top of page
Aisha Akhtar, a solicitor in the Commercial team at Blacks Solicitors

Data security is a vital responsibility of clubs to protect the organisation as a whole, and its players. With the potential for data breaches to impact the function and reputation of organisations, clubs hold a key line of security responsibility.


No matter the size of the club, data security should be on the agenda of senior management. Additionally, it may be appropriate to appoint a specific individual or team to ensure data protection policies and procedures are followed in the organisation.


Aisha Akhtar, a solicitor in the Commercial team at Blacks Solicitors, discusses data protection and transfer post-GDPR and what club managers and other staff members should be aware of.

Storing personal data


Clubs and other sporting organisations need to be careful when it comes to storing personal data. Security measures and a strong strategy should be put in place to protect against personal data breaches. This is defined by article 4 of the GDPR and the level of security is defined by article 32. 


Organisations are required to periodically assess, test and upgrade their security in a way that is proportionate to the types of personal data that they process. This can include the name, age and location of players.

Transferring  personal data

There are a number of things to consider when it comes to the transfer of personal data, particularly outside of the UK. Following Brexit and the CJEU judgement in the Schrems II case1, if an organisation processes personal data, or is to transfer personal data to a third party that is based in a ‘third country’ which is a country that doesn’t have a UK finding of adequacy against it, then an additional legitimising transfer mechanism will be required to be entered into. 


Examples include Binding Corporate Rules, and  under EU law, the Standard Contractual Clauses. 


Earlier this year, following the implementation of Brexit, the ICO published its own version of the EU Standard Contractual Clauses, titled the International Data Transfer Agreement (IDTA) to replace the EU version. Clubs that are transferring personal data to a third country will be required to enter into this. 

Site security


Part of the specific responsibilities for clubs and other sporting organisations focuses on site security. A perimeter breach to any site that stores or processes data risks a data breach, particularly when it comes to the personal data of high profile players which will be of interest to both the public and press. A data breach could have significant and adverse consequences for a club and its players. 


Computers, devices, or documents containing data are at risk during a site breach, and it is the responsibility of the IT team and club manager to ensure that these assets are at minimal risk. 

Processes and education

Educating people across the club about the importance of data protection and how it can be transferred and stored correctly is crucial. The more people at the club that are proficient and confident in data breach and incident management procedures, the more quickly a response can be generated in the event of a security breach. 

It’s also advisable to set up reminder or update sessions in regular intervals to sustain a level of data security awareness, in addition to educating new people on the club’s policy and standards. It may be advisable to have a written policy for individuals to refer to. This will reduce confusion in the event of a data breach and bolster the standards established through training.


Ensuring that data breach policy and reporting process information is easily and quickly accessible on site is advisable to ease the data security process, but additionally to reduce the risk of sanctions for late disclosure of a breach to the Information Commissioner’s Office (ICO).

For more information, please visit

bottom of page