The importance of managing personal data as a sailing organisation

Your responsibility as a Data Controller under the DPA


Under the Data Protection Act 2018 (DPA), organisations that collect personal data for their own purposes are considered a Data Controller.

You need to be registered with the ICO as a Data Controller and pay an annual fee unless you fall under the not-for-profit exemption. If that is the case, be wary, as any activity which falls outside of this exemption will trigger the need for registration.

Being a Data Controller under the DPA means you have responsibilities to the data subject to manage and protect their data. Failure to do so could result in a report to the Information Commissioner’s Office (ICO) and a significant fine, which would not necessarily be covered by insurance.

Your organisation might be a Data Processor, which means you collect data for a Data Controller but have no purpose of your own for it. There are lesser obligations in this role, but there are still responsibilities.

Some possible risks with personal data are collecting more than is needed for the intended purpose, not storing it securely, releasing it without grounds (a privacy breach), keeping it longer than is required, and a cyber-attack or data breach.

Some questions to ask as an organisation

  • What kind of personal data do we collect? 
  • Does it include sensitive data such as medical information, or do we collect children’s details? If so, how do we treat that data given the enhanced responsibilities the DPA imposes?
  • Have we a privacy policy available that includes all our uses for personal data and who we might share it with? You can find RYA templates available for this.
  • Do you have a secretary who uses a laptop for club purposes, takes it away from the site, and keeps data on it rather than on the organisation’s secure server? This could result in a data loss for which the organisation could be liable as Data Controller.
  • What happens if a phishing email is sent with a link which compromises the data?
  • Do you display new member applications on your notice board? 
  • Have you minimised the data content displayed, and is the board in a member-only area? The same applies to a guest book.
  • What about emergency contact details for sailing events? How do you manage this data?
  • Do you have a membership platform on which you store personal data? Have you got an agreement and indemnity in case a third party loses your data and claims are made against you?

Insurance is available for cyber issues at an additional cost, which may be disproportionate for a small organisation. Fines for unlawful acts are not normally covered by an insurance policy, so you should risk assess your management of personal data, particularly if you are an unincorporated association.

It is recommended that you undertake an assessment of how you collect, store, share and destroy personal data. Your privacy notice should reflect all uses of personal data and state whether you are a Data Controller (determines the means and purposes for processing data), a Data Processor (processes data on behalf of a controller) or a Joint Controller (determines the processing jointly with another controller, each for their own purposes).

The ICO can provide further advice and downloadable templates. The RYA Legal team can also help with data protection practice and compliance; you can find guidance notes and templates on the subject in Club Zone.