
Nobody joins a club committee for the data protection. Yet the moment a club keeps a membership list it is processing personal data, and UK GDPR applies to a volunteer-run boat club just as it does to a supermarket. The reassuring part is that for a small club, getting it right is mostly a matter of habits rather than legal expertise. The less reassuring part: the area where clubs slip most often, marketing texts and emails, is also where members are most likely to complain.
Here is what actually matters.
You hold more data than you think
Start with an inventory. Names, addresses, phone numbers and emails, obviously. Then sailing qualifications and their expiry dates. Emergency contacts, which are someone else's personal data, often held without their knowledge. Payment records. Booking histories. Incident reports naming the people involved. And quite possibly medical notes, because someone once wrote 'mild epilepsy' on a joining form and it has sat in a filing cabinet ever since.
Medical information is special category data, which means you need a specific justification for holding it. The practical test is simple: would anyone at the club actually act on that note in an emergency? If yes, keep it, store it carefully, and say so in your privacy notice. If no, stop collecting it.
Running the club is not the same as promoting it
This one distinction does most of the work. Emailing a member to confirm a booking, chase a subscription or tell them the pontoon is shut is membership administration. You do not need consent for it; it is part of delivering what the member signed up for. The lawful basis is the membership contract itself, or the club's legitimate interest in running its own affairs.
Texting the whole membership about the summer barbecue, a chandlery discount or a recruit-a-friend drive is marketing. Different rules apply — the Privacy and Electronic Communications Regulations sit alongside GDPR here, and for texts and emails to individuals they demand consent. Real consent: a box the member ticked themselves, knowing what they were agreeing to. A pre-ticked box does not count. 'They never objected' counts even less.
SMS consent, done properly
Texts deserve their own section because they are where clubs get complacent. A text feels informal, and a mobile number feels like fair game. It is not. If a member gave you their number so you could reach them about their bookings, that is the purpose you may use it for. Anything beyond that needs its own opt-in. Done properly, SMS consent has three characteristics:
- Per purpose. Agreeing to booking reminders is not agreeing to marketing. Keep the categories separate and let members choose each one individually.
- Recorded. You should be able to show when consent was given and how. A vague sense that most people are probably fine with it will not survive a complaint.
- Revocable. Opting out must be as easy as opting in, and it must take effect promptly, not after the next three campaigns.
Erasure: what leavers can ask for, and what you keep
When a member leaves and asks you to delete their data, the right to erasure applies, but it is not absolute. You must remove what you no longer need: contact details from mailing lists, the member profile, the emergency contacts. You may keep what the law or the club's legitimate interests require. Financial records generally need to be retained for six years for HMRC. Incident and accident reports should be kept in case of an insurance claim, which can surface years later. And you are allowed to keep a minimal do-not-contact record, because honouring an opt-out requires remembering who opted out.
A sensible approach is anonymisation: strip the identifying details out of the historical records, so the treasurer's accounts still balance and the booking statistics still make sense without a name attached.
Prove it: consent trails, photos and testimonials
If a complaint ever lands, the question will not be whether your intentions were good. It will be: can you show when this person consented, what exactly they consented to, and who changed the setting if it changed? A paper membership form from 2019 in a lever-arch file is technically a record. It is not a good one.
The same discipline applies to photos and quotes. Before a member's face goes on the website or their kind words go in the newsletter, ask, and write the answer down with a date. People are almost always happy to say yes. They are considerably less happy to discover they were never asked.
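The three SMS consent properties and the "when, what, who changed it" questions above map directly onto an append-only record. The following is an added example, not Nauticore's code or anything from the original article; the purpose names, member IDs and method strings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical purpose categories: admin reminders and marketing are kept separate.
PURPOSES = {"sms_booking_reminders", "sms_marketing", "email_marketing", "photo_on_website"}

@dataclass(frozen=True)
class ConsentEvent:
    member_id: str
    purpose: str
    granted: bool
    at: datetime       # when the change was made
    changed_by: str    # who made it: the member or a named officer
    method: str        # how: "web form tick box", "replied STOP", ...

class ConsentLedger:
    """Append-only: events are never edited or deleted, so the trail stays intact."""
    def __init__(self):
        self._events = []

    def record(self, member_id, purpose, granted, changed_by, method, at=None):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        at = at or datetime.now(timezone.utc)
        event = ConsentEvent(member_id, purpose, granted, at, changed_by, method)
        self._events.append(event)
        return event

    def history(self, member_id, purpose):
        # Full trail for one member and one purpose, in the order recorded.
        return [e for e in self._events
                if e.member_id == member_id and e.purpose == purpose]

    def may_contact(self, member_id, purpose):
        # No record means no consent; the most recent event decides, so a
        # withdrawal takes effect for the very next send.
        trail = self.history(member_id, purpose)
        return bool(trail) and trail[-1].granted

    def recipients(self, member_ids, purpose):
        return [m for m in member_ids if self.may_contact(m, purpose)]

def demo():
    ledger = ConsentLedger()
    ledger.record("M001", "sms_booking_reminders", True, "M001", "joining form tick box")
    ledger.record("M001", "sms_marketing", True, "M001", "web form tick box")
    ledger.record("M002", "sms_booking_reminders", True, "M002", "joining form tick box")
    ledger.record("M001", "sms_marketing", False, "M001", "replied STOP")
    return ledger
```

Building every marketing send list through `recipients()` means an opt-out cannot be missed by a stale exported spreadsheet.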
This is one area where decent software quietly earns its keep. Nauticore, for instance, gives each member a communication-consent panel with a full audit trail of every change, and its erasure tool anonymises a departed member's record rather than punching holes in the club's history. But the principle stands whatever tools you use: know what you hold, separate admin from marketing, get genuine consent for the latter, and keep evidence of all of it. That is most of GDPR, and none of it needs a lawyer.