GDPR and Mountaineering Clubs

The following articles and links are to support club officers and committee members in understanding what the GDPR is and how to help their club to become 'GDPR compliant'.

All mountaineering clubs will need to comply with the regulations or penalties could be imposed, including very big fines.  GDPR will apply to you whether you pay staff or are all volunteers, whether you have a hut or not, whether you have 10 members or 1000 members… there are no exemptions.

What is GDPR?

GDPR gives UK citizens more control over how their personal data is used.  It makes it clearer for organisations (including both businesses and clubs) to understand their data protection requirements.  However, it also has very hefty fines for those who ignore or break the rules – up to 20 million euros can be levied.

How does GDPR affect my club?

The reason that all clubs need to comply is that clubs collect data about its members – name, address, e-mail address, telephone number etc.  For some clubs additional data may be collected such as data of birth, gender, emergency contact details or medical information (i.e. knowing that someone is asthmatic in case there is an issue on the hills).

If your club is fully compliant with the Data Protection Act (DPA) then you may only have minor changes to make to be compliant with GDPR.

Steps to ensure that your club is GDPR compliant

These are the first steps that you need to take to check out what you do as a club with the data that you hold. Over the coming weeks more information will be posted on the BMC website.

1. Consider what data you hold: who holds it and who has access to it?
2. Consider where that data came from: how is it up-dated, how regularly it is up-dated, how long you hold it for?
3. Consider what you do with the data: who you give it to, how do you transfer it to other people/organisations (including transfer to the BMC)?
4. Consider the security of data: where do you hold data, what data do you encrypt/password protect?
5. Do you have permissions from your members to do what you do with their data, when was that permission (consent) given?
6. Do you have a data protection policy, is it adhered to, is it current?

Working through the points above will give the club a good understanding of current practices and may identify some issues that you will need to deal with.

Sport and Recreation Alliance (SRA)

The SRA publishes advice on GDPR specifically aimed at the sport and recreation sector, including guidance and templates specifically for clubs.

READ: SRA GDPR Clubs Guidance

Not all templates and guidance will be appropriate for all clubs, so don't feel that you need to use everything that has been provided.

The Privacy Notice options cover several documents - the BMC will be using the content and producing Privacy Notice that will be suitable for most BMC clubs to use.

Articles and Downloads on BMC website

General Introduction and First Steps

Key Definitions

Legitimate Interest Assessment (LIA)

Template Statement for Club Membership Form

Using Lists of Club Members

Retention Periods

Annual Data Protection Charge: All organisations in the sport and recreation sector that process personal data are required to pay an annual data protection charge to the Information Commissioner's Office (ICO) unless a relevant exemption applies.

It is a legal requirement to pay the charge, and failure to do so could result in a fine, but it does also make good business sense as it could have an impact on your organisation’s reputation. Once you have paid, your organisation’s details are published on the Information Commissioner’s register of data controllers.

Many mountaineering clubs will be exempt from payment, but it only take a minute or two to  use the online tool from the ICO to help you determine if payment is necessary; you can find the self-assessment tool on the ICO website.

It is also important to make sure you are paying the correct level of charge - the charge-assessment tool will indicate the level you are required to pay.

Other Links

ICO - Information Commissioners Office

Sport and Recreation Alliance, introductory briefing

What does GDPR mean for grassroots clubs (Muckle LLP)

BMC Privacy Policy

More Info

If you have any questions relating to GDPR that aren't answered in the articles above, or if you are looking for further advice, wish to chat through support for your club or have a query on a different topic, then please contact Jane Thompson, BMC Clubs Development Officer, jane@thebmc.co.uk, 07885 910606

There is also more information to support the running of BMC clubs on the Clubs Guidelines and Huts Guidelines pages

This guidance has been written for the committee of a mountaineering, walking or climbing club to use while reviewing the way that their club processes data within their club to ensure compliance with GDPR.  It is based on information available at the time of writing.  There are several topics where the Information Commissioners Office still has to provide full guidance, therefore additional information may be made available to clubs in the future. This guidance is provided by the BMC to assist clubs and does not constitute legal advice.