General Data Protection Regulation (GDPR) for Sports Clubs
Since the GDPR came into force in May 2018, it has transformed data handling and management throughout the EU. The law applies to every sector and organisation that processes the personal data of EU citizens, and that includes the sports sector. So, in this article, we will look at how GDPR affects sports clubs in the EU. But first:
What is GDPR?
Before you can understand how GDPR applies to the sports industry, you need to understand what GDPR really is. At its core, GDPR, which stands for General Data Protection Regulation, is a set of rules established by the EU aimed at giving EU citizens more control over their personal data. The law also aims to simplify the regulatory environment, making it easier for both organisations and citizens to benefit from the digital economy. The world we live in today is constantly changing, especially where data privacy is concerned, and the governments of Europe needed reforms that reflected those changes. As you may know, our lives revolve around data, whether on social media, at banks and retailers, or with the government, where almost every service involves the collection and analysis of personal data. So, the governments saw it as necessary to regulate data processing to ensure that the privacy of personal data, and consent to its use, are strictly respected.
In terms of application, the GDPR applies to any organisation that processes or controls personal data and operates within the European Union, or operates outside the EU but serves EU citizens. Such organisations are called controllers or processors: a controller is any organisation, public authority, agency or other body that determines the purpose and means of processing personal data, while a processor is any organisation or body that processes the data on behalf of the controller.
So, does GDPR apply to sports clubs?
Here is the thing: all sporting bodies in Europe are governed by the GDPR in some shape or form. Just like any other organisation or industry, sports clubs collect personal data from fans, players, volunteers and employees. The governing bodies are in charge of performance data, while the anti-doping agencies require appropriate measures to process health records. Basically, a lot of data is held by sporting organisations, and so there is a need to regulate it under the GDPR. All the data subjects involved have considerably enhanced rights under the new law. The GDPR preserves the rights subjects had under the previous law, such as the right to access their own personal data, challenge automated decisions about them, rectify inaccurate data, and object to direct marketing. In addition, the law introduced new rights, including the right to data portability and the right to erasure.
For other organisations, failure to comply with the new law results in fines of up to 4 percent of annual turnover, or 20 million (whichever is higher). For sports organisations, the penalty can be even more concerning: under the Code for Sports Governance, sporting clubs risk losing all their public funding if they fail to comply with the GDPR. Governing bodies need to demonstrate that appropriate compliance policies and procedures are in place.
GDPR and sports performance analysis
Sporting organisations monitor and collect information about the performance of their athletes, such as a player’s speed or how the players are performing in general. There is also special category data – defined under article 9 of the GDPR – that a sports club collects, such as health, biometric and other information about the players’ well-being. With all this data about the players, sports organisations need to establish a lawful basis before they process it, as described under article 6 of the GDPR; for the processing of special category data, the conditions are set out under article 9.
For instance, article 6(1)(b) of the GDPR provides a lawful basis where processing is necessary for the performance of a contract, and it is what sports clubs rely on when a contract stipulates the collection and processing of players’ data: the processing is then for the performance of a contract to which the data subjects (players or club members) are party. Clubs may also need to process data in order to carry out their obligations and exercise their specific rights in relation to the protection of players and employees. For instance, sports clubs have a responsibility to maintain a healthy and safe working environment, and to do so they might need to process health data in order to identify risks that may affect the players. In this way, organisations develop ways to avoid such risks and maintain a safe workplace.
GDPR is designed to apply in all EU member states. However, the interpretation and implementation of the law, specifically its exemptions and derogations, is left to each member state, and member states can adapt the law to fit their own jurisdictions. In the context of disciplinary processes, the GDPR provides for exemptions for international data exchanges on matters of public interest, such as eliminating doping in sport. The law allows sport governing bodies and regulators to process even special category data about players for integrity and regulatory reasons, especially where these are in the public interest. There are two public interest conditions under the GDPR: one is anti-doping in sport, and the other is standards of behaviour in sport.
With regard to the anti-doping condition, the exemptions allow the processing of data to help eliminate doping in a particular game or in sport in general, and to provide more information about suspected doping. As for the behavioural standards condition, the derogations allow processing for the purpose of protecting the integrity of the sport. In this case, the processing may not be disclosed to the data subjects, since disclosure might prejudice its ultimate purpose.
How to ensure that you are compliant with the GDPR Law
Now that you know how GDPR applies to sports clubs, how can you ensure that you are fully compliant with the law and avoid penalties? Here are a few steps:
Pinpoint the data – first and foremost, you need to think about data storage, and you need a plan. Think about where the data is stored: do you have a cloud-based sports participation management system, or is all the data on paper? You will need to answer these questions. If the data is on paper, are you satisfied with how accessible it is, and, most importantly, is it safe? If the data is stored in the cloud as a single, centralised record, so much the better; that is actually preferable. However, for a cloud-based platform, the platform provider must be able to demonstrate compliance with the GDPR, and it is the responsibility of the sports club, as the controller, to ensure that it does. Sorting out data storage is a vital step towards GDPR compliance, so be thorough.
Why is the data needed? – the main reasons sports clubs collect data from players and other members are to process club membership, take care of the players, and raise funds. Regardless of how much data you hold, you need to clearly state the purpose for which you hold it and how long you intend to hold it. This is required under the GDPR, so sorting it out is also of vital importance for full compliance.
Who is responsible – whoever is responsible for gathering data from everyone within the club also plays a key role in compliance. The club officers are the ones responsible for gathering, storing and processing personal data. They manage the data, and if any individual wants to change or erase their data, these are the people who will help. This is a very important role and should be clear from the outset.
Getting consent – whatever the club’s intention with the data, consent must be obtained from the data subjects unless the purpose is a police investigation or a matter of significant public interest. The major purpose of the GDPR in the first place was to give data subjects specific rights over their personal data, and obtaining their consent before processing it is one of those rights. Needless to say, this is an important step towards full compliance with the law.
Members’ rights – every member of the club has the right to access, update or erase the personal data the club holds about them. This right must never be violated, otherwise it will attract heavy penalties. So, sports clubs need to ensure that data subjects are aware of the data being held, and if they wish to update or erase anything, club officials need to facilitate that.
Data security – besides upholding the rights of data subjects, the GDPR is also about the security of the data collected. In our case, it is the responsibility of the sports club to make sure that the data collected from everyone is safe, wherever it is stored. In case of fire, theft or vandalism, make sure there is a backup stored elsewhere. You never want to be in a position where you have to recreate the data records from scratch after a data loss, so be prepared. Online storage solutions are always the best option when you want to protect your data from physical harm. However, remember that there are threats online too, so you also need online security measures. The bottom line is that when a sports club collects personal data from its members and players, the security of that data is of key importance, and the club will have to do everything possible to guarantee it. Otherwise, it will be violating the GDPR.
Prepare for the worst – here is the thing: as a data controller, anything can happen at any time. You may find that you are collecting personal data from members and players and promising them total safety one minute, and the next minute all the data is lost. This is not far-fetched; it is very possible, and it happens to organisations quite regularly. So, what are you doing to prepare for the worst-case scenario? Under the GDPR there are heavy penalties for negligent data management, and you can be sure that the amount you spend safeguarding the data will be far less than the amount you would pay in penalties. That said, the club needs a policy in place for handling a data breach, so that when a breach happens, the Data Protection Commissioner is notified within 72 hours; failure to do so will result in heavy penalties. You must be able to demonstrate that you have taken meaningful steps to mitigate the risks, which is a crucial step towards being compliant.
In the modern world, the balance of power between organisations and individuals is shifting constantly. With the creation and implementation of the GDPR, individuals now have more power, especially over their personal data, and the same applies to GDPR for sports clubs. Consent and data security are crucial when handling club members’ data, and any processing of that data should only be carried out on a lawful basis.