
GDPR for kids' sports clubs in the UK: what coaches actually need to do

Last updated: 2026-04-21 · compliance, coaches

If you’re coaching children in the UK, you’re a data controller under UK GDPR the moment you collect a parent’s phone number. That’s uncomfortable news if you thought GDPR was a problem for big corporations — it’s not. But it’s also not nearly as scary as the headlines suggest, once you know what the ICO actually expects from a small club.

This guide is for coaches running a wrestling, BJJ, judo, boxing, dance, or children’s activity club in the UK with between 10 and 200 members. It’s a plain-English walkthrough of what you actually need to do, what you can skip, and how to put your compliance on autopilot.

Disclaimer: this article is informational and not legal advice. For anything genuinely contested, speak to a UK data-protection professional or contact the ICO helpline.

The short version

  1. Register with the ICO (£40–£60 a year for most small clubs).
  2. Have a privacy notice that parents see before they give you any data.
  3. Collect data on a valid lawful basis — almost always parental consent for children under 13.
  4. Store data safely — which in 2026 means: no loose spreadsheets, no shared folders that the whole club can see, encrypted backups.
  5. Delete data you don’t need any more, within a defined retention period.
  6. Respond to parents’ requests (access, correction, deletion) within 30 days.

That’s it. The other 90% of what you’ll read online is corporate GDPR — subject access policies, data processing agreements, DPIAs. You don’t need most of it if you’re a small single-site club using reputable tools.

Rule 1 — Register with the ICO

Every UK organisation that processes personal data must register with the Information Commissioner’s Office. For a small club it costs £40 per year (Tier 1) and takes about 10 minutes online at ico.org.uk/registration. You need to renew annually.

You’ll get a registration number. Put it on your website and privacy policy. It’s the easiest part of compliance and the one most clubs skip — don’t be that club.

Rule 2 — Write a privacy notice, show it before signup

A privacy notice tells parents, in plain English, what data you collect, why, how long you keep it, who you share it with, and what rights they have.

For a small club it needs to cover at minimum:

  • The categories of data you collect (name, DOB, emergency contact, medical notes, attendance record).
  • The purpose of each (running classes, contacting in emergency, insurance, bookkeeping).
  • Who else sees it (your coaching team, your insurer if there’s an incident, possibly HMRC if audited).
  • How long you keep it (active while the child is a member, then delete or archive for a defined period).
  • Parents’ rights: to access, correct, delete, port, and object.
  • Your contact details for data queries.
  • Your ICO registration number.

You do not need a 4,000-word template written for a FTSE-100 legal team. A one-page plain-English notice linked from your registration form and your website footer is fine. We publish our Clubroll privacy template here — not legal advice, but a reasonable starting point to adapt.

Rule 3 — Use parental consent for kids under 13

For children under 13, you can’t rely on the child’s consent. You need the parent or guardian’s consent. This is the usual lawful basis for a small club because:

  • “Contract” doesn’t work well — the child can’t enter a contract.
  • “Legitimate interest” usually fails the balancing test for children’s data.
  • “Vital interests” only applies to life-threatening situations.

So: parent ticks a consent box at registration, explicitly for each purpose you’ll use the data. Tick boxes must be un-checked by default (no “implied consent”), and the wording must be specific — “I consent to Clubroll storing my child’s emergency contact” — not a single vague “I agree to anything and everything”.

For children over 13, under UK law they can give their own consent, but in practice for sport clubs it’s simpler to keep parental consent as your standard and change later if ages drift up.

Rule 4 — Store data safely

This is where most small clubs unknowingly fail. “Safely” in 2026 means:

  • No shared Excel on a random laptop. If your laptop gets stolen from the boot of your car, every parent’s phone number goes with it. Same for paper registers in the back-office filing cabinet when the club gets burgled.
  • No group Google Sheets that everyone in the coaching team can edit. Who has access to what is itself a GDPR question.
  • Passwords that aren’t “coach2025”.

The practical answer for small clubs is a proper tool that stores data encrypted at rest, with named user accounts (so you can revoke one coach’s access when they leave), and backups you don’t have to manage manually.

If you’re still on paper or loose Excel, the fastest GDPR upgrade you can make is migrating to a single platform. Clubroll does this by default — data in Postgres, encrypted backups, per-user accounts, tenant-isolated records. But the principle applies even if you pick a different tool.

Rule 5 — Delete what you don’t need

GDPR’s data-minimisation principle says you should only keep data as long as you need it for the stated purpose. In practice:

  • Active members: keep everything.
  • Left the club: start a retention clock. Most clubs land on 6–24 months retention after departure — long enough to handle late injury claims, short enough to respect privacy.
  • After the retention period: delete or anonymise. If you use a platform with a built-in “close account” flow, this should be a one-click operation.

A common GDPR-friendly design: keep anonymised attendance aggregates forever (you want to know class sizes over time), but delete the personal data that links attendance to a specific child after their retention period ends.
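The design above, sketched as an added example (not Clubroll's own code). The schema, table names, the 365-day retention value and the sample rows are all assumptions made for illustration; SQLite stands in for whatever database your tool uses.

```python
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 365  # assumed value inside the 6-24 month range above

SCHEMA = """
CREATE TABLE members (id INTEGER PRIMARY KEY, child_name TEXT, parent_phone TEXT,
                      left_on TEXT);            -- NULL left_on = active member
CREATE TABLE attendance (member_id INTEGER REFERENCES members(id),
                         class_name TEXT, session_date TEXT);
CREATE TABLE session_counts (class_name TEXT, session_date TEXT, headcount INTEGER,
                             PRIMARY KEY (class_name, session_date));
"""

def record_session(conn, class_name, session_date, member_ids):
    """Store who attended (personal) and the headcount (anonymous) separately."""
    conn.executemany("INSERT INTO attendance VALUES (?, ?, ?)",
                     [(m, class_name, session_date.isoformat()) for m in member_ids])
    conn.execute("INSERT INTO session_counts VALUES (?, ?, ?)",
                 (class_name, session_date.isoformat(), len(member_ids)))

def purge_expired(conn, today, retention_days=RETENTION_DAYS):
    """Delete members whose retention clock has run out; return how many."""
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    expired = [r[0] for r in conn.execute(
        "SELECT id FROM members WHERE left_on IS NOT NULL AND left_on <= ?", (cutoff,))]
    with conn:  # one transaction: link rows and the member row go together
        for member_id in expired:
            conn.execute("DELETE FROM attendance WHERE member_id = ?", (member_id,))
            conn.execute("DELETE FROM members WHERE id = ?", (member_id,))
    return len(expired)

def build_sample_db():
    """Constructed sample data: one active member, two who have left."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", [
        (1, "Child A", "07000 000001", None),
        (2, "Child B", "07000 000002", "2024-01-10"),   # left long ago
        (3, "Child C", "07000 000003", "2025-12-01"),   # left recently
    ])
    record_session(conn, "U10 judo", date(2023, 11, 4), [1, 2, 3])
    conn.commit()
    return conn
```

Purged rows still exist in any backup taken before the purge, so backup rotation needs to be shorter than, or counted inside, the retention period you publish.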

Rule 6 — Respond to parents within 30 days

Parents have the right to ask:

  • “What data do you hold about my child?” (Subject Access Request)
  • “Please correct this emergency contact” (Rectification)
  • “Please delete my child’s record” (Erasure, subject to your legal retention needs)
  • “Send me their full record in a portable format” (Portability)
  • “Please stop emailing us about class offers” (Objection to marketing)

You have one month to respond. For a small club, the pragmatic setup is: one email address parents can use for data queries (privacy@yourclub.com), a note on your privacy page, and a process for pulling the right data together when asked.

If you’re using a modern tool, all of this should take under 10 minutes per request. A coach running a shoebox of paper records will spend hours.

Waivers — the bit most clubs get technically wrong

Waivers are a separate legal mechanism from GDPR consent, and they interact awkwardly. Key rules:

  1. Capture the waiver text, not just the fact of signing. If you update your waiver wording in 2027, you need to be able to show what the parent actually agreed to in 2026. Storing just “signed = yes” is not enough.
  2. Version the waiver. Tag each signed waiver with a version string (e.g. “v1”) so you can reproduce historic versions later.
  3. One waiver per child, not per family. Easier to manage additions/departures.
  4. Keep the signed waiver for the limitation period for personal-injury claims (typically 6 years for adults, but for children the limitation doesn’t start until they turn 18 — so practically you keep waivers a long time).
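Rules 1 to 3 as a record format, in an added example that is not Clubroll's code. The waiver wordings, field names and function names are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample wordings; a real club would load its own published texts.
WAIVER_TEXTS = {
    "v1": "I accept the risks of contact training for my child.",
    "v2": "I accept the risks of contact training and competition for my child.",
}

@dataclass(frozen=True)
class SignedWaiver:
    child_id: int      # one record per child, not per family
    parent_name: str
    version: str
    text: str          # full wording as shown at signing, not a pointer to "current"
    text_sha256: str   # digest taken at signing; catches later edits to `text`
    signed_at: str     # UTC, ISO 8601

def _digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def sign_waiver(child_id, parent_name, version, signed_at=None):
    """Copy the wording into the record so later edits to WAIVER_TEXTS cannot alter it."""
    text = WAIVER_TEXTS[version]
    when = (signed_at or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return SignedWaiver(child_id, parent_name, version, text,
                        _digest(text), when.isoformat())

def is_intact(record):
    """True if the stored wording still matches the digest taken at signing."""
    return _digest(record.text) == record.text_sha256

def needs_resign(record, current_version):
    """A child signed under an older wording is flagged, never silently upgraded."""
    return record.version != current_version

def latest_for(log, child_id):
    """Newest waiver on file for one child, or None if there is none."""
    mine = [r for r in log if r.child_id == child_id]
    return max(mine, key=lambda r: r.signed_at) if mine else None
```

The digest only detects accidental or careless edits to a stored record; anyone who can rewrite both fields can defeat it, so write access to the waiver store should be limited to named accounts.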

Emergency contacts and medical notes

These are special category data under GDPR (health data in particular). Rules tighten:

  • Only collect what you genuinely need to run class safely.
  • Explicit consent required.
  • Access restricted to coaching staff, not shared with the whole club network.
  • Encrypt at rest; avoid sending via unencrypted email or WhatsApp.

For a small club this means: put it in one secure system, not in a pinned message in the team’s WhatsApp group.

Things you do NOT need to do

There’s a lot of GDPR folklore. Small UK clubs in most cases do not need:

  • A formal Data Protection Officer (DPO). This is mandatory for public authorities and large-scale processors, not for a 50-member club. The founder/owner can be the named contact.
  • A Data Processing Agreement for every tool you use — though you should use reputable vendors who have them.
  • A Data Protection Impact Assessment (DPIA) for every change — only for high-risk processing (large-scale monitoring, systematic profiling). Normal club admin doesn’t trigger this.
  • Cookie banner consent for essential cookies. Session cookies that keep a parent logged in are “strictly necessary” and don’t need a banner. Analytics cookies do.

A 45-minute compliance sprint

If you have one unbothered 45-minute window, here’s what you’d do:

  1. Register with the ICO (£40, 10 mins): ico.org.uk/registration.
  2. Adapt a privacy notice (15 mins): start from our template or one from the SRA/YST. Publish on your website.
  3. Tick-box audit (10 mins): look at your current signup form. Are consent tickboxes explicit? Un-pre-ticked? Linked to specific purposes? Fix if not.
  4. Access audit (10 mins): list everyone who currently has access to parent/child data. Remove anyone who doesn’t need it. Change shared passwords.

Do this once, you’re ahead of 80% of small clubs in the UK.

Where Clubroll fits

Clubroll is built with UK children’s-data rules in mind from day one:

  • Per-child waivers with version capture, stored to defensible timestamps.
  • Explicit parental consent boxes at registration.
  • Role-based access so only club owners and coaches see parent/student data.
  • One-click delete of student records (honouring erasure requests).
  • Encrypted backups, tenanted storage so clubs can’t see each other’s data.

If GDPR is one of the reasons you’re putting off modernising your admin, it’s actually the best argument for doing it soon. Paper and Excel don’t get more compliant with time. Try Clubroll free at clubroll.uk/signup — no card required.


Written by the Clubroll team

© 2026 Anatolian Software · Clubroll