GDPR Policy


It is the responsibility of all club officials who work with data to take reasonable steps to ensure it is kept to the minimum, protected, is accurate and up to date.

Personal data should not be shared informally. It should never be sent by email, as this form of communication is not secure.

Data will be held in as few places as necessary. Officials should not create any unnecessary additional data sets.

Officials should not save copies of personal data to their own computers. Always access and update the central copy of any data. Lawful Fair and Transparent

Officials should take every opportunity to ensure data is updated. For instance, by confirming a member’s email address

Data should be updated as inaccuracies are discovered. For instance, if a member can no longer be reached on their stored telephone number, it should be removed from the database.

It is the secretary and web administrator’s responsibility to ensure personal details are removed from all data base systems when a member has passed away.

Secure Processing

The only people able to access data covered by this policy should be those who need it for legitimate club activities.

In particular, strong passwords must be used and they should never be shared.

Data Storage

When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it in a locked drawer or filing cabinet.

Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.

Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:

Data should be protected by strong passwords that are changed regularly and never shared between members.

Data should be backed up frequently. Those backups should be tested regularly.

All servers and computers containing data should be protected by approved security software and a firewall.


AFC Sudbury Data Protection policy