GDPR? No, it’s not the former East Germany … that was the GDR!
What is it then?
GDPR stands for General Data Protection Regulation.
It sets out the privacy rights of individuals in the EU and the ways in which an individual’s ‘Personal Data’ can and can’t be used.
Personal data is any information relating to an identifiable individual, such as name, address, phone number etc. It also includes ‘special categories’ of personal data that attract extra protection, such as race, ethnicity, religion, health and sexual orientation.
When is it coming in?
The EU will be enforcing these laws across the 28 member states from May 25th 2018. We will return to the Brexit conundrum facing clubs from Northern Ireland later!
Why is it such a big deal?
Failure to comply with the GDPR carries the risk of massive fines. There are two tiers: up to €10m or 2% of an organisation’s total worldwide annual turnover in the preceding financial year for less serious infringements, and up to €20m or 4% for the most serious ones (in each case, whichever is greater).
Where a club forms part of a bigger organisation there is a potential for significant fines when the worldwide annual turnover is assessed. It’s in the interest of any individual or organisation to be compliant and up to speed!
Why does this affect me or my club?
The law puts the onus on the person or entity that collects a person’s information (Data Controller), to comply with the legislation and to demonstrate compliance.
However, there is no need to panic!
Most of the Data Protection procedures should already be in place in your club, but there are several key changes that must be highlighted. The Irish Data Protection Commissioner has published a 12-step guide which is worth a read.
What are the key points?
1. GDPR sets out rules about how personal information (data) can be obtained, how it can be used and how it is stored. Sports clubs often collect the data of their members and players via membership forms, Garda Vetting forms, summer camp applications, text or messaging systems, email lists or distribution groups, team sheets or training attendance lists, and information captured on club websites.
2. Where the club relies on a member’s consent to hold and use his or her data, the purposes for which the data will be used must be communicated to the member at the time the data is obtained, and consent must be sought separately for each purpose. A single box tick will not suffice for multiple purposes.
Three separate boxes should be offered to request consent to use one’s information in the following practical example: i) using training facilities, ii) signing up for club lotto and iii) getting updates about the club.
3. Clubs must explain to members the legal basis for the use of the data. There are many legal grounds for using personal data such as ‘performance of contract’ and the ‘legitimate interest’ of the data controller. If relying on the member’s consent to use data, it should be easy for an individual to withdraw their consent. The chance to review their consent should be given on a regular basis (e.g. yearly). In Ireland, it is anticipated that parental consent for children under 13 will be required in relation to the use of digital technology e.g. apps.
4. Data must be kept safe and secure and must be kept accurate and up to date.
5. An individual can request a copy of all of the personal information held about them (this is called a Subject Access Request) and the club must respond within a month. An individual can also ask for their data to be deleted or returned to them; the club must act on such a request within a month unless it has a lawful reason to retain the data (for example, records it is legally required to keep).
6. Each club should consider the appointment of a Data Protection Officer (DPO) or identify someone to manage the requirements of the role. The DPO will advise on the GDPR, monitor compliance and represent the club on engagement with the Data Protection Commissioner.
What should you do?
Become Accountable
It is up to the club to make an inventory of all the data it holds on its members and to maintain a record of what it does with this data (this is called ‘data processing’). The object is to establish why, where and how the data is stored, why it was originally gathered, how long it is being retained, how secure it is, and whether it is shared with any third parties.
So, all paper forms, emails and computer files should be checked and updated, and irrelevant data should be deleted. Data Controllers must be able to demonstrate that consent was given, or that another lawful ground for processing can be relied upon, and an audit trail must be maintained.
The GAA, for example, stores all registered member information on its Central Games Management System (Servasport) and jointly shares responsibility for this data with each club/team/county. Some clubs may have other systems in place (e.g. Excel spreadsheets) or use third party providers such as Clubify to manage their digital systems. Third party providers processing data on the club’s behalf must themselves be GDPR compliant, and discussions should be held with them about who is responsible for what and where liability for a failure to comply will rest.
Update Forms
If relying on consent, it must be ‘freely given, specific, informed and unambiguous’. In order to comply with GDPR, membership (or any other) forms should include the following information…
Although GDPR does not kick in until May, it might be wise to bring these changes in this month if memberships are being renewed to save a data dilemma a few months down the line.
Make it a New Year’s resolution! If consent was already gathered in a way consistent with GDPR, then it is not necessary to do so again.
Personal Privacy Rights
As a data controller your club must protect the rights of individuals.
They include the right to have information erased, inaccuracies corrected and the ability to object to direct marketing.
Data portability is a hot topic at the moment. It is the right of an individual to receive the data they have provided in a structured, commonly used and machine-readable format, and to have it moved to another provider. This is more relevant to switching banks or utility services but could crop up when a player transfers club.
Data Breach
If there is unauthorised access to personal data, or it is lost or stolen, the Data Protection Commissioner must be informed without undue delay and, where feasible, within 72 hours of the club becoming aware of the breach, unless the breach is unlikely to result in a risk to the individuals affected. The club should keep a record of every breach, including those it decides not to report.
Where there is a high risk to the rights and freedoms of the individuals affected, they must also be informed of the breach without undue delay.
Brexit ramifications
Clubs in Northern Ireland may be concerned over the effect of Brexit on data protection. It is expected that when the UK formally leaves the EU in 2019 it will have enacted legislation that mirrors GDPR. However, this remains to be seen.
FURTHER INFORMATION