Dry January has been and gone, but dry topics continue to dominate the year's agenda. Sports organisations will already be advanced in their preparation for the General Data Protection Regulation (GDPR), which takes effect on 25 May 2018. However, the complex data communities that make up sporting industries – fans and customers, children and adults, coaches and players, volunteer staff and stadium visitors – mean that simply getting a handle on all that personal information is no easy task. And that is only what is needed to fire the starting gun.
The sports sector has exposure on a large and very public scale to some high-risk information, including that relating to safeguarding, DBS checks, doping, biometrics, health, analytics, participation (from elite to grassroots) and performance. The risks include not only potential legal liability for any failure to process the data lawfully and responsibly, but also the consequent reputation risk of such failure.
Some organisations may have to settle for mere sufficiency by 25 May 2018 if they are not at an advanced stage in their preparations, but all must at least be able to demonstrate they are on the right path and not an easy target for the regulator (the ICO) or potential claimants in litigation.
As we ease into 2018, we take a pause to consider where we are – specifically in respect of expected ICO Guidance and the latest on the new UK-only Data Protection Bill – and where we ought to be.
Where should you be as of today?
Hopefully, all data controllers (including virtually every sports organisation) will have by now appointed a compliance lead in this area – whether or not called a "Data Protection Officer" (or DPO – see below) – and begun to raise awareness across the organisation. This person will have a task on his or her hands to get support and buy-in from key staff and management.
This ought to have precipitated an audit designed to understand what data the organisation holds, and why it holds it (both in the sense of "for what purpose" and "on what legal basis"). This step is recommended, and indeed we would say is an essential first step. After this has been completed, organisations can embark on the more tangible outputs of GDPR preparation, such as a new Privacy Notice and a comprehensive review of the following:
- Data collection forms and consent wording, giving careful thought to where it is wise to move away from "consent-based" processing (and where it is not possible).
- All relevant policies where data protection has an impact: Data Protection Policy for Internal Use, Safeguarding, Anti-Doping, Retention of Records, CCTV / Use of Images, IT: Acceptable Use, data sharing with other organisations, etc.
- Key internal contracts with individuals – employment, coaching contracts, player development and funding contracts.
- Key external contracts and outsourcing including IT, hospitality and broadcasting (noting that while personal data processed for the purpose of journalism is largely exempt from data protection regulation, commercial offshoots like promotional images and betting are not).
The above are the outwardly-visible signs of compliance. However, GDPR also requires you to have internal records demonstrating how compliance and privacy have been considered in major projects or risk areas: for example, whizzy new CRMs, performance analysis and live data capture, and safeguarding. Someone in your organisation needs to know how to carry out data "Privacy Impact Assessments" (PIAs or DPIAs) for these tricky areas, starting with a general one documenting the outcomes of the audit referred to above.
Until you have carried out these internal assessments, and identified where you will be relying on grounds such as legitimate interests rather than seeking consent for the use of personal data, it is unlikely to bring much benefit to attempt to draft any of your key policies, forms, or the Privacy Notice itself.
What happened to the guidance from the Information Commissioner?
One of the key roles of the ICO is to produce intelligible guidance, both general and sector-specific, to assist organisations (and the public) in getting to grips with the complex and lengthy rules around data protection law. For data controllers such as sports organisations, this generally means understanding where the line of compliance will be drawn in practice (and ideally in good time before it takes effect).
In the past, a common complaint about the ICO was the sheer weight and wordiness of their guidance. Another was its caution and specificity in interpreting the law. But in the build-up to GDPR, the opposite complaints have been heard: all sectors have been crying out for final-form ICO guidance on key areas such as consent, legitimate interests, children, drafting PIAs, the appointment of a DPO and so on.
However, despite some ever-expanding general guidance to the GDPR (accessible here), the critical final form of the guidance in the key areas likely to have the largest day-to-day impact is still outstanding in almost every area.
What guidance is now available?
Nevertheless, the above should not fool anyone into thinking that the ICO does not have plenty of useful resources, for example:
1. General guidance, such as the evolving Guide to the GDPR document referenced above, is also conveniently linked from the above page alongside FAQs, step plans and self-help checklists. The most recent changes to the Guide to the GDPR (at time of going to press) were issued in December 2017, and key new or adapted sections cover the following areas:
- Lawful basis for processing personal data. Central to both current and new data protection law is establishing a "lawful basis" for any processing of personal data. These include consent and "legitimate interests" (see below). The ICO Guide emphasises the need to consider any existing or new processing and determine which lawful basis is met; and the new requirement to document and publish this in a Privacy Notice to be actively provided (wherever possible) to relevant individuals.
- Consent. As above, the ICO is still due to publish fuller guidance on "GDPR consent", but the Guide (and the ICO draft: see below) gives a clear idea of its thinking: that GDPR sets a high bar. The ICO Guide reminds you to be clear that individuals can withdraw their consent to the organisation's use of their personal data; and that if consent is withdrawn, you cannot then look for a different lawful basis. This makes it all the more important to consider what lawful means are available to process without consent, and the ICO Guide concedes that this is a legitimate approach.
- Legitimate interests. The Guide notes how flexible this very useful alternative to consent can be, but spells out that you need to (1) identify a legitimate interest for processing the data and set it out in your Privacy Notice; (2) be able to show that your processing is necessary for that legitimate interest; and (3) balance your interest against the privacy interests of the individual. It recommends that you carry out and document a "legitimate interests assessment" for relevant processing activities, and suggests an approach to this. Please note that legitimate interests alone will not be sufficient to process special category or criminal offence data; or to send electronic direct marketing.
- New Subject Rights and how to comply with them (found here).
- Sensitive personal data (now termed "special category" and criminal conviction/offence data). In addition to a lawful basis, these categories of data (including information relating to race, religion, health and sex life) require you to meet a further, narrower, condition. Again, this must be documented and communicated to relevant individuals.
2. Draft guidance on consent: At the time of going to press, the ICO's draft consent guidance from March 2017 remains the most detailed record of its intentions in this regard, and the longer WP29 draft (i.e. the EU Guidance) from December 2017 is available here.
3. Draft guidance on the GDPR and children: (noting the specific rules and allowances made for minors, and still in consultation until the end of February 2018) here.
4. Brief guidance on Privacy Notices under GDPR (see here) and a relatively up-to-date, but more general, Privacy Notice guide which was drafted in 2016 but with trends towards GDPR in mind (available here).
5. A Code of Practice for drafting Privacy Impact Assessments available through this link, which is now three years old, and is perhaps more heavy-handed than it needs to be, but which still has merit in its approach as a tool for GDPR compliance.
6. Draft guidance for consultation on the relationship between data controllers and data processors under GDPR (see here). ISBA has also published materials on this.
7. A series of "myth-busting blogs" by the Information Commissioner, which do help cut through some of the scaremongering and misinformation – while reminding organisations that GDPR does mean change and a higher standard of data protection must be met. One reassuring message is that the ICO intends to use its new fining powers "judiciously and proportionately", and that its enforcement priority will be action against those who "systematically fail to comply with the law or completely disregard it, particularly when the public are exposed to significant data privacy risks". All good news for those taking reasonable and proportionate care to comply with the new law (including, as above, documenting whatever steps are taken).
What guidance is still to come?
In addition to the final consent, children and data processor guidance as above, the ICO has promised guidance on where personal data can be processed on the basis of legitimate interests (which many sports organisations will be relying heavily on).
Looking beyond these, we still await: a more granular, sector-specific view from the ICO on who needs to appoint a DPO, given that it is by no means clear what types of non-public authorities will (and noting the many inherent headaches with the role); a fully GDPR-focused guide to Privacy Notices and PIAs; updated GDPR guidance on the impactful area of Subject Access and fuller guidance on the other, new individual rights; and new guidance on direct marketing (while further on the horizon lies the ePrivacy Regulation).
Is there anything else to watch out for?
As mentioned above, the new ePrivacy Regulation will have a particular impact on telephone and email direct marketing (including business to business), use of social media, and website cookies. It is still being negotiated in Brussels. Finalisation of the new law is lagging some way behind GDPR – but data controllers are likely to have at least a year to digest the new rules, once agreed, before they take effect.
Next, a new UK-only Data Protection Act will sit alongside GDPR and, broadly speaking, plug the gaps left by the EU for member states to fill in on a domestic basis. The bad news is that the first draft of this (September's Data Protection Bill 2017) ran to 194 clauses; and even at the time of publication it is still some way off, being debated in the Lords, even though it must come into force on 25 May 2018. The better news is that, very broadly, the government is looking to plug those GDPR gaps by mirroring existing data protection law quite closely. The most relevant feature for sports organisations is the "substantial public interest" processing ground, which permits sensitive personal data processing for measures – either undertaken by or under the supervision of a responsible body, or for the purposes of providing information to them – designed to eliminate, identify or prevent doping in sport or at a sporting event.
Finally, watch out for turbo-enhanced data subject access rights (SARs). Those who have already encountered subject access rights will not need to be told the business cost and staff effort required in dealing with these often somewhat emotive disclosure processes: with GDPR, compliance times will be shorter (1 month, not 40 days) and the ability to charge a fee removed. In addition, SAR cover letters will need to shout from the rooftops about other data subject rights: to be forgotten (albeit this is not an absolute right); to withdraw consent; to object to marketing; to have one's data moved on, amended or erased; and so on. This provides a strong imperative to organisations to ensure their IT / CRM systems are fully auditable, retrievable, amendable and so on.
Although it is getting late in the day, a core message remains not to panic. Acceptable levels of compliance may still be achievable – even for complex organisations – but the key is to do a lot more than nothing. Get on top of the new concepts, learn to conduct PIAs internally (they are a record-keeping shield as well as a compliance tool and risk register), and start to amend at least the outward-facing notices and contracts.
Above all, don't leave your organisation wide open. Choose your preferred sporting simile – like a Kyle Edmund forehand, like a Mitchell Starc bouncer, like a crisp Paul Pogba half-volley – but if you take your eye off the ball, the next four months will whistle past your nose before you have a chance to get into position.
If you require further information on anything covered in this briefing please contact Owen O'Rorke or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2018