GDPR is a new EU regulation set to radically reform the way we handle individuals' personal data, and will come into force less than a year from now. This month, we consider the effect of GDPR on the sports sector, providing practical examples of its impact along with how to prepare for the biggest shake-up in data protection law for twenty years.
It is a little misleading to say that GDPR is "new". It was debated by the EU for four years and published in its final form in 2016. This triggered the starting gun on a two-year period of preparation, which we are now well over a year into.
Organisations that have already started on the track to compliance are appreciating how complex and time-consuming this can be. However, the basic principles behind GDPR are not that difficult to understand:
it makes data protection a fundamental right for individuals – it seeks to put individuals in control of their data by requiring organisations to be much more transparent about what they do with personal data and making it harder to obtain consent;
it requires organisations to change their culture around data – they must be able to demonstrate compliance not just by issuing policies and procedures, but by being able to show that these have been absorbed into the culture of the organisation and are understood;
it globalises EU data protection law – the new laws will catch not just organisations based in the EU, but also those supplying products or services in the EU or monitoring individuals located in the EU;
GDPR backs all of this up with very serious sanctions, including regulatory fines of up to 4% of annual global turnover or €20M, whichever is the greater, as well as making it easier for individuals to enforce their rights directly.
Brexit will not mean that GDPR can be ignored. First, GDPR comes into force in May 2018, before the UK leaves the EU, so UK organisations will need to be compliant. Second, the UK Government supports GDPR and it will be retained beyond Brexit, as confirmed by the Information Commissioner (IC). Third, as UK organisations will continue to supply goods and services to EU nations, they will also need to comply with the new regime.
But what does GDPR really mean for the sports sector and how will organisations have to change their approach to personal data? A few examples should help to illustrate this.
Marketing to members and fans
At present, many sports organisations have vast databases of individuals that they market to, sometimes acquired by the organisation itself and sometimes acquired from others. There are existing rules around direct marketing to those individuals, basically requiring a form of consent or other reasonable indication that the individual would expect to receive marketing. The problem is that the individuals may have given their "consent" on an opt-out basis (meaning they failed to tick the box that said "no"). That will no longer be sufficient under GDPR, where a clearer indication of consent is required. In addition, even where consent has already been given, such as on an opt-in basis, it may no longer be good enough. This is because the explanations provided to individuals at the time they opted in are unlikely to have been clear enough for GDPR purposes, so the consent is not properly "informed consent".
Some organisations are therefore already starting to ask individuals for consent in a GDPR-compliant way, using more transparent privacy notices. However, that will not work for existing members or fans without seeking renewed GDPR-compliant consent. Accordingly, continuing to rely upon non-compliant consent after May 2018 will be unlawful and organisations could be prevented from using it and fined. This is something that sports organisations must prepare for when considering how to communicate with their members and fans.
Data monitoring and reporting
Increasingly, we are able to monitor individuals in much more sophisticated ways. The sports sector is no different, for example, monitoring athletes' diet and performance. There are often important reasons for doing this (e.g. performance considerations), but what about the individual's rights in respect of this data? Some of it could be very sensitive medical data. GDPR potentially makes the position much more complex.
Consent of the athlete might be seen as the answer, but GDPR means that individuals who have no real choice but to consent (such as employees) are unlikely to be deemed to have given true consent. Organisations must therefore consider other lawful reasons under GDPR to gather and use this sort of data. The "legitimate interests" of the organisation might be one basis. However, that has to be balanced against the rights of the individual and documented to demonstrate GDPR compliance, an exercise that very few organisations are likely to have undertaken to date.
Alternatively, in relation to anti-doping measures, processing sensitive personal data (such as blood readings) is likely to be justified on the basis of compliance with regulations or in the public interest. But again, an assessment needs to be made and documented. The concept of transparency also means that the individual needs to be clearly informed about what is being done with their data and the lawful reason relied upon by the organisation in processing that data. Again, this may not have happened in a GDPR-compliant way to date. Finally, if the anti-doping programme discovers a misdemeanour and the individual is sanctioned, the relevant governing body will typically report this publicly and sometimes retain that report in a publicly accessible way for a very long time. The right to do this may be challenged as no longer legitimate. An assessment would need to be made about how long it is reasonable to publish that information (publication itself being a regulated act of data processing). This would include conducting assessments of information that has already been published.
Responding to regulatory requests
The sports sector is also heavily regulated, with regulators potentially being in a position to require participating organisations to disclose data about individuals. One might think that GDPR means there will now be an inherent clash between the rights of the affected individuals and the new requirements from regulators to disclose personal information. However, GDPR recognises that there are a range of lawful reasons to process data, but at the same time it requires organisations to consider carefully what they are handing over and why. In this respect, the role of a new internal regulator for sports organisations, called the Data Protection Officer (DPO), becomes very important.
GDPR provides that the DPO has to have sufficient expertise about data protection laws and regulation, and have direct access to senior management. They must: be able to exercise their functions free of undue influence or pressure from the organisation; operate without conflicts of interest; and be involved in all aspects of the management of data within the organisation, including where regulators are requesting access to individuals' personal data. Due to the limited numbers of such individuals available, sports organisations would be well advised to move quickly in appointing someone with the necessary experience, or at least invest in training someone for this role. Even where a formal DPO is not required, it is still a good idea for an organisation to appoint someone with the necessary competence to guide them through to compliance and then maintain this thereafter.
As with all other industries, the sports sector is vulnerable to data breaches, whether caused by outside actors or from within. GDPR requires organisations to put in place proportionate technical and organisational measures to reduce the risk of data breaches, howsoever they may occur. The new regime also sets out criteria by which an organisation will be judged by the relevant national regulator which, in the UK, will be the ICO. This will include a 72-hour notification window for any breach. The extent of the fine imposed by the ICO will be significantly influenced by the steps taken by the organisation to prevent a breach, along with how it responds when faced with such an event. Given the potential fines, damages, costs and reputational harm consequent on a breach, all sports organisations would be well advised to review and implement, as appropriate, improved technical and organisational protections, as well as develop crisis management plans to enable them to respond to a breach.
These examples illustrate how GDPR will affect sports organisations. They provide a taste of the key steps that affected organisations need to take to achieve compliance by 25 May 2018. These are:
Make data protection a priority in the organisation at a senior level;
Appoint a DPO or compliance lead to steer you to compliance and manage it thereafter;
Find out what you currently do with data and your basis for that;
Adjust your processes and policies to be compliant;
Re-engage with your members, athletes, fans and customers to make sure that what you do with their data is GDPR-compliant;
Change your culture around data by training your staff about why it is important; and
Review and implement improved preventative measures and response plans.
There is a lot to do between now and May 2018. If this were an 800 metre race we would already be entering the back straight on the second lap, approaching the business end of the race. Some organisations are aiming for a gold standard of GDPR compliance. However, any club, governing body or agency should at least be in a position to demonstrate a reasonable level of compliance once we reach the finishing line next spring. Failure to do so will lead almost inevitably to significant consequences. Being one of the first to catch the attention of the ICO after May 2018 is likely to be a most uncomfortable experience, potentially resulting in very damaging outcomes.
If you require further information on anything covered in this briefing please contact Ian De Freitas or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2017