Whether you are a Premier League football club or a local gymnastics club, you will have both members and fans. Should you be a larger organisation, you may also have associated leisure facilities or even a hotel. All of this means that you will be holding the personal information of many individuals, as well as information relating to your employees and volunteers. If this sounds like your club, you need to be aware of the forthcoming General Data Protection Regulation (GDPR).
The GDPR is a new EU regulation which comes into force on 25th May 2018 and it’s set to radically reform the way that all organisations handle individuals’ personal data. Delivering the biggest shake-up in data protection law for over twenty years, you may have seen headlines relating to the huge potential fines for organisations which don’t comply – either €20m or 4% of global turnover. What isn’t always addressed – and is arguably even more damaging than a fine – is the negative impact on an organisation’s reputation, the costs of remedy, loss of the data and the long term commercial implications.
Data is a key asset for organisations in the sport sector, especially with greater emphasis now being placed on fan and participant engagement. This means that the ownership, maintenance and growth of databases represents one of the most significant investments for sports clubs, and a key factor in their ongoing commercial development.
At present, many sports organisations hold a vast amount of personal data for members and other individuals that they engage with, or market to. These databases have been created using data gathered by the organisation itself, and sometimes acquired from other sources. This is where the first challenge lies for the majority of organisations – understanding what form of consent was given. Was there any consent given? Was consent given on an opt-out basis (i.e. the individual failed to tick the ‘no’ box)? Does it fit the new requirement for informed consent? The need to understand all of this is crucial to maintaining compliant engagement with your members, supporters and fans.
Under the GDPR, companies are required to obtain a significantly higher standard of consent. The individual must provide clear, freely given, specific, informed and unambiguous consent for the organisation to process their personal data. This means that, in the run up to May 2018, organisations need to consider factors such as:
1. the extent to which their customer databases rely on implied consents
2. how they will go about refreshing / enhancing these consents where necessary
3. how they will achieve the necessary standard of consent in the future
4. how they will evidence that they have obtained the necessary standard of consent
We have only spoken about ‘consent’ so far, which is just one aspect of the forthcoming GDPR.
There are a number of other key considerations that all sports organisations need to be aware of, including:
• how is the data being used e.g. profiling?
• is any of the data being held ‘Sensitive Personal Data’ e.g. health information, children’s information (summer camps)?
• do you have the processes and ability to manage Subject Access Requests, to remove all data associated with an individual across all data types if requested (right to be forgotten), and to manage data breaches and notify both the ICO and the individuals impacted?
• is the data stored safely and securely?
• are your partners and suppliers processing and managing your data correctly e.g. marketing partners, payroll providers, CCTV suppliers?
• can you provide evidence of your organisation’s compliance?
This final point relating to the evidential requirements placed on every organisation to be compliant with the GDPR is another hugely important consideration, so we’ll delve a little deeper. The GDPR has no certification of compliance, so to prove compliance you will need to retain clear, date-stamped evidence covering all data processing undertaken across your organisation.
This will include demonstrating an understanding of your risks, details of how you have mitigated those risks, details of the data processing activities carried out in delivering marketing campaigns, information about Subject Access Requests received and responded to, data breaches, the type of consent obtained, etc.
Despite all of these changes and new challenges, the GDPR does present opportunities for organisations. The framework outlined by the regulation is designed to facilitate digital business and, once compliance is achieved, your organisation will have the solutions and processes in place to maximise the value of personal data securely and confidently. You will be in a fantastic position to operate with clear and demonstrable consent from your club’s members, fans and employees.
By complying with the requirements of the GDPR, and communicating your compliance to your external audiences, you can build trust and strong relationships with your members, fans and employees. It is clear that individuals will connect with brands they trust and employees will seek employers they trust – the whole notion of trust will become far less abstract and far more commercial in its value.
To mitigate the risks, comply with the regulation and take advantage of these opportunities, organisations will need to be flexible and embrace the GDPR as a strategic initiative.
This is only the start, as the regulation will be interpreted and updated over time. It is vital that organisations learn how to adapt the way they operate to achieve compliance, otherwise they may struggle as the GDPR disrupts the traditional ways in which they engage with fans, members and employees.
David Woolley, Head of UK at Sytorus Data Protection Specialists, recently spoke at FEC Brighton where he shared his knowledge and experience. If you have any questions about how the GDPR will affect your organisation, please call the Sytorus team on 0207 936 9442 or email firstname.lastname@example.org.