processor would be
an external mailing company, such as Mailchimp.
4. Which regime applies to my Club?
As mentioned previously, both the DPA 2018 and UK GDPR are highly likely to impact your
club. The DPA 2018 sets out the main framework for data protection law in the UK replacing
the old Data Protection Act 1998. It supplements the UK GDPR which is based on the EU
GDPR which applied in the UK before its withdrawal from the EU. UK GDPR outlines the main
principles, rights and obligations with regards to processing personal data in the UK.

Whilst these different legal regimes may appear confusing, the ICO do offer a
self-assessment tool to help you decide which regime will apply most directly to you. You
can complete the self-assessment tool here.
In any event, whichever regime applies to your club, many of the fundamental principles of
data protection law remain the same.
5. Data Protection Principles
Article 5 of UK GDPR outlines the key data protection principles and it is these principles that
should form the basis of how you process personal data. You must ensure that data is:
1. used fairly, lawfully and transparently
This involves:
- identifying the valid grounds for collecting and using personal data (examined in
more detail below in the processing personal data section);
- using personal data in a way that is fair and not doing anything with the data that
breaches any laws;
- being clear and honest about how and why you are using an individual’s data.
2. used for specified, explicit purposes (‘purpose limitation’)
This involves:
- being clear about what your purposes for processing data are;
- ensuring you record your purposes and outline these clearly in your privacy
statements/notices;
- only using the data if it is in accordance with the original purpose.

Last updated July 2021

3. used in a way that is adequate, relevant and limited to only what is necessary
(‘data minimisation’)
This involves:
- using data in a way that is sufficient to properly fulfil your purpose whilst
ensuring the use has a link to that purpose and you do not hold or use more data
than is necessary to achieve that purpose.
4. accurate and, where necessary, kept up to date (‘accuracy’)
This involves:
- taking all reasonable steps to ensure the personal data is accurate and kept up to
date;
- taking reasonable steps to correct or erase incorrect data as soon as you become
aware of it.
5. kept for no longer than is necessary (‘storage limitation’)
This involves:
- not keeping personal data longer than is strictly necessary;
- having a policy which details how long you will retain data;
- regularly reviewing, and then anonymising or deleting data when it is no longer
needed;
- considering challenges to your retention policy or the data you hold in
accordance with the right to erasure principles.
6. handled in a way that ensures appropriate security of data (‘integrity and
confidentiality’).
This involves:
- ensuring protection against unlawful or unauthorised processing, access, loss,
destruction or damage;
- having appropriate security measures in place to protect the personal data you
hold.

The final principle is known as the accountability principle and this requires you to ensure
that you can evidence compliance with the rest of the principles detailed above.
Further, more detailed information on these fundamental principles can be found on the ICO
website but it is important to note that failing to comply with these principles can have
significant implications for your club with large fines permitted under the relevant
legislation.1
Processing Personal Data

1 UK GDPR Article 83(5)(a) details infringement of basic data protection principles could lead to a fine of up to
£17.5 million, or 4% of total worldwide annual turnover, whichever is higher.
Last updated July 2021

Whilst this guide cannot explain all 7 principles in detail, as a club, first and foremost you
must ensure that you adhere to principle 1, in that you must ensure you have a valid basis
for collecting and processing any personal data.
Article 6 of the UK GDPR details the 6 lawful basis for processing personal data. It is
important that one of these applies whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for
a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or
because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not
including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or
for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the
legitimate interests of a third party, unless there is a good reason to protect the individual’s
personal data which overrides those legitimate interests.
In many instances, the lawful basis for processing an individual personal data will be
obvious. However, it is important that you know and document what lawful basis you are
relying on for your respective activities. If you are unsure what lawful basis you are relying
on in a given incidence, you can use the ICOs interactive tool to assist you in this regard.
More detailed information on each of the lawful basis can be found on the ICO website:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-pro
tection-regulation-gdpr/lawful-basis-for-processing/

6. Ensuring Compliance
Data Protection can be daunting but there are a number of steps you can take to check how
well your business is currently adhering to the principles and law in this area.

1. Does your club need to register with the ICO? - Every organisation or sole trader
who processes personal information needs to register and pay a fee to the ICO
unless they fall under one of the exemptions. If you are unsure whether you need
to register, take the ICO self-assessment tool.
2. Does yourclub need to appoint and register a Data Protection Officer(DPO)? - UK
GDPR introduces a duty for you to appoint a DPO if you carry out certain types of

Last updated July 2021

processing activities. If you are unsure whether you need to appoint a DPO take
the ICO self-assessment tool.
3. Complete the ICO Data protection self-assessment to consider how your club is
currently placed and what actions you need to take.
4. Complete a Data Audit to consider where you currently obtain data from, who you
take it from, who you send it to, where it is processed and why it is processed. This
allows you to identify areas of risk. A Data audit template along with a Data
Protection Impact Assessment can be found on the ICO website and you may find
these useful as a starting point.
5. Ensure that you have the right policies in place to ensure you are (a) fulfilling your
own obligations and (b) being as transparent as possible to those people whose
data you are processing. This is likely to include ensuring you have the following
documents although depending on your size you may find you are able to combine
these into one document. Again, the ICO have some templates you may find useful
on their website.
- Data Protection Policy – This overarching Policy explains how you handle
personal data and will usually include setting out the principles, rules and
guidelines that inform how you will ensure ongoing compliance with data
protection laws.
- Data Privacy Notice – This will tell an individual what data you will collect from
them and how it will be used and stored as well as explaining their rights in
respect of the data.
- Data Retention Policy – This Policy details how long you will retain and store
different types of data.
- Data Breach Policy – This Policy sets out what action you will take in the
unfortunate event that there is data breach where data is lost, wrongly deleted,
or shared inappropriately.
6. If you are a business employing less than 50 members of staff, you can seek help
and support directly from the ICO using their live chat or online advisory check up.