General Data Protection Regulations

Helping our members understand their responsibilities around gdpr

Data protection laws are evolving. The General Data Protection Regulation (GDPR) is already in effect and we are currently in a period of implementation with the deadline for compliance set for 25 May 2018. As part of the FA’s commitment to share knowledge and best practice the following advice is being provided to help all leagues and clubs. 

Charter Standard Leagues & Clubs

For those leagues and clubs who have attained Charter Standard status the Football Association has engaged with Muckle LLP to provide FREE (up to 30 minutes) advice on how to become and remain compliant. Please click the link below for further information.


Tel: 0191 211 7799


Click here for further information.

Further Legal Advice

The FA's Legal Partner, Muckle have also produced a variety of handy factsheets to help you understand the language and role requirements for GDPR compliance

Click here for further information.

Further Training

For those who wish to learn more on GDPR the following training course will outline your main responsibilities and help you to start making the necessary changes. The biggest changes under the GDPR are in relation to obtaining consent, the right to be forgotten and the appointment of a Data Protection Officer. The course is 1 hour long and costs just £25.00.

Click here for further information. 

Useful Information

Here as some useful documents for County FA's, leagues and clubs regarding the GDPR changes.

data protection policy (clubs, county fa's, leagues)

fa faq's

privacy notice - clubs

privacy notice - leagues

privacy notice for the birmingham county fa

GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduced hefty penalties for organisations that fail to comply with the rules.

  • To ensure all personal information is processed lawfully, fairly and in a transparent manner in relation to individuals.


  • To ensure all that all personal information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.


  • To ensure all personal information collected is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.


  • To ensure all personal information collected is accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate is corrected or erased without delay.


  • To ensure all personal information is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.


  • To ensure all personal information is processed in a manner that permits the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.


  • Increased rights for data subjects, including a right to detailed data protection notices and new rights to delete or restrict data.

  • New accountability obligations, which will require data controllers to demonstrate and record how they meet data protection obligations.

  • Potential new fines, of up to €20,000,000 where breaches have occurred.


GDPR applies to all data controllers and data processors, so if you collect any personal data in running your club (which you definitely will do if you have any members) then the GDPR will apply to you.

There are no exclusions for CASCs, charities or not for profit organisations. It doesn’t make a difference for example if you are structured as an unincorporated organisation or company limited by guarantee – the requirements are concerned with the data you hold and how you handle this.

Any information relating to an identified or identifiable data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Examples include: name, address, telephone number, IP address, membership numbers etc.

The FA will not be undertaking any review or compliance activities in respect of non-FA systems. In addition, The FA will not be undertaking compliance activities in respect of leagues’ use of data on FA systems for their independent purposes or, to the extent that it falls under the provisions of the regulation, personal data processed by leagues in hard copy forms.

Any non-FA systems or applications which leagues use to collect personal data or processing which is carried out by leagues for independent purposes will need to be reviewed and updated (as necessary) by each league. Each league will need to consider if it needs to update its notices to participants, create internal data protection procedures or spend time considering its information security procedures.

A controller is an organisation that determines the means ("how") and purposes ("why") of processing. It can choose what data will be used and for what purposes, and is in charge of ensuring that all data protection requirements are met. For example, The FA is a data controller for its employees as their employer and of participants' details where these are registered under FA rules or are used for FA marketing.

A data processor is an organisation that only processes data on behalf of a controller and on their instruction. A data processor does not have any independent right to use data for its own purposes. Most of a data processor's obligations come under contract from the data controller, but under the GDPR processors now also have some statutory obligations to ensure security, report breaches and keep accountability documents.

The FA has been working closely with our legal helpline service provider, Muckle LLP, to provide support to leagues around GDPR. Muckle LLP has produced a series of fact sheets and easy-to-use online training modules which can be accessed via the links below should you want further information.

The Information Commissioner's Office (ICO) has also produced guidance for all UK businesses on how to prepare for the GDPR. You can find the following on its website:

In addition to the above, the ICO has a dedicated telephone helpline which provides advice on data protection matters and the GDPR. The relevant contact information can be found here.