SFA Banners

General Data Protection Regulations

Are you handling personal data correctly?

General Data Protection Regulations are changing

Lets ensure that you are handling data correctly

What is GDPR?

The General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 and is active as of  Friday 25th May 2018. The regulations require all data controllers and data processors to meet the new requirements. The UK will supplement this with a new Data Protection Act later in the year and football clubs across the country are encouraged to ensure they know how they should and shouldn't be handling any data that they may hold or have access to.

What changes are being made?

The main changes include:

  • Increased rights for data subjects, including a right to detailed data protection notices and new rights to delete or restrict data;
  • New accountability obligations, which will require data controllers to demonstrate and record how they meet data protection obligations; and new fines, of up to €20,000,000.


Staffordshire FA

E-mail: support@staffordshirefa.com

Office hours:
Mon - Thurs: 9:00 - 17:00
Fri: 9:00 - 16:00



The FA will not be undertaking any review or compliance activities in respect of non-FA systems. In addition, The FA will not be undertaking compliance activities in respect of clubs’ use of data on FA systems for their independent purposes or, to the extent that it falls under the provisions of the regulation, personal data processed by clubs in hard copy forms.

Any non-FA systems or applications which clubs use to collect personal data or processing which is carried out by clubs for independent purposes will need to be reviewed and updated (as necessary) by each club. Each club will need to consider if it needs to update its notices to participants, create internal data protection procedures or spend time considering its information security procedures.


The FA has completed a thorough GDPR audit with the help of external advisors and are in the process of making a number of changes to our systems and processes to meet the new legal requirements.

Where you rely on an FA system, for example WGS or FullTime, you can be sure that it will meet requirements on information security and that online terms and privacy notices will be updated to cover known and intended uses of The FA’s systems.

The FA will also make sure that contracts are in place with any relevant software providers and with other footballing stakeholders as needed under the GDPR.

U15 2017 5

Who's on hand to help?

There is plenty of support on offer for Clubs to utilise in relation to the GDPR changes. Muckle has been chosen to provide legal support to The Football Association alongside County FA's and Charter Standard Clubs throughout England and Wales.

They have put together a number of very useful guides that can be accessed to help understand the changes in more detail and how it may impact on grassroots clubs.

U16 2017 2
Other support options

Online training

Another option available for Clubs is to access the online course that is available via High Speed Training.

This GDPR training course will outline your main responsibilities and help you to start making the necessary changes. The biggest changes under the GDPR are in relation to obtaining consent, the right to be forgotten and the appointment of a Data Protection Officer.

The course is 1 hour long and costs just £25.00.

Want to find out more?

Here are some answers to your frequently asked questions:

A controller is an organisation that determines the means ("how") and purposes ("why") of processing. It can choose what data will be used and for what purposes, and is in charge of ensuring that all data protection requirements are met. For example, The FA is a data controller for its employees as their employer and of participants' details where these are registered under FA rules or are used for FA marketing.

A data processor is an organisation that only processes data on behalf of a controller and on their instruction. A data processor does not have any independent right to use data for its own purposes. Most of a data processor's obligations come under contract from the data controller, but under the GDPR processors now also have some statutory obligations to ensure security, report breaches and keep accountability documents.

Data is any information that relates to an identifiable individual. This isn't limited to 'obvious' information, such as a person's name, address or bank details, but also includes information such as their FAN number, their dietary requirements and their photograph. Data does not have to be factual – opinions that a person holds, or opinions that other people hold about them, are also considered personal data.

Processing is any use of personal data. This includes storing it, using it to make decisions, accessing it on your phone, sending it to another person or even anonymising it. If you "do" something to personal data, you will be considered to be "processing" it.