Introduction to GDPR

The law has moved on

Data protection for out of school clubs is now governed by three pieces of law that work together: the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA). The DUAA is the newest of these; it does not replace the UK GDPR or the Data Protection Act, but it amends both (and the rules on cookies and electronic marketing), with changes phased in during 2025 and 2026.

If your club was already handling personal data responsibly, most of this is not a fresh start; it is a set of updates to rules you already follow. The purpose of this page is to give you the plain-English version, with examples that make sense for an out of school setting.

The terms you need to know

Data subject: the person whose personal data is being processed. In an out of school club this is usually a child, their parent or carer, or an employee.

Personal data: any information about an individual that can be used, directly or indirectly, to identify them. In a club this includes child records, photographs, parental contact details, emails and staff employment records. It does not matter whether the information is on a computer or on paper; the law still applies so long as the information is held in a structured way. A quick scribbled note is not a structured record, but a completed form is. In practice it is simplest to assume the law applies to all the personal data you use.

Data controller: the person or organisation that decides why and how personal data is processed. In a club this is usually the owner, manager or management committee.

Data processor: anyone other than your own employees who processes data on your behalf, following your instructions. In a club this might be the payroll company that handles your staff wages, or a self-employed administrator who generates your invoices.

Processing: almost anything you do with personal data; obtaining, recording, storing, organising, consulting, sharing or deleting it. This covers the information on your registration and medical forms, the records you keep about children (attendance, observations, incident and accident records) and everything you hold about your staff.

The principles

The core principles are unchanged. Personal data must be:

  • collected and processed lawfully, fairly and transparently
  • used only for the purpose you originally collected it for
  • limited to what is necessary for that purpose (you do not collect data you do not need)
  • accurate and kept up to date
  • kept only for as long as it is necessary
  • kept secure.

You must meet these principles whenever you handle personal data, and you must also be able to demonstrate that you do; keeping good records is part of compliance, not an optional extra.

What the Data (Use and Access) Act 2025 changed

Most of the DUAA is designed to make data protection a little easier for organisations, while keeping protections for individuals. The changes most relevant to an out of school club are:

  • A new duty to handle data protection complaints. From 19 June 2026 you must give people an accessible way to complain to you directly about how you have handled their personal data, acknowledge their complaint within 30 days, and respond without undue delay. You also have to tell people about this right to complain in your privacy notice. This is the single most important change for clubs to act on. [Link to our Data Protection Complaints Policy template.]
  • Subject access requests are clarified. You are expected to carry out a “reasonable and proportionate” search, and the clock can pause while you wait for information you reasonably need to find the data or confirm someone’s identity. The one-month response time still applies. [Link to our SARs page.]
  • Cookies and website analytics. If your club has a website, the rules on low-risk analytics cookies have been relaxed slightly, but you still need to be transparent about them; and the maximum penalties for getting cookies and electronic marketing wrong have been raised significantly.
  • The regulator. The Information Commissioner’s Office is being reformed into the Information Commission, with stronger investigation powers. For day-to-day purposes it is still the ICO you deal with.

The fines, in perspective

You may see alarming figures quoted. For the most serious breaches the maximum penalty is now £17.5 million or 4% of worldwide turnover, whichever is higher (the old euro figures no longer apply). Those ceilings are aimed at the largest organisations and the most serious, deliberate or reckless failures. The ICO takes a proportionate, risk-based approach, and a small club acting in good faith that fixes a mistake promptly is very unlikely to face a fine. The point is not to panic; it is to take reasonable steps and be able to show that you have.

Your next steps

To meet the requirements at your club, you should:

  1. Appoint a lead person for data protection. Most clubs will not need a formal Data Protection Officer.
  2. Carry out an audit of what personal data you hold, where it is stored, how it is used, how long you keep it, and who you share it with.
  3. Review and update your data protection policy and procedures.
  4. Make sure you have a privacy notice in place wherever you collect personal data, and that it tells people how you use their data, who you share it with, how long you keep it, your lawful basis, and how they can complain (to you first, then the ICO).
  5. Put a data protection complaints process in place and make sure it is signposted.
  6. Review your process for handling subject access requests, corrections and deletions.
  7. Train all staff on your data protection policies and procedures.
  8. Check you are registered with the ICO and have paid the data protection fee (see the FAQs).

For more information on the specific steps you will need to take as an out of school club, download our GDPR: Implementation guide, or buy our GDPR for OSCs Pack which also includes some useful templates.

More information

GDPR FAQs for small organisations (from ICO)
GDPR advice service for small organisations
Guide to the data protection fee (from ICO)

Related articles

GDPR: Implementation guide
GDPR: Subject Access Requests (SARs)
GDPR: Frequently asked questions
Retaining records

Related products

GDPR for OSCs

Disclaimer

This article is a simplified overview of the GDPR, and only considers how it is likely to affect a typical, small, out of school club setting. We have not attempted to cover all areas of the GDPR. For in-depth information about the GDPR, and especially if your club is part of a larger organisation or is in any way non-standard, you should consult the resources on the ICO website. Moreover, the ICO is still developing its own guidelines and updating them on a monthly basis, so further clarification on issues covered in this article may be available from the ICO in due course. It is your responsibility to ensure that your club is meeting all of the GDPR requirements.