General Data Protection Regulations (GDPR)

21 October 2017
GDPR will replace the Data Protection Act 1998 (DPA); however, many of the GDPR’s main concepts and principles are much the same as those in the current DPA. Therefore broad compliance with the DPA will remain valid under GDPR.

Our recommendation to clubs, counties and Regions at this stage is for them to ensure that they are compliant with the DPA. Our guidance on the DPA is on our website on the following link:

Set out below is a summary of the key changes under the GDPR.  Not all of these changes will be applicable to clubs, counties and Regions but in early 2018 Swim England will begin to provide specific guidance on the subject areas below where relevant to clubs, counties and Regions.  The timing and nature of these updates will be dependent on when the Information Commissioner’s Office issues updated guidance on each of the new areas. 


GDPR requires more active consent to support lawful processing of personal data; wherever consent is required for data to be processed, consent must be explicit, rather than implied.

Lawful basis for processing personal data

Organisations will be required to identify the lawful basis for their processing activities, document it and update privacy notices to explain it.

Data Breaches

Organisations will be required to notify the Information Commissioner’s Office, and (in some cases) data subjects, of significant data breaches, for example where the breach could result in financial loss or damage to reputation to a data subject.

Right to be Forgotten

The GDPR enshrines the “right to be forgotten”, giving data subjects the right to require a controller to delete data files relating to them if there are no legitimate grounds for retaining them.

Data Subject Access Requests (DSARs)

Organisations will be required to handle DSARs within a month, rather than the current 40 days.


Organisations will have increased transparency obligations; privacy notices will need to include much more detailed information.

Data Portability

Organisations must ensure data subjects can easily transfer their data files from one service provider to another.

Data Processors

Organisations processing data on behalf of other companies will be required to comply with a number of specific data protection obligations.  They will be liable to sanctions if they fail to meet these criteria.

Privacy by Design & Privacy by Default

Organisations must take privacy risk into account throughout the process of designing a new product or service, and adopt mechanisms to ensure that, by default, minimal personal data is collected, used and retained.  An approved certification mechanism can be used to demonstrate compliance with the applicable requirements.

Data Protection Officer (DPO)

Organisations will have to appoint a DPO when they are, for example, processing sensitive data on a large scale.  The DPO will report to the highest level of management.

Privacy Impact Assessment (PIA)

A PIA will be mandatory before processing personal data for operations that are likely to present higher privacy risks to data subjects due to the nature or scope of the processing operation.

Stronger Enforcement

Non-compliance could lead to heavier sanctions. The revised enforcement regime is underpinned by the power for regulators to levy financial sanctions of up to 4% of the annual worldwide turnover of the organisation or up to €20 million, whichever is higher.