It can be a challenge for sporting bodies to meet their obligations under existing data protection law, not to mention the enhanced obligations under the General Data Protection Regulation ("GDPR"). However, because of the GDPR, data protection is a significant risk management issue. Like any other risk, it needs to be assessed, continually monitored and in many cases insured against. Fines under the GDPR will increase, as will the scope of compensation payable to data subjects whose rights have been breached.
This article by Aidan Healy considers the challenges of the GDPR, as well as existing regulations such as the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (which are particularly relevant as regards fundraising) and the steps sporting bodies need to take.
The GDPR, as I'm sure readers are well aware, came into effect on 25 May 2018. It represents a development of data protection law rather than a rewrite. Many of the GDPR's requirements are already in place under existing data protection law. It is important to stress that data protection is principles-based and so the answer to any question will often be 'it depends' and may differ from organisation to organisation. This leads to uncertainty in many sectors and this is not helped by one-size-fits-all software solutions promising GDPR 'compliance'.
There is no exemption for the sports sector in terms of the fines and compensation which could arise. While the maximum fine of the higher of €20 million or 4% of turnover has been much heralded, the ability of data subjects to claim compensation for breaches of their data protection rights, even where they have suffered no financial loss, is a more clear and present danger for organisations.
It isn’t possible in the space available to deal comprehensively with a behemoth like the GDPR and so the following are some top tips for sports bodies and common myths about the GDPR.
Before you do something with somebody's personal data, stop to think 'am I entitled to do this' and 'if somebody did this with my personal data would I have a difficulty with it'.
You don’t need consent for every use of personal data, but if you don’t have consent you need to know what other legal basis you have that allows you to use the data. In broad terms, the other bases are that the processing is necessary (i) to fulfil a contract, (ii) to comply with a legal obligation, (iii) to protect vital interests, (iv) for the performance of a task carried out in the public interest / in the exercise of official authority or (v) for the purposes of your organisation's legitimate interests.
Your organisation must have data protection policies and procedures and document decisions made in relation to data protection.
Data access requests have long been a tool in litigation and employment disputes. They may become more prevalent in terms of disciplinary disputes in sport. They could for example be used in relation to an athlete appealing a selection decision for the Olympics or another international event.
For anti-doping matters and potential match-fixing, sporting bodies need to ensure they have a legal basis for transferring potential evidence (i.e. personal data). This ground is unlikely to be consent, and it may be possible to justify such transfers on the basis of legitimate interests (e.g. the sports body is protecting the integrity of a sport in the interests of the organisation, its participants and indeed the wider public).
The right to erasure may cause a difficulty for governing bodies engaging in regulatory investigations and enforcement processes, particularly in the area of integrity and sports betting. The legitimate interest and in some cases the public interest in monitoring gambling data may come into conflict with an individual's right to have personal data erased.
Issues may arise in relation to the publication of disciplinary and other decisions relating to players or athletes. Any dissemination of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is disseminated.
Volunteers are no different to employees; they must be trained and equipped to comply with data protection law.
The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 mean you cannot send unsolicited communications electronically for direct marketing purposes. This is an additional layer of law, separate from the GDPR, and applies solely to the delivery mechanism of direct marketing. The following table summarises the rules that apply.
Sports bodies can use soft opt-in if selling products and services, but not in relation to fundraising or other marketing updates, for example. This is because soft opt-in only applies to customers of an organisation, and if you are not selling products or services to people they cannot be customers.