Your Membership Database Just Disappeared. Now What?

James Craig
Advisor United Kingdom

Picture this. It's a Tuesday morning in September - right in the middle of your membership renewal period. You log into your membership system and get an error message. Something about the server being unavailable. You try again. Same thing. You call your IT person - the one committee member who "knows about computers" - and they try. Same error.

Turns out your web hosting company had a server failure overnight. Your membership database, your event bookings, your financial records, your communication history - all of it was on that server. The hosting company has backups, they tell you, but they're from three weeks ago. Three weeks of new member signups, payments processed, and data entered - gone.

I'm not making this up. Versions of this story happen to small organisations across the UK every month. They just don't make the news because nobody outside the organisation knows or cares. The people inside the organisation care a great deal, usually at about 11pm on a Tuesday night when they're trying to reconstruct their membership list from email receipts and bank statements.

This is what UK Sport's guidance on Requirement 2.7 of the Code for Sports Governance is designed to prevent. Not with expensive enterprise IT infrastructure. With a plan.

Data recovery is not the same as "we have backups"

The UK Sport guidance makes a useful distinction. A data recovery plan isn't just about having backups. It's about having thought through four things:

  1. What data you hold. All of it. Membership records, financial data, HR records (if you have staff), safeguarding case files, committee meeting minutes, contracts, insurance documents, event attendee lists, correspondence, marketing databases. Most organisations hold more data than they realise.
  2. Where it lives. In a cloud system? On someone's laptop? In an email inbox? In a filing cabinet? On a USB stick in the treasurer's kitchen drawer? Don't laugh - I've seen all of these. Most organisations have data spread across multiple locations, some of which they've forgotten about.
  3. What happens if you lose it. Not all data is equally critical. Losing your membership database mid-renewal season is catastrophic. Losing last year's AGM minutes is inconvenient but recoverable. Losing safeguarding case files is a regulatory crisis. Prioritise accordingly.
  4. How you get it back. This is the actual recovery plan. For each category of data, how do you restore it? How quickly? Who's responsible for doing it?

Start with the inventory

Before you can plan for recovery, you need to know what you're recovering. The UK Sport guidance recommends involving staff (or committee members, for volunteer-run organisations) from across the organisation to build a complete picture.

Here's a practical way to do it. Sit down with each person who handles organisational data - your membership secretary, your treasurer, your safeguarding lead, your events coordinator, your communications person - and ask them three questions:

  • What data do you work with regularly?
  • Where is it stored?
  • If your laptop died right now, what would you lose?

The answers will probably alarm you. They usually include things like:

  • "The membership spreadsheet is on my personal computer. I email a copy to the secretary every month."
  • "I save the financial records in my personal Dropbox. I think I shared the folder with the Chair but I'm not sure."
  • "The safeguarding referral forms are in my email. I keep meaning to file them somewhere."
  • "The event registration data is in the Eventbrite account. But only I have the login."

Every one of these is a single point of failure. The data exists in exactly one place, accessible by exactly one person. If that person becomes unavailable or that device fails, the data is gone.

The GDPR problem

This isn't just an operational risk. It's a regulatory one.

The Information Commissioner's Office (ICO) - the UK's data protection regulator - takes a dim view of organisations that lose personal data through negligence. Under UK GDPR, you're required to implement "appropriate technical and organisational measures" to protect personal data. That includes having proper backup and recovery procedures.

If your membership database is lost and it contained names, addresses, email addresses, dates of birth, and payment details - which most membership databases do - you may be legally required to report it to the ICO as a data breach. You'd certainly need to notify the affected individuals. And if the ICO investigates and finds that your data recovery procedures were, effectively, "someone emails themselves a spreadsheet," you're not going to have a comfortable conversation.

The ICO's guidance for small organisations is clear: even small, volunteer-run organisations that process personal data need to take data protection seriously. You don't need an enterprise IT budget. You need a plan, documented procedures, and some basic hygiene.

The National Cyber Security Centre (NCSC) has published a Small Charity Guide that covers the practical steps. It's free, it's written in plain English, and it takes about 20 minutes to read. If you run a sports organisation and you haven't read it, close this article and go read that first. I'll wait.

What your data recovery plan should cover

Right. Based on the UK Sport guidance and practical experience, here's what your plan needs.

Inventory and classification

List every system and data source your organisation uses. Be exhaustive. Include:

  • Your membership management system
  • Your financial/accounting system (or spreadsheet)
  • Your email accounts (organisational and personal accounts used for organisational business)
  • Your website and its content management system
  • Social media accounts
  • Your document storage (Google Drive, OneDrive, Dropbox, local storage)
  • Event management platforms
  • Communication tools (WhatsApp groups, newsletter platforms)
  • Banking platforms
  • Any specialist systems (competition management, booking systems, etc.)

For each one, record: what data it holds, who has access, how it's backed up, and how long you could function without it.

Risk analysis

For each system, ask: what could go wrong?

The UK Sport guidance breaks this into familiar categories:

  • Hardware failure - a server dies, a laptop breaks
  • Cyber attack - ransomware, phishing, unauthorised access
  • Human error - someone accidentally deletes the database, or overwrites the master spreadsheet
  • Service provider failure - your cloud provider has an outage, your hosting company goes bust
  • Natural disaster - flood, fire at your premises
  • Access loss - the person with the login leaves and nobody else has the credentials

For sports organisations, the most common scenarios are human error and access loss. The dramatic ones - ransomware attacks, server room floods - happen, but most data loss in the voluntary sector is someone accidentally deleting something or someone leaving without handing over their passwords.

Backup strategy

For every critical system, you need a backup approach. The standard rule of thumb is 3-2-1: three copies of your data, on two different types of storage, with one copy off-site.

For most sports organisations using modern cloud-based systems, this is largely handled for you. If your membership data lives in a cloud platform (and it should), the platform provider handles replication and backups. But you should verify this - check your provider's terms of service and backup policies. Know their Recovery Point Objective (how much data you'd lose in a worst case) and their Recovery Time Objective (how quickly they can restore service).

For data that lives locally - spreadsheets, documents, email - you need your own backup. Google Workspace or Microsoft 365 for business accounts give you cloud-based document storage with version history and recycle bins. At minimum, use these instead of storing documents on individual devices.

The NCSC backup guidance recommends testing your backups regularly. A backup you've never tested is an assumption, not a backup.

Responsibilities

Your data recovery plan needs named people. Not "the IT team" (you probably don't have one). Not "the committee" (which is everyone and therefore no one). Specific names, for specific systems, with specific contact details.

The UK Sport guidance recommends having a second named deputy for each area - because if the primary person is the one who's unavailable during the crisis, having only their name in the plan defeats the entire purpose.

Testing

Test the plan. Once a year is fine. The test doesn't have to be elaborate.

Pick a system. Ask the deputy (not the primary) to demonstrate that they can access it, find the most recent backup, and explain how they'd restore it. If they can't, the plan has a gap.

The UK Sport guidance suggests testing in a "simulated environment." For most sports organisations, this means: pick a quiet week, pretend your treasurer is on holiday, and see if someone else can process the weekly payments. If the answer is no, fix it before you need to find out the hard way.
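
The checks described above (3-2-1 copies, at least two named people per system, a restore test within the last year) can be run mechanically over the inventory. The Python below is an added example, not part of the UK Sport or NCSC guidance or of any product named in this article; the field names and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class System:
    name: str
    copies: int                 # total copies of the data, including the live one
    media: set                  # distinct types of storage holding a copy
    offsite: bool               # at least one copy away from the primary location
    people: list                # named people who can log in and restore
    last_test: Optional[date]   # last time a restore was demonstrated, if ever

def audit(system, today):
    """Return the gaps for one inventory entry, using the rules in this article."""
    gaps = []
    if system.copies < 3:
        gaps.append("fewer than three copies")
    if len(system.media) < 2:
        gaps.append("only one type of storage")
    if not system.offsite:
        gaps.append("no off-site copy")
    if len(set(system.people)) < 2:
        gaps.append("single point of failure: no named deputy")
    if system.last_test is None:
        gaps.append("restore never tested")
    elif (today - system.last_test).days > 365:
        gaps.append("restore test older than a year")
    return gaps

# Constructed sample inventory (illustrative values only)
INVENTORY = [
    System("membership spreadsheet", 2, {"laptop", "email"}, False,
           ["membership secretary"], None),
    System("accounts (cloud)", 3, {"provider cloud", "monthly export"}, True,
           ["treasurer", "chair"], date(2024, 3, 1)),
]

def report(inventory, today):
    """Map each system name to its list of gaps (empty list means no gaps found)."""
    return {s.name: audit(s, today) for s in inventory}

if __name__ == "__main__":
    for name, gaps in report(INVENTORY, date.today()).items():
        print(f"{name}: {', '.join(gaps) if gaps else 'ok'}")
```
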

Cloud systems changed everything (if you're actually using them)

I'm going to say something that will sound self-serving, so let me say it plainly: the single most effective data recovery measure for any sports organisation is moving critical data from personal devices and personal accounts into a shared, cloud-based system.

Not because cloud is a magic word. Because of what it eliminates.

When your membership data lives in a proper membership management system - rather than in a spreadsheet on someone's laptop - the backup problem is solved by the platform provider. The access problem is solved by role-based permissions. The "person leaving" problem is solved by transferring their account rather than hoping they forward an email.

When your financial records live in Xero or QuickBooks rather than in a personal spreadsheet, your auditor can access them directly. Your backup is automatic. Your new treasurer can see what's been done and pick up where the old one left off.

When your documents live in Google Workspace or Microsoft SharePoint with proper organisational accounts, they survive any individual leaving. Version history means accidental deletions are recoverable. Shared access means knowledge isn't locked in one inbox.

None of this requires an IT department. It requires a decision, a weekend of migration, and a commitment to actually using the shared systems instead of drifting back to personal ones.

Passwords and access management

This deserves its own section because it's the issue I see most often.

Sports organisations are terrible at password management. Shared passwords written on Post-it notes. One person's personal email as the admin account for everything. "The password is the same as it's always been" - which nobody knows because "always" predates every current committee member.

Get a password manager. Bitwarden has a free tier. 1Password has a teams plan that costs next to nothing. Create organisational accounts for every service your organisation uses. Store the credentials in the password manager. Give access to at least two committee members for each account.

Turn on multi-factor authentication for everything that offers it. The NCSC is very clear on this: multi-factor authentication is the single most effective thing you can do to prevent unauthorised access to your accounts.

And when someone leaves the committee, change the passwords they had access to. This sounds obvious. It almost never happens.

A plan doesn't need to be long

The temptation with any governance requirement is to produce something impressive and comprehensive. A beautifully formatted 30-page document that demonstrates how seriously you take the subject.

Don't. Your data recovery plan should be short enough that people actually read it. The UK Sport guidance agrees - plain language, practical, and known to the people who'd need to use it.

A useful data recovery plan for most sports organisations is probably three to five pages:

  • Page 1: Inventory of systems and data
  • Page 2: Backup arrangements for each system
  • Page 3: Recovery procedures (what to do when things go wrong)
  • Page 4: Responsibilities and contact details
  • Page 5: Review log (when was the plan last tested and updated)

Print a copy. Give it to the Chair. Give it to the CEO or lead volunteer. Make sure the Board knows it exists and where to find it. Review it once a year or whenever a major system changes.

That's it. That's a data recovery plan that meets Requirement 2.7 and, more importantly, actually works when you need it.

The [Code for Sports Governance](https://www.sportengland.org/guidance-and-support/governance) is published by [UK Sport](https://www.uksport.gov.uk/) and [Sport England](https://www.sportengland.org/). For practical cyber security guidance, visit the [National Cyber Security Centre's Small Charity Guide](https://www.ncsc.gov.uk/collection/charity). For data protection obligations, see the [Information Commissioner's Office guidance for small organisations](https://ico.org.uk/for-organisations/advice-for-small-organisations/).
