Affiliation and Accounts-12

General Data Protection Regulation

GDPR

GDPR enforces data protection regulations  

GDPR gives rights to individuals in respect of the personal data held by companies, place obligations on companies on data collection and processing, and introduces a new regime of fines for data breaches. 

 

Muckle Charter Standard Clubs

Muckle has been chosen to provide legal support to the Football Association and its County FAs and Charter Standard Clubs across England and Wales. 

Read more here.

 

Muckle Legal Guidance

The FA's legal partner, Muckle, have produced a variety of handy factsheets to help you understand the jargon and role requirements for GDPR compliance. 

Read more here.

 

Muckle Online Course 

This GDPR training course will outline your main responsibilities and help you to make the necessary changes. The course is one hour long and costs just £25.00.

Get qualified here.

Get In Touch

Support available for Charter Standard clubs.

Email: CSLegalHelp@theFA.com

The General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 on 25 May 2018. It will require all data controllers and data processors to meet new requirements. The UK will supplement this with a new Data Protection Act later this year.

The main changes include:

 - Increased rights for data subjects, including a right to detailed data protection notices and new rights to delete or restrict data;

 - New accountability obligations, which will require data controllers to demonstrate and record how they meet data protection obligations; and new fines of up to  €20,000,000.

A controller is an organisation that determines the means ("how") and purposes ("why") of processing. It can choose what data will be used and for what purposes, and is in charge of ensuring that all data protection requirements are met. For example, The FA is a data controller for its employees as their employer and of participants' details where these are registered under FA rules or are used for FA marketing.

Data is any information that relates to an identifiable individual. This isn't limited to 'obvious' information, such as a person's name, address or bank details, but also includes information such as their FAN number, their dietary requirements and their photograph. Data does not have to be factual – opinions that a person holds, or opinions that other people hold about them, are also considered personal data

Processing is any use of personal data. This includes storing it, using it to make decisions, accessing it on your phone, sending it to another person or even anonymising it. If you "do" something to personal data, you will be considered to be "processing" it.

The FA has been working closely with our legal helpline service provider, Muckle LLP, to provide support to clubs around GDPR. Muckle LLP has produced a series of fact sheets and easy-to-use online training modules which can be accessed via the links below should you want further information.

 - FA Online Training

 - GDPR Factsheets

The Information Commissioner's Office (ICO) has also produced guidance for all UK businesses on how to prepare for the GDPR. You can find the following on its website

 - 12 steps to take now

 - Guide to the GDPR

In addition to the above, the ICO has a dedicated telephone helpline which provides advice on data protection matters and the GDPR.

The relevant contact information can be found here

The FA will not be undertaking any review or compliance activities in respect of non-FA systems. In addition, The FA will not be undertaking compliance activities in respect of clubs’ use of data on FA systems for their independent purposes or, to the extent that it falls under the provisions of the regulation, personal data processed by clubs in hard copy forms. Any non-FA systems or applications which clubs use to collect personal data or processing which is carried out by clubs for independent purposes will need to be reviewed and updated (as necessary) by each club. Each club will need to consider if it needs to update its notices to participants, create internal data protection procedures or spend time considering its information security procedures

The FA has completed a thorough GDPR audit with the help of external advisors and we are in the process of making a number of changes to our systems and processes to meet the new legal requirements. Where you rely on an FA system, for example WGS or FullTime, you can be sure that it will meet requirements on information security and that online terms and privacy notices will be updated to cover known and intended uses of The FA’s systems. The FA will also make sure that contracts are in place with any relevant software providers and with other footballing stakeholders as needed under the GDPR