The long-awaited and much-discussed EU General Data Protection Regulation (GDPR) enters into force across the EU and the UK on 25 May 2018, bringing with it a range of new and extensive requirements for organisations involved in the collection, processing and management of personal data. Additionally, from 25 May 2018, the new Data Protection Act 2018 replaces the Data Protection Act 1998 and will sit alongside the GDPR as the UK’s new data protection laws.
Our earlier article, available here, highlighted many of the broader issues under the GDPR, which are still relevant. However, with the implementation of GDPR taking place, Centrefield has now provided some further thoughts for those involved in the sports industry to consider as they seek to address GDPR:
#1 The clock is ticking – whilst GDPR compliance should technically be completed by now, there remains some ‘added time’ and the ICO has made it clear that organisations are unlikely to face significant fines for non-compliance on day one, provided that their compliance plans are underway. However, for organisations that are yet to get to grips with GDPR, the clock is ticking so now is the time to consider and take advice on how best to comply with GDPR and accelerate the implementation process.
#2 Data mapping – have you carried out a data protection audit across your organisation? Organisations should now have a clear understanding of their data-related operations, including how personal data is collected, processed, and transferred (whether within their organisational structure or to third parties). Understanding the flow of data within your organisation (sometimes known as ‘data mapping’) will be invaluable both during the implementation of data protection policies and when dealing with personal data on a day-to-day basis. As part of an audit/data mapping process, organisations should be clear which policies/procedures require updating and which contractual arrangements (mainly those with service providers acting as ‘data processors’) require amendment.
#3 Commercial arrangements – sporting organisations, whether clubs, sports brands, agencies or companies involved in sport (such as ticketing agencies, CRM providers and event organisers), will need to consider any existing and future commercial arrangements in the context of GDPR. For sports organisations (particularly clubs and teams), their sponsorship arrangements, which may be heavily reliant on the value of access to fan data, will need to be reviewed to ensure they have the relevant consents to utilise such data and that any potential sponsors agree to, and are able to implement, any necessary data protection arrangements.
#4 Fan / Customer data – consent to use personal data will now be harder to obtain, particularly in relation to marketing communications. Silence, pre-ticked boxes/requirements to opt out or non-specific/‘blanket’ consent requirements are no longer sufficient, and consent must be “unambiguous”. Sports organisations should have clear processes and procedures to document how consent was obtained and for what purpose. Data protection laws do not exist in isolation, and organisations are also required to comply with the Privacy and Electronic Communications Regulations 2003, which set out rules about how you can contact fans/customers (e.g. whether by email and/or by phone etc.).
#5 Rights of individuals – the new data protection laws enhance the rights of individuals and put individuals in control of their own data more than ever before. Further, personal data breaches by organisations have been significant news topics recently, meaning individuals are now more aware of their data rights than ever before. New rules around ‘subject access requests’ (i.e. the right for an individual to receive a copy of his/her personal data held by an organisation) will mean that organisations will need a clear system in place to respond to subject access requests within the required time period. A subject access request could arise in a number of scenarios, in the form of a request to a national governing body, a club or a team (e.g. from an aggrieved athlete/player, a parent of a young athlete/player or an employee/former employee).
If you would like any more information on any of the points raised above or any advice in connection with data protection matters, please contact David Bentham (Partner), Deirdre McCarthy (Associate) or David Anderson (Associate), or call 0161 672 5450.
Please note the information contained in this briefing is intended as a general review of the subject featured and is not intended as specific legal advice.