Safeguarding, GDPR, and the Registration Form You Shouldn't Be Using
Your registration form asks for a child's date of birth, medical conditions, emergency contact, parental consent and a photo permission. All of this lives in a shared Google Sheet. Three coaches have edit access. Two club admins have view access. It is not encrypted at rest. You are one subject access request away from a very bad afternoon.
Common registration setups that fail
- A Google Form dumping to a shared Sheet. No access controls beyond "anyone with link."
- An email address that collects PDFs. Personal data in inboxes forever.
- A WhatsApp group for last-minute entries. Phone numbers, names and DOBs in a social app.
- A printed form stored in a folder. Physical controls are typically weaker than digital.
If any of these sounds like your event, keep reading.
The GDPR basics you must hit
- Lawful basis. You need one — usually parental consent for minors. It must be explicit, informed and re-collected each event.
- Data minimisation. Only collect what you need. "Any other info you'd like us to know" is a liability.
- Access control. Only named event staff should see personal data, and only for the event window.
- Retention. Define how long you keep data post-event. Most events should delete within 90 days unless there's an insurance or incident reason to keep it.
- Subject access rights. A parent can ask what you hold about their child. You must be able to find it, export it, and delete it on request.
Safeguarding is not the same as GDPR — you need both
Safeguarding covers how children are protected during and around the event — disclosure checks, photo permissions, chaperone rules, medical consent. GDPR covers how their data is stored. Your registration needs to collect both, track both, and store both correctly.
The minimum bar
- Registration form asks only what you need — no optional free-text "notes" fields.
- Parental consent is an explicit tickbox with the text linked to a full policy.
- Photo permission is a separate opt-in — not bundled.
- Medical info is collected only if needed at event, stored encrypted, and destroyed after.
- Access is role-based — event staff see it only during the event window.
- All data is deletable on request within 30 days.
The tooling question
No generic form tool does all of this. You either use a purpose-built competition registration system or you accept you are carrying risk. If you are a small club, the registration system you choose is your safeguarding tool. Choose accordingly — see our guide to choosing competition management software and cash on the door: the hidden cost.
Not legal advice. Every federation and every country has its own specifics. This is a starting framework — your national governing body should provide exact safeguarding templates. If they don't, ask them why not.
Stop firefighting. Start running events properly.
Brackets, scoring, rings and results in one place — from £39 per event.
See plans & pricing →Run your next event the way it should run.
From £39 per event — all you need is internet and a browser.
🥋 Try the live scoring demoPrefer to talk it through? Call or text +44 7546 289 419 — UK working hours. Or email tkd@webmatter.co.uk.