Data protection for your club

Find out more about the General Data Protection Regulation (GDPR), what it means for your club and what actions you need to take to comply with the law. 

From 25 May 2018, the UK General Data Protection Regulation (UK GDPR), alongside the Data Protection Act 2018 (DPA 2018), set out new rules for how personal data must be handled in the UK. All organisations — including clubs — that collect, store, use, or share personal information about individuals must comply with UK GDPR. Failure to do so can result in significant penalties, including fines.

Key principles to bear in mind are:

  • Lawfulness, fairness, and transparency: Personal data must be processed legally and fairly, and people should know what is happening with their data.
  • Purpose limitation: Collect personal data only for specific, legitimate purposes.
  • Data minimisation: Only collect data you need.
  • Accuracy: Keep data up to date and correct.
  • Storage limitation: Keep data only as long as necessary.
  • Integrity and confidentiality: Protect data against unauthorised access, loss, or damage.
  • Accountability: Clubs must demonstrate compliance with GDPR.

Clubs are 'controllers' of personal data for their members (e.g. name, address, email address, telephone number, date of birth and emergency contact details). Clubs may also store personal data for people who stay in huts they operate or for any non-members who have agreed to receive email communications.

When a club shares its members' personal data with Mountaineering Scotland for registration for insurance, the magazine or email communications, Mountaineering Scotland also becomes a controller of that personal data.

GDPR requires that controllers set out a valid lawful basis for holding and processing personal data. While obtaining explicit consent or 'opting-in' is one of the six options available to do this, it is not required where processing personal data is necessary to provide a service that someone has signed up for, like membership of a club. 

Clubs should assign a committee member to oversee GDPR compliance. This person ensures that policies are followed, that the committee is up to date with the guidance, and that any breaches or requests are handled correctly.

Lawful Basis for Processing Members’ Data

There are six lawful bases available to controllers for holding and processing personal data:

  1. Consent – the individual agrees to the processing
  2. Contract – processing is necessary to provide a service, e.g., membership
  3. Legal obligation – processing is required by law
  4. Vital interests – processing is necessary to protect someone’s life
  5. Public task – processing is needed to perform a task in the public interest
  6. Legitimate interests – processing is needed for your organisation’s reasonable interests, balanced against individual rights

The importance of consent

In most cases you will need to seek the individual’s explicit consent in order to process their information.

The consent must be clear, informed, unambiguous and positively given.

For example, a person’s face in a photograph constitutes personal data because it can be used to identify a living individual. If you want to publish or use a photo showing individuals, you must seek their permission using a consent form. Written proof of this consent and the date of consent MUST be securely held in case of future complaints.


Mountaineering Scotland and affiliated clubs have a contractual, legal and legitimate-interests basis for holding and processing members' personal data (membership management, insurance, event participation and communications generally rely on contract, legal obligation or legitimate interests), so we may not need to seek explicit consent, provided we have an appropriate lawful basis. Instead, the law requires that these reasons are explained clearly to members, that we show we take their privacy seriously, and that we offer options to manage communication preferences where practical.


Step 1: Map your personal data

  • Record what data you hold, where it comes from, and where it goes: You need to understand and record what personal data your club holds and the journey it takes through the club. It is a good idea to review this regularly and record these details.
  • Identify who has access (committee members, volunteers, suppliers): Your club needs to be confident that everyone, and every organisation, with access to your members' personal data is aware of data protection regulations and handles that data securely. This may affect how your club Membership Secretary or Treasurer stores membership forms or other records. You may wish to select a member of your committee to coordinate this.
Template data audit and recording table for clubs 


Step 2: Keep data secure

  • Use strong passwords and restrict access: Data security is key. When storing anything on a computer, protect yourself by keeping passwords safe, storing files securely and encrypting files that contain personal data. Many online systems, including membership systems, have built-in security measures that protect files in storage and while they are being shared, but it is your responsibility to ensure that these are adequately secure.
  • Encrypt sensitive files and password-protect sensitive email attachments: Mountaineering Scotland requires all documents containing personal information shared by email between us and clubs to be password-protected before sending.


Step 3: Create and maintain a Privacy Notice

  • GDPR aims to ensure that individuals are clearly informed by organisations that hold their personal data about how and why it is used, how long it is kept for, who it is shared with and what their rights are as data subjects. A privacy notice is the tool organisations use to set out this information.  
  • It is important that all your club's existing members receive details of any updates to the club's privacy notice. This can be done by email and you should keep a record of how and when you share the privacy notice with your members. You do not need to ask for explicit consent or confirmation that the privacy notice has been seen or accepted.
  • Members of your club also need to be aware of the Mountaineering Scotland privacy notice as we become controllers of their personal data when you register them with us. We will share our privacy notice with all existing members via our magazine and in our monthly members' email newsletter. You need to provide it to your new members when they join you. 


We have created a template privacy notice for clubs, which can be amended to fit your club's circumstances.

Template privacy notice for clubs (Word)

Mountaineering Scotland privacy notice for members: www.mountaineering.scot/privacy-notice


Step 4: Update forms and communications

  • Collect only the information you need and include a short data protection statement or a reference to your privacy notice on forms, so that individuals are notified at the point their personal data is collected and can make an informed decision to sign up.
  • For children under 16, GDPR requires additional protection. If you collect children’s personal data, then you need to make sure that you obtain explicit consent from the parent or guardian to process the personal data.
  • Make it clear how members can manage communication preferences.

We have created a template membership form which contains a data protection statement flagging up your club's and our privacy notices and requesting that the member reads them. You can either adopt and tweak this membership form to fit your club's circumstances or incorporate the text in the data protection box into your existing membership form.

Template membership form for clubs (Word)


Step 5: Check third-party suppliers

  • If you use any service providers (website hosting, email distribution, administering online hut bookings), have a written data processing agreement stating that they will only use the data provided for the purpose of delivering the agreed service to you.
  • Ensure suppliers only process data for the purpose agreed and comply with UK GDPR.

Please contact us at membership@mountaineering.scot or call 01738 493942 to receive a template data processing agreement or clause for use with your third-party processors.


Step 6: Be prepared for breaches or data requests

  • Appoint a committee member responsible for GDPR incidents.
  • In the event of a data breach: Report it to the ICO within 72 hours if it is likely to pose a risk to members' rights and freedoms, and notify the affected members if the risk is high. Make sure all members of the club with access to personal data are aware of this.
  • Subject Access Requests (SARs): These are requests from individual club members for copies of their personal data. You need to respond within one month. To comply, you must provide a copy of the personal data you hold for this person (after confirming their identity) in a commonly used format, e.g. a Word document, CSV or Excel file. We suggest that you keep a log of any requests and of how and when you responded.


Step 7: Retention and deletion of data

  • Keep data only as long as necessary for the purpose collected.
  • Implement a retention schedule (e.g., 7 years for financial info, 2 years for past members’ email).
  • Delete or anonymise data when no longer needed.
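As an added illustration (not part of this guidance or any Mountaineering Scotland tool), the following Python applies the retention schedule above to a constructed membership register; the record categories, the choice to anonymise old financial rows rather than delete them, and the sample dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods taken from the guidance above; the category names are assumed.
RETENTION_YEARS = {"financial": 7, "past_member_email": 2}

@dataclass
class Record:
    member_id: str
    category: str         # "current_member", "financial" or "past_member_email"
    retained_from: date   # when the retention clock started (e.g. membership lapsed)
    data: dict            # the personal data held for this record

def years_since(start: date, today: date) -> int:
    """Whole years elapsed from start to today (anniversary-based, not 365-day)."""
    years = today.year - start.year
    if (today.month, today.day) < (start.month, start.day):
        years -= 1
    return years

def retention_action(rec: Record, today: date) -> str:
    """Keep, delete or anonymise a record under the schedule."""
    if rec.category == "current_member":
        return "keep"   # still needed to provide the membership service
    if years_since(rec.retained_from, today) < RETENTION_YEARS[rec.category]:
        return "keep"
    # Assumed policy: old financial rows are anonymised so the accounts still
    # add up, while a lapsed member's email serves no purpose and is deleted.
    return "anonymise" if rec.category == "financial" else "delete"

def apply_schedule(records: list, today: date):
    """Return the register after the schedule is applied, plus an audit log."""
    kept, log = [], []
    for rec in records:
        action = retention_action(rec, today)
        log.append((rec.member_id, rec.category, action))
        if action == "keep":
            kept.append(rec)
        elif action == "anonymise":  # strip identifying fields, keep the figures
            figures = {k: v for k, v in rec.data.items() if k in ("amount", "year")}
            kept.append(Record("anonymised", rec.category, rec.retained_from, figures))
    return kept, log   # deleted records are simply not carried forward

TODAY = date(2025, 6, 1)  # fixed review date for the constructed sample below
SAMPLE_REGISTER = [       # constructed sample data, not a real register
    Record("M001", "current_member", date(2024, 1, 1), {"name": "A. Climber", "email": "a@example.org"}),
    Record("M002", "financial", date(2017, 3, 1), {"name": "B. Walker", "amount": 35, "year": 2017}),
    Record("M003", "financial", date(2020, 3, 1), {"name": "C. Hill", "amount": 40, "year": 2020}),
    Record("M004", "past_member_email", date(2022, 9, 15), {"email": "d@example.org"}),
    Record("M005", "past_member_email", date(2024, 1, 1), {"email": "e@example.org"}),
]
```

The audit log returned alongside the trimmed register is the kind of record that demonstrates accountability if the ICO or a member asks what was deleted and when.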

This advice has been written to help club officers of Mountaineering Scotland's affiliated clubs review whether their club processes will be compliant with GDPR. We have received legal support through sportscotland's expert resource, Harper McLeod, in pulling together our advice and templates. The guidance in these web pages does not constitute legal advice and is based on information available at the time of writing.

If you have any questions relating to GDPR that aren't answered above, or if you are looking for further advice: