From the Club Forge blog

GDPR for UK martial arts clubs: a practical guide

By Kieron Greeff · 6 min read

Most UK martial arts clubs treat GDPR as a sign-up form checkbox and a paragraph in the privacy policy. That’s not enough. A typical dojo holds children’s names and dates of birth, emergency contact details, photographs from grading days, payment information, and in some cases medical conditions and safeguarding notes. Under UK GDPR that’s real personal data, much of it relating to children, with real obligations and real penalties for getting it wrong.

This is a practical guide. It isn’t legal advice. For that, speak to a UK-qualified solicitor or read the ICO’s guidance. But it covers the questions every UK club should be asking, and what most clubs in practice get wrong.

The six lawful bases (and which ones a club uses)

UK GDPR doesn’t let you process personal data because you feel like it. You need a lawful basis. There are six: consent, contract, legal obligation, vital interests, public task, and legitimate interests.

For a typical martial arts club, two cover most of the work:

  • Contract. Holding and processing a member’s data because they’ve signed up to train at the club. You need their name, contact details, payment information, attendance records — that’s contract data. You don’t need separate consent for it.
  • Consent. Anything beyond what’s strictly needed to deliver the service. Marketing emails, photographs of children, social media posting — these need explicit, granular, revocable consent.

Legal obligation also comes up. HMRC requires you to keep financial records for seven years. Vital interests is rare. Public task and legitimate interests are sometimes claimed by clubs, but the ICO is sceptical of legitimate-interests claims for processing children’s data, so don’t lean on it.

Consent has to be specific

“I agree to the terms and conditions” is not GDPR consent. Consent has to be:

  • Specific. What exactly are they consenting to? “Photographs being used for grading documentation” and “photographs being posted on the club’s Instagram” are different things.
  • Informed. Plain English. No buried clauses.
  • Freely given. Members must be able to refuse consent without consequence to the contract. You can’t withhold a membership because someone refused photo consent.
  • Revocable. They can withdraw consent at any time, as easily as they gave it.

Practically: if your sign-up form has a single “I agree to Terms and Privacy” checkbox covering everything, you don’t have valid consent for the marketing or photo processing.

Children’s data is harder

In the UK, the lower age limit for a child to give their own GDPR consent for online services is 13. For most under-13 club members, the parent or guardian gives consent on the child’s behalf. That consent should be on record, dated, and tied to a specific version of the policy.

Photographs of children are a common pitfall. Posting a grading photo on Facebook with the child’s face visible needs explicit per-child consent — not a blanket photo opt-in covered by the membership form. If you have eight juniors in a grading photo and three of their parents haven’t opted in, you can’t post it.

The same applies to filming. Lots of clubs film classes for instructional purposes; if those clips end up online, every identifiable face needs consent.

How long can you keep data?

GDPR doesn’t give a single answer. The principle is that you keep data for as long as you have a lawful purpose, and not longer.

For a club, that breaks down roughly:

  • Active member data. Held for as long as they’re a member, plus a reasonable wind-down.
  • Lapsed member contact details. Common practice is 12–24 months after they leave, then anonymise. A reason to hold longer might be safeguarding records, but those are usually a separate retention regime.
  • Financial records. Seven years, by HMRC rule. This isn’t optional. You can’t delete a payment record before then even if a member asks you to.
  • Photographs and consent records. Usually retained as long as the photo itself is in active use. When the photo is taken down, the consent record can be archived too.

The right answer is to write a short retention policy, share it in your privacy notice, and stick to it.

Data subject rights

Members have specific rights under UK GDPR. The big ones for a club are:

  • The right of access. A member can ask for a copy of all their personal data. You have one calendar month to provide it, in a portable format, free of charge. Most clubs have never done this and would struggle if asked.
  • The right to be forgotten. They can ask you to delete their data. There are exceptions (financial records, safeguarding obligations) but the default is to comply.
  • The right to rectification. If their data is wrong, they can ask you to correct it.
  • The right to object. They can object to marketing at any time, and you have to stop.

A subject access request usually arrives by email and won’t always say “subject access request” on it. “Can you send me everything you have on me?” counts. Treat it as the clock starting on a one-month deadline.

Soft anonymisation

Once a member’s contact details have been deleted, you can often keep anonymised aggregate data. “In 2018, this club had 142 active members across three disciplines” is a fact about the club; it doesn’t identify anyone. You can keep that.

Soft anonymisation is the technique of stripping identifying fields (name, email, phone, address, date of birth, photos) while keeping the structural shell of a profile. It lets you maintain long-term club history without holding identifiable data on people who left a decade ago.
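A minimal sketch of that technique, added here as an illustration and not taken from Club Forge's code. The record layout, field names and the 12-month default are assumptions; it keeps an allowlist of structural fields rather than deleting a list of identifying ones, so it also drops fields the list above doesn't name (emergency contacts, free-text notes). Payment records under the seven-year rule are assumed to live elsewhere and are not touched.

```python
import calendar
from datetime import date

# Assumed record layout: only these structural fields survive. An allowlist
# means any field added later (e.g. free-text notes) is stripped by default.
KEEP_FIELDS = {"member_id", "discipline", "joined", "left"}

# Constructed sample records, not real members.
SAMPLE = [
    {"member_id": 1, "name": "Sample Member A", "email": "a@example.invalid",
     "date_of_birth": date(2012, 5, 1), "emergency_contact": "07000 000000",
     "discipline": "karate", "joined": date(2018, 1, 10), "left": date(2024, 2, 29)},
    {"member_id": 2, "name": "Sample Member B", "email": "b@example.invalid",
     "discipline": "judo", "joined": date(2018, 6, 1), "left": None},
]

def add_months(d, months):
    """Shift d forward by whole months, clamping the day (29 Feb + 12 -> 28 Feb)."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)

def due_for_anonymisation(member, today, retention_months=12):
    """True once a lapsed member has passed the retention window."""
    if member["left"] is None or "anonymised_on" in member:
        return False  # still active, or already processed
    return today >= add_months(member["left"], retention_months)

def soft_anonymise(member, today):
    """Return a new record holding only the structural shell."""
    shell = {k: v for k, v in member.items() if k in KEEP_FIELDS}
    shell["anonymised_on"] = today
    return shell

def active_members_in_year(members, year):
    """Aggregate club history; gives the same answer on anonymised shells."""
    return sum(1 for m in members if m["joined"].year <= year
               and (m["left"] is None or m["left"].year >= year))

if __name__ == "__main__":
    today = date(2025, 3, 1)
    roster = [soft_anonymise(m, today) if due_for_anonymisation(m, today) else m
              for m in SAMPLE]
    print(roster[0])
    print(active_members_in_year(roster, 2018))
```
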

Common pitfalls

From talking to other club owners, the patterns are consistent:

  • One blanket consent at sign-up. A single checkbox doesn’t cover marketing, photographs, or social media. Each needs its own opt-in.
  • No audit trail on consent. If you can’t prove who consented to what, and on what date, you don’t have valid consent.
  • Holding emergency contacts forever. Once someone leaves, their emergency contact information should fall out of retention along with the rest of their personal data.
  • Photos from years ago, still online, no consent on file. Run an audit. Take down anything you can’t evidence consent for.
  • Spreadsheets and group emails. Members in email TO/CC fields can see each other’s addresses; that can be a personal data breach. Use BCC, or a proper mail system.

How Club Forge handles this

Club Forge bakes the structural pieces in:

  • Consent records are versioned. When the policy changes, members re-consent, and the previous version stays on file.
  • Retention rules run automatically — the lapsed-member 12-month window, the financial seven-year window, the photo-consent window — without anyone having to remember.
  • Subject access exports happen in two clicks: a PDF for human reading and a CSV for machine portability.
  • Soft anonymisation is built in — clubs can preserve their aggregate history without holding identifiable data past retention.

More on how Club Forge handles GDPR on the features page.


One last note. This piece is a practical overview, not legal advice. For actual compliance work — drafting policies, handling complex requests, responding to a breach — consult a UK-qualified solicitor or the Information Commissioner’s Office. The ICO’s guidance for small organisations is genuinely good and worth reading.

About the author

Kieron Greeff is building Club Forge and runs Ichiban Leeds, a karate club in Leeds. He’s been training martial arts for many years and building software for some of them.