1. Why a club has to care about GDPR
UK GDPR (the post-Brexit successor to EU GDPR, plus the Data Protection Act 2018) applies to any organisation that processes personal data, including a parent-volunteer-run football club with one team. There's no “we're too small” exception.
The good news: for a grassroots club, the obligations are not complicated. The ICO (Information Commissioner's Office) has explicitly said small voluntary clubs aren't their enforcement priority, and there's a grassroots-sized version of the rules that fits on one page. This guide is that.
What you actually have to do as a grassroots club, in priority order:
- Get parental consent for anything that genuinely rests on consent (photos, newsletters) for under-18s; core registration data (name, DOB, emergency contact) is held because you need it to run the club, and the privacy notice tells parents so
- Have a privacy notice (one page; covered below) that says what you collect and why
- Keep data secure (no Google Sheets shared publicly; no kit lists on the WhatsApp group with addresses)
- Delete data when you no longer need it (a child leaves the club, etc.)
- Respond to subject access requests within one month (rare but real)
That's the entire compliance posture for a typical grassroots club. The rest of this guide is the practical detail behind each.
2. What data clubs typically hold
Be honest about the data you actually have. For most grassroots clubs it looks like this:
| Data | Why you have it | Where it usually lives |
|---|---|---|
| Player name + DOB | FA registration, age-group eligibility | FA system, spreadsheet, club website |
| Parent name + phone + email | Match-day comms, fees, emergency contact | Spreadsheet, WhatsApp, email list |
| Home address | Postal kit delivery, league registration | Spreadsheet, registration form |
| Medical / allergy info | Match-day first aid | Coach's phone, paper card in first-aid bag |
| Photos of players | Match reports, social media, website | Coach's phone, club website, social media |
| Bank details (parent) | Subs collection | Treasurer's accounting tool, GoCardless, club bank |
Medical info and ethnicity data (if you collect it for FA diversity returns) are special category data — held to a higher standard. Keep them in fewer places and delete them sooner.
3. Parental consent (the actual rules)
For under-18s, you collect consent from the parent or legal guardian, not from the child. UK GDPR sets the age at which a child can consent to online services for themselves at 13, but you should treat under-16s as needing parental consent regardless.
What consent has to look like to count:
- Specific — one tick per purpose. Don't bundle “I consent to everything” into one box.
- Freely given — the kid can't be barred from playing if the parent ticks no on photo consent (membership must still be possible).
- Informed — the parent needs to know what they're consenting to. Link to your privacy notice.
- Withdrawable — the parent must be able to withdraw consent later. State how (usually email the Welfare Officer).
Practically: build your player registration form with separate consent boxes for (a) using photos on the website, (b) using photos on social media, and (c) email newsletters to the parent. Default each to unticked. Holding registration data for club admin is not a consent box: you could never honour a withdrawal while the child keeps playing, so state it in the privacy notice instead and link to it from the form.
4. How long to keep things
GDPR says you can only keep data “as long as you need it”. For a grassroots club that translates to:
| Data | Keep for |
|---|---|
| Active player records | While the player is registered + 1 season for transition / re-registration |
| Former players (admin records) | 3 years after they leave (in case of FA query, dispute) |
| Medical / allergy info | Delete the season after the player leaves |
| Photos with identifying info | While consent stands; remove on request |
| Financial records (subs, accounts) | 6 years (HMRC requirement) |
| Safeguarding incident records | Until child reaches 25, per FA + statutory guidance |
Practically: do a once-a-year audit at the end of each season. Open the spreadsheet and, for kids who didn't re-register and have now been gone for a full season, wipe medical, address and parent contact details, leaving only the admin record (name, date of birth, seasons registered) for the three years the table above allows; delete rows that have passed three years. Safeguarding records are the exception and stay until the child is 25. Tick a calendar reminder for next July.
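The audit above is the kind of thing that gets done inconsistently by hand, so here is an added example (not part of the original guide, not a GrassrootsFC or FA tool) that applies the retention table to a register. It assumes a season running 1 August to 31 July, a register with the hypothetical field names shown, a made-up sample of five players, and that the admin records the date a player was last registered when they don't come back. It keeps medical details only while the player is registered, strips contact details after a full season gone, deletes the admin record after three seasons, and refuses to delete a row carrying a safeguarding record until the child's 25th birthday.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Constructed assumption: the season runs 1 August to 31 July, so the
# end-of-season audit is run on or after 31 July.
SEASON_END_MONTH = 7

# Retention thresholds from the table above, in full seasons since leaving.
STRIP_AFTER = 1            # contact + address go once the player has been gone a full season
DELETE_AFTER = 3           # the remaining admin record goes three years after leaving
SAFEGUARDING_UNTIL_AGE = 25


def season_end_year(d: date) -> int:
    """Calendar year in which the season containing d ends (2024/25 -> 2025)."""
    return d.year if d.month <= SEASON_END_MONTH else d.year + 1


def seasons_gone(left_on: Optional[date], audit_on: date) -> int:
    """Full seasons that have ended since the season in which the player left.

    A player who left during 2024/25 counts as 0 at the July 2025 audit (they
    may still re-register in August), 1 at the July 2026 audit, and so on.
    """
    if left_on is None:
        return 0
    return max(0, season_end_year(audit_on) - season_end_year(left_on))


@dataclass(frozen=True)
class Player:
    """One row of the club register (hypothetical field names)."""
    name: str
    dob: date
    parent_contact: Optional[str]
    address: Optional[str]
    medical: Optional[str]           # special category: match-day first aid only
    left_on: Optional[date] = None   # set by the admin when a player does not re-register
    safeguarding_record: bool = False


def under_safeguarding_hold(p: Player, audit_on: date) -> bool:
    """Safeguarding records are kept until the child's 25th birthday.

    Tuple comparison avoids date.replace() failing for 29 February birthdays.
    """
    turns_25 = (p.dob.year + SAFEGUARDING_UNTIL_AGE, p.dob.month, p.dob.day)
    return p.safeguarding_record and (audit_on.year, audit_on.month, audit_on.day) < turns_25


def audit_player(p: Player, audit_on: date) -> tuple[Optional[Player], list[str]]:
    """Apply the retention rules to one row.

    Returns the row as it should look after the audit (None if deleted) and the
    actions taken. Each check tests for data still present, so running the audit
    twice on the same date changes nothing the second time.
    """
    actions: list[str] = []
    gone = seasons_gone(p.left_on, audit_on)

    # Medical info exists only for match-day first aid; a player who is no
    # longer registered has no match days, so it goes at the first audit.
    if p.left_on is not None and p.medical is not None:
        p = replace(p, medical=None)
        actions.append("medical wiped")

    # After a full season away the player is not coming back for re-registration:
    # keep only the admin record (name, DOB, dates) for FA queries and disputes.
    if gone >= STRIP_AFTER and (p.parent_contact is not None or p.address is not None):
        p = replace(p, parent_contact=None, address=None)
        actions.append("contact and address wiped")

    if gone >= DELETE_AFTER:
        if under_safeguarding_hold(p, audit_on):
            actions.append("retained: safeguarding record held until 25th birthday")
        else:
            actions.append("deleted")
            return None, actions

    return p, actions


def run_audit(register: list[Player], audit_on: date) -> tuple[list[Player], dict[str, list[str]]]:
    """Audit every row; return the new register and a log to file with the audit."""
    kept: list[Player] = []
    log: dict[str, list[str]] = {}
    for p in register:
        new_p, actions = audit_player(p, audit_on)
        log[p.name] = actions
        if new_p is not None:
            kept.append(new_p)
    return kept, log


# Constructed sample register (made-up names, Ofcom drama phone numbers), audited 31 July 2025.
SAMPLE_REGISTER = [
    Player("Amira", date(2013, 4, 2), "07700 900001", "1 Example Rd", "asthma inhaler"),
    Player("Ben", date(2012, 9, 19), "07700 900002", "2 Example Rd", "nut allergy",
           left_on=date(2025, 1, 15)),                 # left mid 2024/25
    Player("Chloe", date(2012, 2, 29), "07700 900003", "3 Example Rd", None,
           left_on=date(2024, 7, 31)),                 # last played 2023/24
    Player("Dev", date(2010, 11, 5), None, None, None, left_on=date(2022, 7, 31)),
    Player("Ewan", date(2010, 3, 3), None, None, None, left_on=date(2021, 6, 1),
           safeguarding_record=True),
]
AUDIT_DATE = date(2025, 7, 31)


if __name__ == "__main__":
    kept, log = run_audit(SAMPLE_REGISTER, AUDIT_DATE)
    for name, actions in log.items():
        print(f"{name}: {', '.join(actions) or 'no action'}")
    print("rows remaining:", [p.name for p in kept])
```

Keep the returned log with the audit: it is your record that the retention policy was actually applied, which is what you want to be able to show if a subject access request or an ICO query arrives later.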
5. Photos and video
Photos are the biggest single GDPR risk-and-confusion point for grassroots clubs because (a) parents post them on personal social media without thinking, (b) coaches WhatsApp them around without consent, and (c) clubs put them on websites with full names attached.
The rules:
- Get written parental consent before publishing a photo of an under-18 on your website, social media, or in published match reports
- Don't pair a photo with a full name or anything that locates the child. First name + shirt number is fine. “James Smith, son of John, lives on Oak Road” is not.
- Group photos with consent from every featured player's parent are usually fine
- Press / media photographers at competitive matches — have a sign-in for them at the gate, and a written policy that they comply with your photography rules
- Parents photographing their own kid at a match — fine, but discourage publishing the wider team without consent
Easiest implementation: the photo & video consent boxes on the player registration form (one per channel), renewed every season. Don't try to track ad-hoc verbal consents.
If you'd rather have a private place to keep match photos and milestones for your own kid (not the club website, not the WhatsApp group), MyFootballJournal does exactly that — private to you, no public sharing, GDPR clean.
6. When a parent asks “can I have my data back?”
A parent can submit a Subject Access Request (SAR) asking what data you hold about their child. Rare in grassroots, but it happens — usually when there's a dispute. The rules:
- You have one month to respond (extendable by up to two further months if the request is complex, but you must tell the parent that within the first month)
- You must provide a copy of all personal data you hold on the child
- You cannot charge a fee (a reasonable fee is allowed only for repeat copies of the same data or for manifestly excessive requests)
- If the request is “manifestly unfounded or excessive” (rare), you can refuse — document why
Practically: keep your data in one place per child (the registration form, a spreadsheet row, the photos folder). If a SAR comes in, exporting it should take an hour, not a week.
7. The one-page privacy notice you need
Every club must publish a privacy notice. The ICO and FA both have templates — the GrassrootsFC template covers all the required points in around 400 words. It must contain:
- Who the data controller is (the club)
- What data you collect
- Why (the “lawful basis” for each purpose: normally legitimate interests or the membership agreement for running the club, and consent for photos and newsletters)
- Who you share it with (FA, league, GoCardless, etc.)
- How long you keep it
- Their rights (access, deletion, correction, withdraw consent)
- How to complain (to the club + to the ICO at ico.org.uk)
Put it on the club website at /privacy (or similar). Reference it on the registration form. Done.
Every GrassrootsFC club site comes with a privacy notice template pre-filled with your club name + Welfare Officer details. One less page to write. See the platform →
8. If something goes wrong
A “data breach” doesn't mean “a hacker stole everything.” It means any incident where data is accidentally exposed, shared with the wrong person, or lost. Common grassroots versions:
- Coach's phone with the team's contact list is stolen (a locked, encrypted phone is far lower risk than an unlocked one, and that difference decides whether it needs reporting)
- Treasurer accidentally emails the subs spreadsheet to all parents instead of just the committee
- WhatsApp group used as a contact list shows everyone's number to anyone added
- Old laptop with player photos goes to landfill un-wiped
If a breach happens:
- Report to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms (a spreadsheet of names and phone numbers sent to the wrong parent probably is reportable; a locked phone with no way in probably isn't)
- Tell affected parents directly, without undue delay, if the breach is likely to cause them high risk (medical details or a home address exposed, for example)
- Document what happened, what was exposed, who was affected, and what you did about it
Most grassroots breaches are minor and don't need reporting to the ICO. But record every one, however small: keeping a breach log is itself a UK GDPR requirement, and if a second one happens you want a record showing you took the first seriously.
Want a club website that's GDPR-ready out of the box?
GrassrootsFC sites ship with a privacy notice template, consent-aware registration forms, and proper data controls. Free to start.
Create your free club site →