Golf clubs and General Data Protection Regulations (GDPR)

Jenny Yu
By Jenny Yu April 2, 2018 08:02 Updated

This Q&A about the GDPR is from the National Golf Clubs’ Advisory Association (NGCAA) 

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from May 25, 2018.

What is a data controller?

The data controller is the appointed person responsible for the safe handling and storage of data. It is their job to ensure procedures and policies are followed by anyone with access to the data they control and to report breaches to the Information Commissioners Office (ICO).

What are data processors?

They can be internal or external. They are people or companies who process data for which the data controller is responsible. These can include internal people who process data on the data controller’s behalf (for example, office staff, competition processors, team leaders and the ladies’ section). They also include external companies who process data on the data controller’s behalf (for example, membership database, tee booking system, the professional, newsletter distributors, website host and so on).

What is a privacy statement?

A statement to be included whenever personal data is collected. We advise that the statement should be signed by the person whose data you are collecting and in the case of a person under the age of 16, it MUST be signed by a parent or guardian.

Can people sign electronically?

An electronic signature is acceptable but if you wish people to just tick and respond by email you would need to demonstrate, if required to do so by the ICO, that it was the intended person who signed and returned the email.

Our golf club holds signed application forms already, is this enough?

Possibly, but you would still need to make people aware that data protection regulations are changing, your legal basis for holding their data and with whom you share it. The answer would be no if you wish to either use this data for a purpose where you don’t have a legal basis (such as marketing) or if you wish to share the data with the professional in order for them to market to the members.

Can I share our members’ details with the club pro?

In order to share details with the professional so that they can market to the members, the members would need to positively opt in to permit the sharing of this data. You should also ensure that the professional will process data in accordance with GDPR and it would be advisable to obtain written confirmation from the professional to that effect.

Our professional already holds all these email addresses. What should we do?

In addition to the above, you should tell the professional they should be sending out a privacy statement to anyone whose details they hold to get their positive opt in to enable them to continue marketing to these people.

We hold information on society organisers, can we still communicate with them?

If you hold a database of society organisers or visitors’ contact details, you need to ensure that you gain permission from them in order to retain and use their data for marketing purposes.

People book for open competitions online, is this still okay?

Yes, it is still okay to collect data online but you must tell people, at the point of booking, that their data is only used to administer the competition for which they have entered and it is not stored or used in future for marketing purposes.

But we would like to use this data for marketing purposes?

Then you must have a signed privacy statement with a positive opt in from the competitor which you can collect on the day of the competition.

What about green fee payers?

If you collect personal data from these people then the best way to manage this is to get them to sign a privacy statement on the day of their visit which must also include an opt in if you wish to use their details for marketing purposes.

How do we ensure that external data processors don’t share details with other people, or use it for marketing purposes?

You must check the privacy policy of all external data processors to ensure that it complies with general data protection regulations. You may need to discuss their documentation before the relationship continues

How do we ensure that internal data processors don’t share details with other people?

You must ensure that all internal data processors are trained and adhere to the golf club’s internal policies and procedures in relation to data protection.

What is a privacy policy?

A general document that must be made available for inspection (website / noticeboard) that shows what information you collect, how the information is used, who it is shared with (internal and external data processors), marketing consent (opt in), individuals’ rights, how often the policy is updated and how to contact the data controller at the club. Please note that your privacy policy will also contain more information regarding other matters such as CCTV, card machines and so on.

What is my legal basis for holding data?

Your legal basis for holding data is likely to enable you to fulfil a contractual obligation to the individual. For example, members have the right to receive a subscription renewal notice and details of general meetings at the very least. There may be other contractual obligations such as communicating about competitions if the members have the right to enter competitions.

What are an individual’s rights in relation to GDPR?

The right to be informed – about what data you hold and how it is used.

  • The right of access – to request a copy of all information held about themselves
  • The right to have mistakes corrected
  • The right to have information deleted
  • The right to restrict processing – to opt out of marketing and so on.
  • The right to data portability (new) requested data must be provided in an easy to read, commonly used format (Word, Excel)
  • The right not to be subjected to profiling – decisions made about their interests by others.

Can we hold details of members who have resigned?

In order to be able to continue to hold data in relation to past members you will either need a legal basis for doing so or permission from the individual.

Do we need to write a data protection policy?

You are required to produce policies and procedures in relation to:

Procedures for Data Protection Officer

– Monitoring compliance

– Informing others of their obligations

– Completing Privacy Impact Assessments (PIA’s) as and when required

– Engaging with the ICO in the event of a breach

Procedures for Data Processors

How they process data. For example;

– Processing membership applications

– Deletion of Data (Competitions and Societies)

o Deleting resigned members data

o Keeping data secure

Safe storage of Data

– Password protection – laptops and mobile devices

– Paper documents (filing, shredding and so on)

– Historical documents

– Contracts with external processors (compliant policies)

– Competition processors procedures

Data breaches

– Procedures to detect data breaches, for example cyber security

– Internal, checking for viruses, malware and so on. Remove threats

o – Understand external processors policies for reporting breaches

– How you inform the data controller

– Possible need to notify ICO of breach if individual is likely to suffer some form of damage.

Subject Access Requests (SARs)

– Plan how you will handle requests

– Normally one month to comply (currently 40 days)

– Develop a documented system of how to handle an SAR

– Put policies in place to justify refusing a request

o For example, if another individual’s data may be released

– Readable format (digital data portability)

Data protection policies

– How often they are reviewed

– How they are brought to the attention of all groups whose data you hold

– Training of processors

Privacy Impact Assessment (PIAs)

– Under what circumstances would you require one (changing membership database supplier, changing computers and so on)

– How would you complete one?

For further reading on GDPR please see our General guidance document –

You can also use the useful step-by-step guide provided by the ICO here –

Clubs in membership with the NGCAA are welcome to contact us to obtain guidance on their privacy statements, privacy policies and documented procedures and any other questions relating to GDPR.

Please contact Tom on

The NGCAA provides support, advice and guidance – from start to resolution – on all legal matters impacting upon both proprietary and private members’ golf clubs. 


Alistair Smith, the chief executive, is based in the office and is on-hand to offer advice and support. 

The National Golf Clubs’ Advisory Association (NGCAA)

The Threshing Barn, Homme Castle Barns,

Shelsley Walsh, Worcestershire, WR6 6RR

Tel: 01886 812943




Jenny Yu
By Jenny Yu April 2, 2018 08:02 Updated
Write a comment


  1. Paul May 8, 12:05

    Dear Sir,

    This is an enquiry of a personal interest matter. Briefly, the reason for my enquiry is as follows. I was playing at a local club in my area on a winter morning a couple of years ago and as I walked around the course, on all the raised tees, of which there were several, I noticed areas of the slopes to the tees, where new turf had been laid. When I got to somewhere around the 12th/13th hole, the greenkeepers were in the process of removing a perfectly good flight of wooden steps, which clearly were there to avoid walking up slippery grass slopes, in cold or wet conditions.

    Out of curiosity, I asked them why they were doing that and the reply was ‘Health & Safety Rules’. My reply to that was @So the health & Safety inspector considers that at this time of year in particular & on wet days through the rest of the year, considers wet & icy grass slopes safer than steps does he? I asked whether the club concerned had received any complaints about the steps and the reply was ‘No’.

    My question is, is there specific legislation about this sort of thing & if there is, where can I find it, please. To a mere layman like me, the more that I read & hear about Health & Safety, the more I am inclined to think that much of it revolves around personal opinion.

    Are you able to let me know whether there is definitive legislation, please.

    Reply to this comment
  2. Petrina August 29, 10:44

    I am handicap secretary for the ladies section of our golf centre. The centre gathers the information and passes me name, contact details and dob which I enter on our system and use to send out newsletters and information. Do I need to do anything or would that be covered by the data protection of the centre? Thanks

    Reply to this comment
View comments

Write a comment

Your e-mail address will not be published.
Required fields are marked*

Join Our Mailing List

Read the latest issues

Advertise With Us

To advertise in the magazine or online, contact:

Tel 020 7803 2453

Twitter Timeline