David Woolley, Head of UK at Sytorus Data Protection Specialists, recently spoke at FEC Brighton where he discussed the impact that the GDPR will have on sports clubs and considered how clubs can continue to support fans and be compliant with the new data protection legislation. We’re pleased to share David’s knowledge and experience on this topic with you too…
Whether you are a local swimming club or Premier league football club, you will have both fans and members. You may also have associated leisure facilities or even a hotel, if you’re a larger organisation. As a result, you will be holding the personal data of many individuals, as well as information relating to your volunteers and employees. If this sounds like your sports organisation, you need to be aware of the upcoming General Data Protection Regulation (GDPR), which comes into force on the 25th May 2018.
The new Regulation will be a game changer
This new EU regulation is set to radically change the way that all organisations manage individuals' personal data, delivering the biggest reform in data protection law for over 20 years. You may already be aware of the huge potential fines for organisations which don’t comply - either €20m or 4% of global turnover. But, what isn’t always covered by the headlines - and is arguably even more damaging than a fine - is the impact to an organisation’s reputation, the cost of fixing an issue, loss of the data and the long-term implications commercially.
Data is a key asset for sports clubs
With greater emphasis now being placed on fan and participant engagement, data is a key asset for organisations in the sport sector. This means that the ownership, maintenance and growth of databases represents one of the most significant investments for sports clubs, and a key factor in their ongoing commercial development.
At present, many sports organisations hold a vast amount of personal data for members and other individuals that they engage with or market to. These databases have been created using data gathered by the organisation itself, and sometimes, acquired from other sources. This is where the first challenge lies for the majority of organisations - understanding what form of consent was given. Was there any consent given? Was consent given on an opt-out basis (i.e. the individual failed to tick the ‘no’ box)? Does it fit the new requirement for informed consent? The need to understand all of this is crucial to maintaining compliant engagement with your members, supporters and fans.
What will change?
Under the GDPR, companies are required to obtain a significantly higher standard of consent. The individual must provide clear, freely given, specific, informed and unambiguous consent for the organisation to process their personal data.
This means that, in the run up to May 2018, organisations need to consider factors such as:
1. the extent to which their customer databases rely on implied consents;
2. how they will go about refreshing / enhancing these consents where necessary;
3. how they will achieve the necessary standard of consent in the future;
4. how they will show that they have obtained the necessary standard of consent.
We have only spoken about ‘consent’ so far, which is just one aspect of the forthcoming GDPR. There are a number of other key considerations that all sports organisations need to be aware of, some of these include:
• how is the data being used e.g. profiling?
• is any of the data being held ‘Sensitive Personal Data’ e.g. health information, children’s information (summer camps)?
• do you have the processes and ability to manage Subject Access Requests, remove all data associated to an individual across all data types if requested (right to be forgotten), and manage and notify data breaches to both the ICO and the individuals impacted?
• is the data stored safely and securely?
• are your partners and suppliers processing and managing your data correctly e.g. marketing partners, payroll providers, CCTV suppliers?
• can you provide evidence of your organisation’s compliance?
How do you prove it?
This final point (above) relating to the evidence requirements placed on every organisation to be compliant to the GDPR is another hugely important consideration, so we’ll delve a little deeper. The GDPR has no certification of compliance, so to prove compliance you will need to retain clear, date stamped evidence covering all data processing undertaken across your organisation. This will include demonstrating understanding of your risks, details of how you have mitigated the risks, details of the data processing activities carried out in delivering marketing campaigns, information about requested and responded to Subject Access Requests, Data Breaches, type of consent etc.
Manage the challenges and opportunities
Despite all of these changes and new challenges, the GDPR does present opportunities for organisations. The framework outlined by the regulation is designed to facilitate digital business and, once compliance is achieved, your organisation will have the solutions and processes in place to maximise the value of personal data securely and confidently. You will be in a powerful position to operate with clear and demonstrable consent from your club’s members, fans and employees. By complying with the requirements of the GDPR, and communicating your compliance to your external audiences, you can build trust and strong relationships with your members, fans and employees.
Individuals will connect with brands they trust and employees will seek employers they trust – the whole notion of trust will become far less abstract and far more commercial in its value. To mitigate the risks, comply with the regulation and take advantage of these opportunities, organisations will need to be flexible and embrace the GDPR as a strategic initiative. This is only the start, as the regulation will be interpreted and updated over time. It is vital that organisations learn how to adapt the way they operate to achieve compliance, otherwise they may struggle as the GDPR disrupts the traditional ways in which they engage with fans, members and employees.
Based in Dublin and London, Sytorus offer a complete lifecycle approach. If you’d like to find out how our lifecycle approach can help you to identify and manage risks in your sports club and provide a simple way of managing and mitigating these risks on an ongoing basis, call our London team on 0207 936 9442 or email firstname.lastname@example.org; or call our Dublin team on +353 (0)1 683 3314 or email email@example.com.
Your fan, member and employee data is a key asset. Take steps now to ensure that this data does not become a liability.