GDPR - Data Regulations

Posted by Todd Lake on 27 February 2018


The GDPR regulations will apply to all EU member states and the UK from 25 May 2018. These changes are significant and cover all your club’s operations. We advise you to check the Information Commissioner’s web site for full details. This document covers your contract with ClubBuzz Ltd and deals with the changes necessary for you to comply with the new regulations. We hope to have covered all the issues raised in the GDPR, but the Information Commissioner is still making new recommendations, so you may receive further communications from us over the next two or three months. All actions we have undertaken below are subject to change should the advice from the Commissioner change.

The first thing you need to know is that, under these regulations, you are classified as the Data Controller (a data controller is defined as “the person who owns and decides what should be done with the personal data”) and ClubBuzz is your Data Processor.

This guide is intended to assist you, our client, as data controllers. It tells you what changes we will be making to the ClubBuzz template that you use and also outlines what actions you need to take before GDPR comes into force. Again we ask you to note that this is a guide to how our systems can help you comply, but you hold full responsibility for making yourselves aware of all the elements of the regulations and ensuring that you conform to them.

GDPR is concerned with personal data, which is defined as “any information relating to an identified or identifiable living natural person”. The GDPR rules that such data must be processed fairly and lawfully. This means that the data subjects (your members) should not be misled about the purpose of the collection of their personal details. You must therefore make clear to them all the uses for which you intend to use their personal data. This must be done when collecting new information from a member. N.B. it is our understanding that you do not need to notify your members about data you held prior to the new Regulations coming into force, although for best practice purposes we would recommend that you do advise them at the point of re-registration.

In order to facilitate the new functions necessary we will provide a new heading visible to the Data Controller and the Administrator entitled GDPR. This will be used to customise the various messages and emails which will become necessary.

Summary of Main Points of GDPR which we believe affect you:

Personal Data must be kept secure from unauthorised access, it should only be retained as long as is necessary for the purposes for which it was collected.

1. You must nominate a “data controller” who is responsible for seeing that you comply with data protection law. In order to comply with GDPR as your data processor we need to know who this person is so that we can report any breaches quickly to your club. If you have a Data Controller you will be asked to add their details in your club account page. NB: If you don’t have a Data Controller, or until you add one, your club administrator will be our default point of contact and be assumed to be your Data Controller.

As a data controller you must carry out due diligence when choosing your data processor to ensure that they conform to the GDPR. To help you in this regard you can check our Data Management Manual which is available here. Please note that if you were our client prior to the new regulations we do not need to gain new approval from you. However, we have made our guide available, which should give you confidence in our ability to serve you in accordance with both Data Protection Law and Best Practice. Any questions you have should be emailed to, subject header GDPR query.

You must be able to demonstrate that the data subject (your member) has consented to the use of their personal data and that such consent was freely given. Where consent is given in a written declaration which covers other issues, for example a standard terms and conditions policy, the request for consent must be clearly distinguishable, in an easily accessible form and use clear and plain language. You must define the specific reasons for which the data is required. In each case where this applies a “tick box” will be available against clear wording confirming the member’s agreement. Those who are members of your club prior to the new regulations coming into force do not need to be asked to consent to you holding current data on them. However, if you collect new data from them you will need to advise them of the purpose of the data collection. As best practice, for those clients using registrations we will add wording at the bottom of the registration form with a tick box so that you can gain their approval on an annual basis. When we make these changes they will include a form already populated with our suggested standard wording. It will be editable by you so that you can fully explain the use of data within your organisation, and it is vital that you do cover ALL the uses you put personal data to. New members will have to agree to the use of their data; they will see the same wording as mentioned above at the point of accepting their invitation to register on the system. In the case of either an existing member or a new applicant, if they do not agree, an email will be sent to your data controller asking them to contact the subject directly and take whatever action is deemed appropriate (e.g. delete the record from the file).

2. The data subject has the right to withdraw consent at any time, which must be as easy to do as giving consent. In order to facilitate this we will place in the footer text a clear message prepopulated with: “If you wish to withdraw consent for us holding your personal data please email {populated with email of your data controller} requesting your data be removed from the site. However, this will only be possible if you cease your membership”. You will be able to edit the actual wording in the “GDPR” section. Where a member proceeds with the request, the Data Controller will start an automated deletion of the member account which will be actioned 48 hours after the initial request. Should a member have an outstanding financial balance on their account (for clients using our financial package), that member will be notified of the need to make full payment of the balance in order that their data can be deleted. In that instance all personal data will be deleted after 48 hours except that data required to manage debt collection. Once all debt has been paid there will be an option for the Data Controller to delete all remaining data.
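The withdrawal-of-consent workflow described above (membership must have ceased, a 48-hour delay, and a debt-collection exception until the balance is paid) can be modelled as a small erasure routine. This is an added illustration, not ClubBuzz code; the field names, the set of fields assumed to be needed for debt collection and the sample record are all hypothetical.

```python
from datetime import datetime, timedelta

GRACE = timedelta(hours=48)  # deletion is actioned 48 hours after the request

# Hypothetical: the minimum fields assumed necessary to manage debt collection.
DEBT_COLLECTION_FIELDS = {"name", "email", "balance_due"}


def process_erasure(record: dict, requested_at: datetime, now: datetime) -> tuple:
    """Apply the consent-withdrawal workflow to one member record.

    Returns (fields still held, status). Statuses:
      refused - membership has not ceased, nothing is removed
      pending - inside the 48-hour window, nothing is removed yet
      partial - balance outstanding: only debt-collection fields are kept
      deleted - record fully erased
    """
    if record.get("membership_active", False):
        return dict(record), "refused"
    if now - requested_at < GRACE:
        return dict(record), "pending"
    if record.get("balance_due", 0) > 0:
        kept = {k: v for k, v in record.items() if k in DEBT_COLLECTION_FIELDS}
        return kept, "partial"
    return {}, "deleted"


def delete_remaining(record: dict) -> tuple:
    """The Data Controller's final step once the debt has been settled."""
    if record.get("balance_due", 0) > 0:
        return dict(record), "partial"  # refuse: balance still outstanding
    return {}, "deleted"


# Constructed sample member record (not real data).
SAMPLE = {
    "name": "A. Member", "email": "a.member@example.invalid",
    "phone": "01234 000000", "address": "1 Example Road", "team": "U15",
    "balance_due": 30.0, "membership_active": False,
}


def run_sample() -> list:
    """Walk the sample record through the workflow; returns (status, fields held) per step."""
    t0 = datetime(2018, 5, 25, 9, 0)  # hypothetical request time
    steps = []
    for now in (t0 + timedelta(hours=1), t0 + GRACE):
        kept, status = process_erasure(SAMPLE, t0, now)
        steps.append((status, sorted(kept)))
    kept, status = delete_remaining({**kept, "balance_due": 0.0})  # debt settled later
    steps.append((status, sorted(kept)))
    return steps
```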

3. The regulations also include a right to be forgotten, where anyone mentioned on your web site may ask for that reference to be removed. This will be explained in the footer, where there will be an option to commence this procedure.

4. In defining security of personal data the GDPR specifies that it must be transmitted and stored in encrypted format. If your site uses one of our subdomains, for example, you already conform, being fully protected by our 256bit SSL certificate which confirms that the data is encrypted, and you need take no further action. If you use your own domain name, the only time data is currently transmitted is from the contact and join us forms. We will reconfigure our systems so that these sit under your ClubBuzz subdomain. This means that when a user clicks on the menu tab for the contact form, instead of your domain they will view it via your .clubbuzz subdomain, as already used within the content management system of your site.

5. There are specific security obligations relating to the security of data, and as such passwords must be robust. Whilst members can only access their own data, those with management roles can view other members’ data, and it follows that they need a higher level of password. We will make the rules for an acceptable password more stringent and require passwords to be changed from time to time. The rules for managers will be even tighter in order to ensure they meet the reasonable standard demanded by the GDPR. We will set up the system so that Managers can only access data of the teams they are allocated to.

6. Data subjects under the age of 13 cannot give their own consent, and any agreement to hold data, request to delete and use of the right to be forgotten must come from the parent / guardian. Any written declarations will include the following wording: “Please read the statement below and tick the consent box. If you are under 13 years of age this consent must be given by your parent/guardian.” Where this is the case the name of the adult agreeing must be entered together with their relationship to the juvenile.

Additional questions to consider

We hope we have made clear the route we are taking towards full conformity with the GDPR. For you as a club there are other considerations, however, some of which we list below:

1. If you download members’ personal data onto laptops, tablets, phones, etc. you need to ensure that this is secure from unauthorised access. Paper-based lists need to be held securely too.

2. Do you have any old databases on other systems or personal computers? If so, how secure are they, and do those systems comply with GDPR? The regulations are specific that data should only be held for as long as it is necessary, so it is a good idea to review who holds what, on what, and delete anything which is not current and no longer required.

3. Do you delete personal data of lapsed or old members on a regular basis? Is it necessary to keep data for as long as you do?

4. Do you give any data to third parties, sponsors, etc.? If so, it is your responsibility to ensure that they are complying with GDPR as far as the handling and security of your data is concerned.

5. An excellent plan is to minimise data held on computers under your control. Check who holds what data, for what reason, whether it is secure and whether it is necessary.

6. Data entered through your ClubBuzz template is NOT stored on the computer used to enter it. So there is no possibility of a breach unless you decide to download such information. Such reports should be used for whatever purpose the data was downloaded and then erased.

7. Where you hold data with member details on a spreadsheet you should secure it with a password.

We trust that this document is helpful. We will be updating you as D-Day for GDPR approaches. You may be assured that we will be in a position to conform fully by that time. If you do have queries please email us at using the heading GDPR QUERY and we will do our utmost to help.
