Sports clubs and associations holding the personal data (i.e. information that identifies a living individual) about a number of individuals including employees, members, volunteers, athletes, coaches and others. In which case, you will need to be aware of the General Data Protection Regulation (‘GDPR’).
The GDPR has been described by the ICO as a “game changer for everyone” and will require all sports clubs and associations to change the way they think about personal data. It comes into effect on 25th May 2018, and organisations will need to use the lead in time wisely in order to ensure compliance by that deadline.
The headlines in relation to the GDPR have tended to concentrate on the considerable increase in the levels of fines for non-compliance with data protection law, from the current upper limit of £500,000 to €20 million (£18million) or 4% of annual global turnover (whichever is greater), however, these headlines do not address the practical implications that the GDPR will have for sports clubs and associations.
So what are the key considerations for sports clubs and associations getting to grips with the GDPR?
1.Demonstrating Compliance
Under the new principle of accountability sports clubs and associations will need to be able to demonstrate their compliance with the GDPR. This will require having appropriate policies and procedures in place, complying with record keeping requirements, data management, including determining appropriate retention periods for different categories of personal data and conducting data protection impact assessments to determine risk levels of processing activities, particularly when processing sensitive personal data.
What you should do:
A data inventory should be completed to ensure organisations understand what processing activities are being undertaken and who’s data is being processed. This data inventory will help you to identify any compliance gaps or vulnerabilities and will form the basis of the mandatory record of data processing that must be maintained by most organisations under the GDPR.
-
2. Privacy information
Individuals are entitled to be told about what you intend to do with their personal data. This is currently the case, but under GDPR the amount of information which must be provided to individuals when you collect their personal data is significantly increased. This includes, telling people the purpose and legal basis for processing, the period for which the individual’s personal data will be held and the rights that they have in relation to that data.
What you should do:
All your privacy notices will need to be reviewed and brought up to GDPR standards. Consider how you communicate the information e.g. on a membership form or as a pop-up notice for online communications. Remember, when you’re collecting the personal data directly from the individual they should receive this privacy information at the point of collection.
-
3. Consent
It is likely that consent will be the legal basis most commonly used by sports clubs and associations at present. However, once GDPR is in force, guidance from the ICO states that consent will no longer be available to employers processing employee data, because there is deemed to be an imbalance of power in such a relationship meaning the employee may feel obliged to provide consent in order to facilitate their employment, which would mean that the consent is invalid. Also, consent should only be used where no other legal basis for processing is appropriate i.e. as a last resort.
Even if consent is the most appropriate legal basis for processing, under the GDPR the standard for obtaining consent is higher than it is currently, requiring a freely given, specific, informed and unambiguous indication of the individual’s wishes. Agreement has to be demonstrated by clear, affirmative action, so pre-ticked boxes or opt-outs will not be GDPR compliant. Existing consent can still be used after the GDPR comes into force provided that it meets these more stringent requirements.
What you should do:
Sports clubs and associations are going to need to review situations where you are currently asking for consent and consider whether you should continue to do so or whether another legal basis, such as legitimate interests or legal obligation, better fit the situation. If consent is still required, you need to ensure it meets the higher standard under GDPR and that individuals have the option to withdraw their consent if they wish.
-
4. Data processors
The GDPR requires specific contractual terms to be included in the contract with processors engaged by organisations to process data on their behalf. These could include for example payroll administrators, cloud storage providers or consultants such as performance analysts. In addition, only processors who give sufficient guarantees regarding GDPR compliance should be engaged.
What you should do:
The engagement of processors by sports clubs and associations will require review before the GDPR comes into force. You will need to ensure that you have a written agreement with the processor, that the processor gives you sufficient guarantees regarding its compliance with the GDPR and that the contract contains the specific contract terms that are listed in the GDPR (these are far more detailed that the requirements under current data protection law). As a result, you are going to need to future proof your existing contracts with processors to ensure you tick all the necessary boxes. Existing processing contracts that will still be in place when the GDPR comes into force will need to be amended.
-
5. Security and Mandatory Breach Notification
The GDPR requires all organisations to have appropriate security measures in place to ensure the security of all personal data processed. In the event of a personal data breach which poses a risk to individuals then the ICO must be notified within 72 hours of an organisation becoming aware of the breach and in certain circumstances the individuals themselves must also be notified.
What you should do:
Sports clubs and associations will need to ensure data security measures such as encryption and fire walls are in place. In addition, you need to train staff as staff are often an organisation’s weakest link when it comes to data security, IT security solutions can be monitored and tested, however there is no accounting for human error. Staff must be made aware of the importance of the security of personal data and the standards expected under the GDPR. A personal data breach can be anything from a cyber-attack to inadvertently sending an email containing personal data to the wrong recipient.
Due to the incredibly tight timescale for notifying the ICO of a breach, it will be imperative for all sports clubs and associations to have a Data Breach Reporting Procedure in place to deal effectively and efficiently with any personal data breach that occurs.
Achieving compliance by May 2018 may seem like a daunting prospect, and there is certainly a lot to do. However, the WSA training sessions for sports associations to raise awareness of the GDPR and obtain governing body buy in to undertake the steps needed for compliance is a great first step. This gives sports associations in Wales an understanding of the key changes required, which coupled with providing standard policies and procedures for you to use in your organisations should stand you in good stead come the May deadline next year.
Please visit our events page for further details on courses or contact us on 029 2033 4974.
.
