View from seat

General Data Protection Regulations

Ensuring our members are equipped for the changes


The new GDPR will replace the current data protection regulations as of 25th May 2018.

New regulations relating to the protection of data will come into effect from May 2018. GDPR will give new rights to individuals in respect of the personal data held by companies, place obligations on companies on data collection and processing and introduce a new regime of fines for data breaches.

Get In Touch

Support available for Charter Standard Clubs.

Call: 0191 211 7799


Tweet: @MuckleLLP



Muckle has been chosen to provide legal support to The Football Association and its County FAs and Chartered Standard Clubs across England and Wales.




This GDPR training course will outline your main responsibilities and help you to start making the necessary changes. The course is 1 hour long and costs just £25.00.

get qualified


Legal Guidance

The FA's Legal Partner, Muckle have produced a variety of handy factsheets to help you understand the jargon and role requirements for GDPR compliance.

Find out more

The General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 on 25
May 2018. It will require all data controllers and data processors to meet new requirements. The
UK will supplement this with a new Data Protection Act later this year. 

The main changes include:

  • Increased rights for data subjects, including a right to detailed data protection notices and new
    rights to delete or restrict data;
  • New accountability obligations, which will require data controllers to demonstrate and record
    how they meet data protection obligations; and new fines, of up to €20,000,000.
A controller is an organisation that determines the means ("how") and purposes ("why") of processing.
It can choose what data will be used and for what purposes, and is in charge of ensuring that all data
protection requirements are met. For example, The FA is a data controller for its employees as their
employer and of participants' details where these are registered under FA rules or are used for FA
A data processor is an organisation that only processes data on behalf of a controller and on their
instruction. A data processor does not have any independent right to use data for its own purposes.
Most of a data processor's obligations come under contract from the data controller, but under the
GDPR processors now also have some statutory obligations to ensure security, report breaches and
keep accountability documents.
Data is any information that relates to an identifiable individual. This isn't limited to 'obvious' information,
such as a person's name, address or bank details, but also includes information such as their FAN number,
their dietary requirements and their photograph. Data does not have to be factual – opinions that a person
holds, or opinions that other people hold about them, are also considered personal data.

Processing is any use of personal data. This includes storing it, using it to make decisions,
accessing it on your phone, sending it to another person or even anonymising it. If you "do"
something to personal data, you will be considered to be "processing" it

The FA has been working closely with our legal helpline service provider, Muckle LLP, to provide support to clubs
around GDPR. Muckle LLP has produced a series of fact sheets and easy-to-use online training modules which
can be accessed via the links below should you want further information.

  • FA Online Training
  • GDPR Factsheets

    The Information Commissioner's Office (ICO) has also produced guidance for all UK businesses on how to
    prepare for the GDPR. You can find the following on its website:

  • 12 Steps To Take Now
  • Guide to the GDPR 

    In addition to the above, the ICO has a dedicated telephone helpline which provides advice on data protection
    matters and the GDPR.

    The relevant contact information can be found here.
The FA will not be undertaking any review or compliance activities in respect of non-FA systems. In addition, The FA
will not be undertaking compliance activities in respect of clubs’ use of data on FA systems for their independent
purposes or, to the extent that it falls under the provisions of the regulation, personal data processed by clubs in hard
copy forms. Any non-FA systems or applications which clubs use to collect personal data or processing which is carried
out by clubs for independent purposes will need to be reviewed and updated (as necessary) by each club. Each club will
need to consider if it needs to update its notices to participants, create internal data protection procedures or spend time
considering its information security procedures.
The FA has completed a thorough GDPR audit with the help of external advisors and we are in the process of making a
number of changes to our systems and processes to meet the new legal requirements. Where you rely on an FA system,
for example WGS or FullTime, you can be sure that it will meet requirements on information security and that online terms
and privacy notices will be updated to cover known and intended uses of The FA’s systems. The FA will also make sure that
contracts are in place with any relevant software providers and with other footballing stakeholders as needed under the GDPR.

Related Articles

View All