- Sports organisations must understand the basic principles of GDPR: true consent, transparency, purpose limitation
- Third-party firms which handle data must also be GDPR-compliant
- Firms must be compliant by May 25, or risk substantial fines
Over the last decade, businesses and organisations of all shapes and sizes have realised that personal data is gold dust. In sport, it has enabled clubs, leagues, governing bodies and brands to achieve everything from better-targeted marketing communications to improved on-field performances.
But the big data revolution has also brought a proliferation of spam and a widespread unease about who holds our data and what they are doing with it. Which is why the European Union has decided to tighten up the rules on data usage via a new legal instrument called the General Data Protection Regulation – GDPR for short.
Managed by domestic data protection regulators such as the UK’s Information Commissioner’s Office, the switch to the new regime has been known about for the last two years. But with the deadline for compliance [May 25, 2018] just a few weeks away, some parts of the sports sector haven’t got their act together. In a January 2018 survey conducted by LawInSport, it was estimated that 84 per cent of sports organisations “were not fully aware of the implications of GDPR”. Eighty per cent did not have an in-house data protection officer and 40 per cent were not aware of the severity of the fines for a GDPR breach, which can be as much as four per cent of annual turnover or €20m, whichever is higher.
As worrying is the number of enterprises that erroneously believe they are compliant. In a cross-industry survey conducted by Veritas Technologies, 31 per cent of respondents said that their enterprise already conforms to GDPR’s requirements. However, closer inspection by Veritas found that only two per cent actually were.
The GDPR rules are intricate but essentially boil down to a few central requirements, says Matt Brown, partner at law firm Brabners: “The key point is that you need a legitimate reason to hold someone’s data, and consent to use that data needs to be freely given. You shouldn’t hold data you don’t need and the way you intend to use that data should be transparent. This applies to any data, whether for fans, employees, volunteers, club members or athletes. The rules also cover the use of data by third parties on your behalf.”
It’s not just EU businesses that need to be alert to the rules either, stresses Brown. “The new rules apply to anyone holding data about EU citizens – so that would include a body like the NFL which may have personal data about fans in Europe”. And if UK-based organisations think Brexit may be a way of shirking EU-imposed GDPR rules, Brown advises not to be fooled. “These data rules will continue to cover the UK after Brexit.”
One challenge created by the GDPR is what to do about legacy data that may have been collected in ways that aren’t compliant with the higher GDPR burdens. For sports organisations that haven’t grasped this nettle already, Matthew Pryke, partner at law firm Hamlins, says the crucial first step is to “self-audit what data they hold and make a decision about what is crucial. Large organisations will have data officers but many will need to employ external advisors because it’s difficult to manage this kind of transition in isolation.”
At this stage begins the onerous task of recontacting everyone in the database or deleting their data. If all of that sounds like it will cost a lot, could organisations decide not to bother – in the hope GDPR will not be policed effectively? Pryke’s view is that it “would be foolish not to at least take the first steps towards compliance. I don’t think the ICO will be fining everyone on day one over data breaches, but they will want to see real efforts. There is a chance they will make an example of a couple of high-profile organisations to generate some media headlines.”
The fear of being used as a GDPR case study may explain why some big sports brands have acted decisively. For example, English Premier League side Manchester United created a two-minute animated video telling fans they would all have to resubmit personal data to buy tickets, enter competitions, view exclusive content and so on. To incentivise data sign-up it also ran a competition giving away signed MUFC shirts. English Championship side Middlesbrough did something similar, effectively wiping its fan database and starting again. Like Man Utd, it sought to put a positive spin on this, with head of digital and marketing development Bob Tait calling it “a huge step in enhancing the user experience of all supporters who wish to interact with the club online. We’re not asking for any details we don’t already have, just making the process smoother and putting the control in the hands of supporters.”
This makes sense for popular football clubs, says Pryke, but the issue isn’t so straightforward for a governing body or grassroots organisation that doesn’t have a loyal fanbase or compelling incentives. “GDPR compliance is tough for governing bodies, because they’re holding such a wide array of data – including medical data about athletes. Again the advice is to get started because it’s not just about fines. Poor data management by governing bodies could also lead to loss of public funding.”
While no one knows for sure what the post-GDPR environment will look like, it’s clear that data relating to athlete health and performance is going to be a minefield after recent high-profile hacking scandals. Suppose, for example, that an athlete chooses not to consent to the use of health data for fear it will be hacked on the way to international anti-doping body WADA. Can a governing body demand that data as a quid pro quo for competing in an event? Or is that an abuse of the consent rules? Image rights may prove to be a similarly thorny issue.
The capture of new data also carries key responsibilities under GDPR. For example, organisations need to keep a record of how data was collected and delete it when the purpose for which it was given is over. There is also a requirement to report a personal data breach within 72 hours. But the Veritas survey found that 48 per cent of organisations that said they were compliant do not have full visibility over personal data loss incidents. Moreover, 61 per cent admitted it would be difficult to identify and report a personal data breach within 72 hours. More generally, organisations have to be able to show that they have taken effective steps to secure data from attack.
There are, of course, software solutions to address some of these challenges. Premier League club Everton uses a cloud security platform from Netskope that will stop online threats and enable the club to respond quickly to incidents. Netskope chief executive Sanjay Beri says: “Any large repository of data can be a target, but sporting clubs are a lucrative avenue for cybercriminals. Everton FC understands the importance of protecting its confidential data, particularly when faced with stringent regulation requirements and an expanding threat landscape.”
In a blog on the new data rules, Etera Consulting operations manager Ryan Costello says GDPR “does not have to be the new 4-letter word. What many organisations may not realise is that Microsoft has included functionality in Office365 that can assist with GDPR compliance. The functionality for managing data retention and deletion is built into this platform.”
Having said this, Costello adds that “a critical piece of GDPR compliance, even with O365, will be the expertise, and support of the data protection officer.” This is where a company like Etera comes in, since it is able to offer an out-sourced DPO solution. “An outsourced DPO, in particular one with expertise in national and European data protection laws and practices, provides an important element for GDPR oversight and a potential cost-saving solution, particularly for US-based organisations that may not have the resources to hire a DPO.”
One way of minimising exposure to GDPR breaches, says Pryke, is for sports bodies to hand over some of the responsibility for data management to the owners of the data themselves. “There’s a widespread view that we’d all benefit from a transparent approach to data that allows people to go into a dashboard and manage what organisations know about them.”
Companies that have developed solutions along this line include San Francisco-based ForgeRock, which recently launched its Profile and Privacy Management Dashboard. According to ForgeRock, this “identity-centric approach” enables consumers to manage all identity data about them in a single platform, with self-service controls for editing personal information, opting-in or opting-out of data collection, and managing features such as the “right to be forgotten.”
Where to look
The GDPR rules are the same for grassroots organisations as they are for big clubs – so how will they cope given that they are unlikely to have the necessary resources? Well, the best starting point is to look at the ICO’s guidance on GDPR. There are also plenty of guides to GDPR flying around that have been put together by governing bodies in partnership with lawyers. England Athletics’ nuts-and-bolts GDPR compliance advice to grassroots organisations has five key steps: process data securely, update it regularly and accurately, limit it to what the organisation needs, only use it for the purpose for which it is intended and ensure consent has been given.
For small organisations that see value in data but are worried about getting it all wrong, some kind of out-sourced data management architecture may provide a solution. Or there’s social media, says Pryke: “Some organisations have decided it’s best just to delete their database and communicate with people via Facebook or other social media platforms.”
Jonny Murch, chief executive of data-driven communications agency REDTORCH, says his company is a long way down the road of GDPR compliance. His assessment is that “it is not an overnight job. It takes a while to gain a full understanding of what it involves and the areas of the business it touches. One of the biggest challenges has been developing a system of accountability so that we are able to demonstrate compliance to our clients. Everyone from the top down needs to be aware of GDPR – so you have to think about how you store any personal data, who can access it and you need to have an audit trail of data processing activities.”
While the switch has involved labour-intensive activities such as reissuing GDPR-compliant contracts to clients, Murch’s view is that the result is “greater data integrity, which everyone will benefit from. There is still some ambiguity that won’t be resolved until the rules come into force. But having been through this process once, we won’t have to think about it in the same way again – the aim is to build it into our culture.”
For brands like Man United, Murch believes GDPR will open the way for more creative data-based marketing. Andy Westlake, founder of Andy Westlake Consulting and chairman of the European Sponsorship Association, shares this positive view on GDPR, arguing that the end result should be richer, more usable data. He says: “ESA has held sessions on this subject and one of the points we’re keen to stress is that GDPR might lead to more trusted, relevant and inspiring communications. If the quality of data is better, there’s an opportunity for sports marketers to create engaging user experiences.”
Westlake’s advice in terms of understanding GDPR is to start with lawyers: “They’re the gatekeepers, the ones that know how to translate the official guidance. And there are plenty of them that are able to explain the complexities of GDPR.”
At the very least, adds Pryke, GDPR is an opportunity to tidy up data management, “getting rid of all of that legacy paperwork which is administratively cumbersome and insecure.”