The General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998 on 25 May 2018. It will require all data controllers and data processors to meet new requirements. The UK will supplement this with a new Data Protection Act later this year.

The main changes include:

• Increased rights for data subjects, including a right to detailed data protection notices and new rights to delete or restrict data;
• New accountability obligations, which will require data controllers to demonstrate and record how they meet data protection obligations; and new fines, of up to €20,000,000.

A controller is an organisation that determines the means ("how") and purposes ("why") of processing. It can choose what data will be used and for what purposes, and is in charge of ensuring that all data protection requirements are met. For example, The FA is a data controller for its employees as their employer and of participants' details where these are registered under FA rules or are used for FA marketing.

A data processor is an organisation that only processes data on behalf of a controller and on their instruction. A data processor does not have any independent right to use data for its own purposes. Most of a data processor's obligations come under contract from the data controller, but under the GDPR processors now also have some statutory obligations to ensure security, report breaches and keep accountability documents.

Data is any information that relates to an identifiable individual. This isn't limited to 'obvious' information, such as a person's name, address or bank details, but also includes information such as their FAN number, their dietary requirements and their photograph. Data does not have to be factual – opinions that a person holds, or opinions that other people hold about them, are also considered personal data.

Processing is any use of personal data. This includes storing it, using it to make decisions, accessing it on your phone, sending it to another person or even anonymising it. If you "do" something to personal data, you will be considered to be "processing" it.

The FA has been working closely with our legal helpline service provider, Muckle LLP, to provide support to clubs around GDPR. Muckle LLP has produced a series of fact sheets and easy-to-use online training modules which can be accessed via the links below should you want further information.

• FA Online Training
• GDPR Fact Sheets

The Information Commissioner's Office (ICO) has also produced guidance for all UK businesses on how to prepare for the GDPR. You can find the following on its website:

• 12 Steps To Take Now
• Guide to the GDPR

In addition to the above, the ICO has a dedicated telephone helpline which provides advice on data protection matters and the GDPR.

The relevant contact information can be found here.

The FA will not be undertaking any review or compliance activities in respect of non-FA systems. In addition, The FA will not be undertaking compliance activities in respect of clubs’ use of data on FA systems for their independent purposes or, to the extent that it falls under the provisions of the regulation, personal data processed by clubs in hard copy forms. Any non-FA systems or applications which clubs use to collect personal data or processing which is carried out by clubs for independent purposes will need to be reviewed and updated (as necessary) by each club. Each club will need to consider if it needs to update its notices to participants, create internal data protection procedures or spend time considering its information security procedures.

The FA has completed a thorough GDPR audit with the help of external advisors and we are in the process of making a number of changes to our systems and processes to meet the new legal requirements. Where you rely on an FA system, for example WGS or FullTime, you can be sure that it will meet requirements on information security and that online terms and privacy notices will be updated to cover known and intended uses of The FA’s systems. The FA will also make sure that contracts are in place with any relevant software providers and with other footballing stakeholders as needed under the GDPR.