Data protection is one of those topics that most swimming club committees know they should take seriously but are not entirely sure how to approach. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to every organisation that processes personal data, and that includes your local swimming club.
The good news is that GDPR compliance is not as complicated as it first appears, provided you understand what you are required to do and put some basic systems in place. This guide walks through the practical steps that any swimming club can take to meet its obligations without hiring a data protection officer or drowning in legal complexity.
What personal data does your club process?
Before you can comply with GDPR, you need to know what personal data you hold and why. Most swimming clubs process personal data about:
- Swimmers. Names, dates of birth, addresses, medical information, emergency contacts, swimming ability and squad placement.
- Parents and guardians. Names, addresses, phone numbers, email addresses, payment details.
- Volunteers and coaches. Names, addresses, contact details, DBS certificate numbers and expiry dates, qualifications, safeguarding training records.
- Committee members. Contact information, meeting attendance, correspondence.
You may also process special category data, which includes health information (such as allergies, medical conditions, or disabilities) and, in the case of DBS checks, criminal conviction data. Special category data has additional protection requirements under GDPR.
Lawful basis for processing
GDPR requires that you have a lawful basis for every piece of personal data you process. For swimming clubs, the most relevant lawful bases are:
Contract. You can process data when it is necessary to perform a contract with the data subject. When a family joins your club, you have a contractual relationship with them, and you need certain information to deliver that service: names, contact details, payment information, swimmer ability for squad allocation.
Legitimate interests. You can process data when it is necessary for your legitimate interests, provided those interests are not overridden by the individual’s rights and freedoms. This might cover things like sending club newsletters, organising social events, or maintaining records of volunteer contributions.
Legal obligation. You can process data when you are required to do so by law. This covers safeguarding records, DBS checks, health and safety compliance, and financial record-keeping.
Consent. You can process data when the individual has given clear, informed consent. This is the appropriate basis for non-essential activities like photography, video recording, or sharing swimmer achievements on social media.
You should document which lawful basis applies to each type of data you process. This is called a lawful basis assessment, and it is a core part of GDPR compliance.
Children’s data
Swimming clubs work predominantly with children, and GDPR has specific protections for children’s data. In the UK, children aged 13 and over can provide their own consent for certain online services, but for most club activities, you will need parental consent.
When collecting data about children, you should:
- Make it clear to parents what data you are collecting and why.
- Keep the amount of data to the minimum necessary.
- Ensure parents understand how the data will be used and who will have access to it.
- Review and delete data when it is no longer needed.
Many clubs use the membership application process to gather this consent. A well-designed application form will explain what data is collected, how it will be used, who will see it, and how long it will be kept. When families complete the form, they are providing informed consent.
Modern club management software makes this easier by building compliance into the membership application process, with clear consent checkboxes and privacy information presented at the point of sign-up.
Photography and video consent
Photography at swimming events is one of the most common GDPR questions clubs face. The ICO (Information Commissioner’s Office) has issued clear guidance on this:
- Taking photos or videos for personal use (e.g. a parent filming their own child) does not fall under GDPR.
- Taking photos or videos for club purposes (e.g. for the website, social media, or promotional materials) does fall under GDPR and requires consent.
Your club should have a photography policy that covers:
- What you will use photos for. Be specific. “For the club website and social media” is fine. “For any purpose” is not.
- Who can take photos. Designated club photographers only, or anyone at a gala?
- How consent is obtained. Many clubs include a photography consent clause in the membership form.
- How to withdraw consent. Parents should be able to withdraw consent at any time, and the club must act on that request.
- Safeguarding considerations. Avoid publishing full names with photos. Do not include information that could identify a child’s location or routine.
Some clubs use coloured wristbands at galas to indicate which swimmers have photo consent. This makes it easy for photographers and videographers to know who they can include.
Data retention and deletion
GDPR requires that you only keep personal data for as long as necessary. For swimming clubs, this means having a data retention policy that sets out how long different types of records are kept.
Here are some reasonable retention periods:
- Active membership records. Retained for the duration of membership, plus a short period afterwards to handle queries or process final payments.
- Financial records. Retained for six years after the end of the financial year, as required by HMRC.
- Safeguarding records. Retained indefinitely or in line with Swim England guidance and local safeguarding board policies.
- DBS certificates. The certificate number and verification date should be recorded, but the physical certificate should not be kept. DBS guidance recommends not retaining copies.
- Meeting minutes. Retained permanently as part of the club’s historical record.
- Correspondence. Deleted when no longer needed, typically within a year unless it relates to an ongoing issue.
When a family leaves the club, you should delete or anonymise their data within a reasonable period, unless you have a legitimate reason to retain it (such as safeguarding concerns or outstanding financial matters).
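The retention rules above can be turned into a repeatable check rather than an annual memory exercise. The following is an added example (not code from the page or from any club software it mentions) that decides, per record, whether to keep, anonymise or delete; the grace period after membership ends and the "within a year" window for correspondence are assumed values, and the anonymisation keeps only constructed non-identifying fields for club statistics.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods. Six years for financial records comes from the guide (HMRC);
# the 90-day post-membership grace period and 365-day correspondence window are
# assumptions chosen for this example.
FINANCIAL_YEARS = 6
MEMBERSHIP_GRACE_DAYS = 90
CORRESPONDENCE_DAYS = 365

@dataclass
class Record:
    category: str        # membership | financial | correspondence | safeguarding | minutes
    end_date: date       # membership end, financial year end, or date of the message
    hold: bool = False   # outstanding financial matter or safeguarding concern

def _add_years(d: date, years: int) -> date:
    # Avoid a ValueError when the anchor date is 29 February.
    day = 28 if (d.month == 2 and d.day == 29) else d.day
    return date(d.year + years, d.month, day)

def retention_action(rec: Record, today: date) -> str:
    """Return 'keep', 'anonymise' or 'delete' for one record as of `today`."""
    if rec.hold:
        return "keep"                      # legitimate reason to retain overrides the clock
    if rec.category in ("safeguarding", "minutes"):
        return "keep"                      # retained indefinitely / permanently
    age_days = (today - rec.end_date).days
    if rec.category == "membership":
        # Personal details go, anonymised statistics can stay.
        return "anonymise" if age_days > MEMBERSHIP_GRACE_DAYS else "keep"
    if rec.category == "financial":
        # Six years after the end of the financial year the record belongs to.
        return "delete" if today > _add_years(rec.end_date, FINANCIAL_YEARS) else "keep"
    if rec.category == "correspondence":
        return "delete" if age_days > CORRESPONDENCE_DAYS else "keep"
    raise ValueError(f"unknown category: {rec.category}")

def anonymise_member(member: dict) -> dict:
    """Strip identifying fields from a leaver's record, keeping only aggregate-safe ones."""
    keep = {"squad", "join_year", "leave_year"}   # constructed field names for this example
    return {k: v for k, v in member.items() if k in keep}

if __name__ == "__main__":
    today = date(2024, 6, 1)
    leaver = Record("membership", date(2024, 1, 1))
    print(retention_action(leaver, today))                          # anonymise
    print(anonymise_member({"name": "A. Swimmer", "squad": "Gold",
                            "join_year": 2019, "leave_year": 2024}))
```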
Transparency and privacy notices
GDPR requires that you are transparent about how you use personal data. This is usually done through a privacy notice, which should be easily accessible and written in plain language.
Your privacy notice should cover:
- Who you are (the name of the club and contact details for data protection queries).
- What personal data you collect.
- Why you collect it (the lawful basis for each type of processing).
- Who you share it with (e.g. Swim England for affiliation, the pool facility for session bookings, photography partners).
- How long you keep it.
- The rights individuals have (see below).
- How to make a complaint to the ICO.
The privacy notice should be provided at the point of data collection. For example, it should be linked from your membership application form and displayed on your website.
Individual rights
Under GDPR, individuals have specific rights over their personal data. Your club must be able to respond to requests to exercise these rights.
Right of access. Individuals can request a copy of the personal data you hold about them. You must respond within one month and provide the data free of charge (in most cases).
Right to rectification. If data is inaccurate or incomplete, individuals can ask you to correct it. This should be straightforward for clubs using a modern membership system where parents can update their own details through a parent portal.
Right to erasure. Individuals can request that you delete their data in certain circumstances. This does not apply if you have a legal obligation to retain the data (e.g. financial records) or if retaining it is necessary for safeguarding purposes.
Right to restrict processing. Individuals can ask you to stop processing their data while a dispute is resolved (e.g. if they contest the accuracy of the data).
Right to object. Individuals can object to processing based on legitimate interests. You must stop processing unless you can demonstrate compelling legitimate grounds that override their rights.
Most clubs will receive very few of these requests, but you should have a process in place to handle them when they arise.
Sharing data with third parties
Swimming clubs often share personal data with third parties, such as:
- Swim England (for affiliation and competition entries)
- The pool facility (for session bookings and emergency contact information)
- Gala organisers (for competition entries)
- Payment processors (for handling subscriptions)
Under GDPR, you can only share data when you have a lawful basis to do so, and you must inform individuals about the sharing in your privacy notice.
When you share data with a third party that processes it on your behalf (such as a payment processor or a club management system), that organisation is a data processor, and you must have a written agreement with them that sets out their data protection obligations. Reputable providers will provide a standard data processing agreement.
Data security
GDPR requires that you take appropriate technical and organisational measures to protect personal data. For a swimming club, this means:
Technical measures:
- Use strong, unique passwords for all systems and change them regularly.
- Enable two-factor authentication where available.
- Keep software and systems up to date with security patches.
- Use reputable, secure platforms for storing and processing data.
- Encrypt sensitive data, particularly when sending it by email.
Organisational measures:
- Limit access to personal data to those who genuinely need it.
- Train committee members and volunteers on data protection responsibilities.
- Have a clear desk and clear screen policy for devices used to access club data.
- Ensure personal data is not left unattended or visible in public places.
When choosing a club management system, prioritise providers who take data security seriously. Look for evidence of ISO 27001 certification, regular security audits, and clear data protection policies. If you’re evaluating platforms like SwimClub Manager, see our SwimClub Manager comparison for how different systems handle compliance and data security.
Data breaches
A data breach occurs when personal data is accessed, disclosed, altered, or destroyed without authorisation. Examples include:
- A laptop containing membership records is stolen.
- An email with personal data is sent to the wrong recipient.
- The club website is hacked and personal data is exposed.
If your club suffers a data breach, you must assess the risk to individuals. If the breach is likely to result in a risk to their rights and freedoms, you must report it to the ICO within 72 hours. If the risk is high, you must also notify the affected individuals.
In practice, most small data breaches (such as a single misdirected email) do not need to be reported to the ICO, but you should document the breach and your assessment of the risk. Keeping a record of breaches and how you responded demonstrates that you take data protection seriously.
Practical steps for compliance
Here is a checklist of practical actions your club should take to achieve GDPR compliance:
- Audit the data you hold. List all the personal data your club processes, where it is stored, and who has access to it.
- Document your lawful basis. For each type of data processing, record which lawful basis you are relying on.
- Create or update your privacy notice. Make sure it is clear, accurate, and easily accessible.
- Review your membership forms. Ensure they collect only necessary data and include appropriate consent clauses.
- Implement a data retention policy. Set clear rules for how long data is kept and when it is deleted.
- Secure your data. Review who has access to personal data and ensure it is adequately protected.
- Train your committee and volunteers. Make sure everyone understands their data protection responsibilities.
- Have a process for handling rights requests. Know how you will respond if someone asks to see, correct, or delete their data.
- Use GDPR-compliant systems. If you use a club management platform, ensure it meets GDPR requirements and has a data processing agreement in place.
How club management software helps
Modern club management systems like Swimly are designed with GDPR compliance built in. They provide:
- Secure, encrypted storage for all personal data.
- Role-based access controls to limit who can see what.
- Automated data retention policies.
- Privacy notices and consent management integrated into the sign-up process.
- A parent portal where families can view and update their own information.
- Audit logs that record who accessed or changed data and when.
- Data processing agreements that meet GDPR requirements.
Moving from spreadsheets and email to a purpose-built system significantly reduces your compliance burden and your risk of a data breach. Explore our membership management, billing automation, and attendance tracking features to see how we handle data protection.
Final thoughts
GDPR compliance is not about creating unnecessary bureaucracy. It is about respecting the privacy of your members and handling their data responsibly. For most swimming clubs, compliance is a matter of documenting what you already do, tightening up a few processes, and using the right tools.
The clubs that take data protection seriously build trust with their members. Families are more willing to share the information you need when they can see that you treat it with care. That trust is worth far more than the effort required to get compliance right.