General Data Protection Regulation (GDPR) Update

Please note that these materials are provided by the RFU for clubs, constituent bodies and referee societies to assist with their use of personal data. If you would like information on how the RFU itself deals with personal data, please see the RFU's Privacy Notices

Data laws are changing. The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and represents a reshaping of the data protection landscape.

In simple terms, GDPR will help protect the personal data of those involved in rugby by requiring better governance and transparency. Organisations holding personal data, including constituent bodies, referee societies and clubs, will need to give more information to people about what they do with those people’s data, why, and for how long. 

The RFU is pleased to provide guidance and resources via a toolkit, to help constituent bodies, referee societies and clubs work towards GDPR compliance, ahead of the Regulation coming in to force. The toolkit provides an overview of the Regulation, what it means for rugby, and some practical steps you can take to help prepare. It also contains some template policies and procedures you can put in place. It can be downloaded by clicking the link below and there is also a print ready version:

Download Toolkit > Print ready version of the Toolkit >

Toolkit Appendices:

Appendix 1 - Draft Privacy Policy
Appendix 2 - Data Breach Management Flowchart  
Appendix 3 - Subject Access Request Flowchart 
Appendix 4 - Personal Data Inventory

Further support is available via the RFU’s Legal Helpline on 0330 303 1877.
Please note, the RFU itself is not able to give specific legal advice to clubs, referee societies, or constituent bodies.


First, consider why you need this data. If you cannot show why you need to keep hold of this data and use it lawfully, you should delete it. Secondly, consider where the data has been sourced.

  1. 1. If you have extracted data from GMS, it is likely that it should be deleted and communications sent out through GMS.

  2. 2. If it has been created outside GMS, you should keep a central record of where all information is stored and who has access to it. You should also ensure that the files are kept secure, and if anyone else has access to the laptops, the files should be password protecte

Yes, but you will need to take extra care. You should keep a central record of where all information is stored, and who has access to it. You should also ensure that the files are kept secure, and the memory sticks should be password protected.

There may be occasions you want to collect individuals’ data, for example at festivals, open days etc. Before you collect any of this data, consider:

  • What data do you need?
  • What are you going to do with it?
  • If you do really need this data, only collect the minimum amount necessary. Having smaller amounts of good quality data is always preferable to large amounts of poorer data.
  • It is always better to store any data within existing secure systems, such as GMS.

This requires specific, informed consent. This means a member must opt in (you cannot automatically opt a member into this, and allow them to opt out). You cannot make this consent a condition of membership.

Generally, sending normal club updates does not require the consent of recipients if the updates are for the purposes of administering the club. However, you cannot send out marketing messages on behalf of sponsors without the recipients’ specific, informed consent. A reasonable amount of advertising in a genuine club administrative update is likely to be acceptable. There is no set point where a general administrative update becomes a marketing message, and this is a question of common sense. If you are in doubt, contact the RFU Legal Helpline on 0330 303 187.

Yes. GMS is provided through a web browser using the Secure Sockets Layer (SSL) to provide a secure connection using a cryptographic key. Data held in the GMS database is on a secure server with the data, including user passwords, encrypted.

The club has a responsibility to ensure its membership and playing lists are up to date. We would suggest these lists are reviewed at least at the start of each season.

There will be times you will need to share personal data outside your organisation, for example providing a list of attendees to an event to the organiser. Before you transfer this data, consider the following;

  • a. Why do we need to send the data outside the organisation?
  • b. Who (outside the organisation) are you sending the data to? Double check the mailing list to ensure there’s no one who should not have access to the data.
  • c. Double check the data to identify whether all the personal data fields need to be sent. Can some personal data be removed if it does not affect the task at hand?
  • d. Give advice to the external party on how long they should retain the data. After the data has served its purpose, the external party should be advised to destroy the data (physical and digital copies).
  • e. If there is a large amount of personal data, or any sensitive data it is good practice to password protect the file that contains it.

If you need advice, please contact the RFU’s Legal Helpline on 0330 303 1877. Note that, the RFU itself is not able to give specific legal advice to clubs, referee societies, or constituent bodies.

Personal data should be “kept in a form which permits identification of data subjects for no longer than necessary”. There needs to be a valid business or legal justification for keeping it. In summary, data no longer required should be removed.

When deleting data, physical hard copies should be shredded where possible. Do not print confidential material unless needed, always store securely and make sure it is disposed of in the most secure way you see fit. With digital copies make sure they are deleted from laptops/phones etc, and then remove from Recycle Bin.

Yes. These will be produced and distributed later in the summer. The new player registration forms will have updated consent statements. Clubs will be responsible for their own consent management.

This is something for the clubs to decide. But one of the key principles of GDPR is data minimisation - clubs should only process/use personal data if it is absolutely necessary. In this instance the clubs need to some thinking as to whether photo of players along with their details are required for player cards or whether RFU ID will suffice. The idea is to get rid of any personal data that is not required.

There should be a process, and individual, in place to manage this. You will need to find all data held by your organisation. You may need to go through emails, databases and other places where the individual’s data is stored. If an individual requests data held in GMS from the club or referee society, then it is the responsibility of the club or referee society to supply this – requests should not be forwarded on to the RFU. There is extensive guidance on the ICO website, here: for-organisations/guide-to-the-general-data-protectionregulation-gdpr/individual-rights/right-of-access/.

Under GDPR, where you hold individuals’ data you must be transparent with them as to how you use it. The content of a privacy policy is a matter for each club, CB or referee society. If you want to use a shorter policy, you can, but you will need to be satisfied it explains how you use individuals’ data.

The Information Commissioner has not yet provided full guidance on how these clauses will look. In the meantime, you can amend your Privacy Notice to say:

The personal information we collect may be transferred to and stored in countries outside of the UK and the European Union. Some of these jurisdictions require different levels of protection in respect of personal information and, in certain instances, the laws in those countries may be less protective than the jurisdiction you are typically resident in. We require third parties to respect the security of your data and to treat it in accordance with the law, and if we do share your personal information outside the European Economic Area, you can expect a similar degree of protection in respect of your personal information.

If someone you contract with (e.g. a website hosting company) transfers data outside the EEA, you should seek to get reassurance that they will treat data in a way that is compliant with GDPR. The template has been amended to reflect this.

The RFU GDPR page can be found at contains Toolkits and template documents.
You can also contact the RFU Legal Helpline for further guidance on 0330 3031877.