On 25 May 2018, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) came into force.
This short guide sets out the key changes that the GDPR has made to the UK data protection regime, what sports clubs need to do to comply with data protection law and relevant examples of how GDPR applies to sports clubs.
Who is subject to the GDPR?
- The GDPR applies in some way to any organisation which collects and processes personal data. This includes all sports clubs and governing bodies, whatever their size or level of funding.
- It covers not only the personal data of a club’s members but also the data of the club’s employees or volunteers.
- Sports clubs receiving individuals’ personal data and deciding what they do with it are deemed ‘Data Controllers’ under the law.
- Clubs must ensure that any third parties engaged to process data on the club’s behalf, referred to under the law as Data Processors, also comply with the law. A data processor could be a marketing company engaged to carry out a campaign or survey on behalf of the club’s members (e.g. SurveyMonkey or Mailchimp), a website host or data storage platform in the cloud that manages the club’s data collection and storage.
- ‘Personal data’ is any information from which an individual can be identified or is identifiable. This will include name, address, and financial details. It also includes identifiers such as an IP address collected when an individual visits a website.
- The law also covers ‘Special Category Data’ such as race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sexual life or orientation.
What is the point of GDPR and the DPA18?
The legislation is a product of the digital age: more and more organisations of all types and sizes are processing and sharing individuals’ information in the course of delivering a service or product. The law recognises that individuals are entitled to have their personal data protected and to be in control of that data regardless of how it is used or who is using it. The GDPR governs how data controllers process, obtain and use data to ensure it is managed in a fair, lawful and transparent manner.
For breaches of the GDPR, a data controller or processor can receive a fine of up to 4% of its annual worldwide turnover or €20 million (whichever is the higher). Individuals also have the right to claim compensation for financial loss or distress resulting from a data breach.
The DPA18 preserves the enforcement powers of the UK data protection regulator (the ICO – Information Commissioner’s Office) so that it can issue an assessment notice, an undertaking or an enforcement notice to bring about compliance with the law in a timely manner. The ICO wants to work with all forms of organisations and a fine is the last resort. The key is to get your club ‘in order’ to prevent any penalties from the ICO.
There are six principles on which the lawful bases of processing personal data rest:
- Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly, and transparently
- Purpose limitation: data should only be collected and processed for a specific, legitimate purpose and not used in any way that is not compatible with that purpose
- Data minimisation: only that data that is necessary in relation to the specific requirement should be collected and processed
- Accuracy: personal data should be accurate and, where necessary, kept up to date
- Storage limitation: personal data should be kept in a form that identifies the data subjects for no longer than is necessary for the purpose for which it is processed
- Integrity and confidentiality: appropriate security measures should be put in place (such as encryption, passwords, and securely locked cabinets) to protect against unlawful or unauthorised processing, and against loss, destruction, or damage.
Accountability is a key element of all six principles. By embedding these into a club’s daily operations and showing how it is accountable at the board and senior level as well as operationally, a club can prove it meets its GDPR obligations.
For a sports club processing data, this means:
- Before a club obtains and starts to use an individual’s set of data, it must identify the lawful basis on which it will rely before it proceeds and document this accordingly.
- There are different lawful bases for personal and special categories of data. A good starting point is to review the relevant section of the ICO’s website. For example, a sports club’s lawful basis for processing could be fulfilling membership obligations as part of its membership application form (performance of a contract or to enter into a contract). A further example: those who sign up as members of sports clubs will expect to be kept informed about the club’s activities, so the lawful bases of performing a contract and legitimate interests could apply to keeping them informed about club events, competitions and products.
- However, if there is any doubt, clubs will need to obtain informed consent (outlined below).
- For employees, clubs can rely on the need to comply with their legal obligations as employers as the lawful basis for processing employees’ personal data.
GDPR and DPA18 give individuals the following rights in relation to their personal data:
- To be informed
- Access their data
- Rectification
- Erasure
- Restrict processing
- Data portability
- Object
- Automated decision making and profiling
These are the bedrock of a data controller and processor’s obligations to demonstrate accountability. A sports club should ensure its policies, procedures, training and notices are fully compliant with these rights and inform individuals in a manner they would understand about what these rights mean to them and how to exercise them.
The right to access is a key change introduced by the GDPR. An individual has a right to access their data. It can be requested by any means and there is no fee unless the request is deemed manifestly unfounded or excessive. If the request is deemed manifestly unfounded or excessive, the one month timeframe to supply the data can be extended by a further two months. It is important to have a procedure and a trained person in place to carry out the assessments when such requests (called Subject Access Requests) are received.
The DP Regulator published useful and easy to follow ‘fact from fiction’ notes. The note on consent will help at grassroots level. If sports clubs have to rely on informed consent as the basis for processing personal data, then there are specific rules of which they need to be aware:
- Consent must be given freely, be specific, informed and unambiguous.
- When collecting consent for marketing, make sure the individual knows exactly what they are consenting to receive and how to withdraw consent.
- Any request for consent must be prominent, concise, separate from any other terms, and easy to understand.
- Pre-ticked boxes or opt-out boxes which presume consent must not be used.
- An individual must be given the option to consent to different types of processing if their personal data needs to be processed for different purposes.
- Keep records of the consent being given, and make it easy for people to opt out (using a preference management tool is a simple way to do this).
- Keep consents under review and update them when required.
An individual has the right to withdraw their consent to data processing at any time. This means that clubs need to prove that they have obtained affirmative consent and record that they have informed the individual of the following:
Children’s rights under GDPR
- Children need particular attention because they will be less aware of the risks involved. A sports club needs to think about the need to protect children from the outset and design all sporting operations on this basis.
- When relying on consent as the lawful basis, and where online services are offered direct to the child, in the UK only children aged 13 or over are able to provide their own consent. If they are under this age parental consent must be recorded.
- Sports clubs must also ensure that their privacy notices are in a language understood by children.
- When collecting data, make sure there is an effective means of determining the age of the people from whom the data is collected and, if necessary, ensure that parental consent mechanisms are put in place.
The ICO supplies useful information on how to obtain and use children’s data.
Privacy notices allow data controllers and processors to set out all the necessary information relating to the collection and processing of individuals’ data.
- Such notices need to be posted on club websites or otherwise made accessible to all so that every individual has the opportunity to receive and read them.
- Provide clear, simple ways for people to indicate their agreement to the different types of processing.
- Keep privacy notices up to date and review regularly, particularly if complaints are received or when new forms of processing take place.
- Explain to club members why their data is being collected. Usually this will be as a record of their membership/attendance at the club as well as keeping them informed about activities and fixtures.
- Inform people if their information will be shared with any third parties e.g. volunteers, sponsors, governing bodies or local authorities, website hosts or data storage platforms.
As a minimum, a privacy notice must include the following:
- the identity of the controller and categories of processors the club uses;
- how the club intends to use their data;
- the legal basis for processing their data;
- who the data will be shared with;
- the security arrangements to protect their data;
- the club’s data retention periods;
- individuals’ rights; and
- information about the individual’s right to complain to supervisory authorities (i.e. the ICO).
- The privacy notices need to be broken down into their component parts, allowing an individual to follow a link for more information about the different types of data being collected, why it is being collected and how, and for how long the data will be retained.
Data Protection Impact Assessments
Clubs should get into a routine of carrying out ‘Data Protection Impact Assessments’ (DPIAs).
- DPIAs help to determine the most effective way a sports club can comply with the data protection legislation and help to identify any risks to the processing of the data and put measures in place to mitigate these risks.
- The legal requirement is to complete a DPIA when the sports club deems that the processing of the data is likely to result in a high risk to individuals.
- DPIAs are particularly recommended when implementing new IT systems or if the data is going to be used or shared for a new purpose.
- A DPIA must be carried out whenever a club is planning to carry out “high risk” processing (which would include profiling individuals and processing special categories of data on a large scale). If the risk is high there may be a need to consult with the ICO who will supply written advice within eight weeks, or 14 in complex cases. Where they deem the risk to be too high they may issue a formal warning not to process the data, or ban the processing altogether.
- Consider how children’s and young people’s data is being processed by the club and its data processors and, if there are high risks, carry out a DPIA.
Examples of when a club might carry out a DPIA are:
- when they engage in an information sharing operation with another organisation(s) (e.g. regional, local and national governing bodies) for a common purpose;
- when safeguarding information is to be shared;
- when there is a large scale or routine set of data being shared for a common purpose e.g. results from competitions, events, and shows.
- when a club is considering undertaking or engaging a new form of technology which will hold individuals’ data and where the processing may significantly affect, or have an impact on, the individuals.
Appointing a Data Protection Officer
- In some circumstances organisations have a statutory requirement to appoint a Data Protection Officer (DPO). They help to monitor internal compliance, inform and advise on data protection obligations, provide advice on DPIAs, and act as the point of contact for the ICO and individuals.
- The obligation to appoint a DPO is dependent on certain conditions and every club should check to see if it meets those conditions. The conditions are based on whether the organisation is a public body or authority; if a large volume of personal and special category data is held and processed; or if the processing operations ‘require regular and systematic monitoring of data subjects’.
- Depending on a club’s resources and the amount of data it handles, it should consider appointing a DPO voluntarily. The law would expect this person to still comply with the tasks of the DPO as outlined in the GDPR and DPA18.
Reviewing and updating contracts
- Many clubs will have contracts in place with third parties for the supply of goods and services. Some of these contracts may rely on processing personal data of the club’s members and employees (e.g. the outsourcing of PAYE).
- If this is the case, these contractors, as data processors, will need to comply with the GDPR and clauses relating to data protection considerations must be written into any contract between them and the sports club.
- Create a register of all third party suppliers, agencies and/or sport sector bodies that obtain and receive data, and their compliance regime. Issue a compliance form asking them to demonstrate how they will comply with the law.
Internal policies and procedures
- Clubs are advised to create, retain and review their internal policies and procedures relating to the management, retention and protection of their members’ and employees’ personal data. Depending on the scale of their data processing activities, most clubs will need a set of policies which inform how the club will record lawful bases for processing, how they store data and for how long, how they keep the data secure, and how they ensure they keep their staff up to date with the requirements of the GDPR.
- Clubs can also demonstrate compliance by having in place appropriate internal data protection policies, providing training to staff and conducting audits. A useful guide can be found on the ICO website.
Data breaches and fines
- Data controllers and processors must report certain types of breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. The ICO has a useful set of information which is clear and concise, and you can view the recent webinar on reporting data breaches.
- Reporting a breach is necessary where there is a high risk to an individual, for instance if they are likely to suffer damage (such as identity theft, financial loss, harm or discrimination).
The ICO has made it clear that it will not levy punitive fines on organisations that can demonstrate they are actively working towards compliance.
What should you be doing now?
If your sports club has not yet assessed how it will comply with the GDPR and the DPA 2018, you must address this immediately. However, if you are already compliant with pre-GDPR data protection law, updating your policies to comply with the new regime should not be overly onerous.
Besides obvious changes such as determining the need to appoint a Data Protection Officer, and updating privacy statements and policies, clubs must check that they have sufficient internal procedures in place to comply with the new rules. For example, is there an effective internal procedure for identifying when a Privacy Impact Assessment is required?
We can help protect your organisation by carrying out a review of your existing policies and practices and advise on how to comply with the GDPR. We can also train and advise on all GDPR-related matters.