Data protection
Significant advancements in the field of information and communication have radically increased the ease with which data may be collected, transmitted, stored, manipulated and, most importantly, disseminated. These developments, together with a general increase in awareness of fundamental rights, particularly the right to privacy, have led to legislative changes and the emergence of a new regime of privacy protection.
Overview of the General Data Protection Regulation
The most significant development in this area that affects organisations, regardless of sector, is the General Regulation of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). This overview examines the nature and scope of the regime and the rights of data subjects. It also sets out the obligations of controllers and processors and summarises the restrictions on the transfer of personal data outside the EU.
The GDPR replaced the Data Protection Directive when it became directly applicable from 25 May 2018. The reform was intended to respond to new technological challenges and to put in place a harmonised framework for the protection of personal data. Because the GDPR was incorporated into UK legislation – via the Data Protection Act 2018, amended on 1 January 2021 to reflect the UK’s status outside of the EU – its requirements survive the UK’s exit from the EU, and all organisations handling data must have regard to it.
Although originating within the European Union, the legislation builds upon existing UK data protection law to strengthen the protection of an individual’s personal data. It requires that the personal data of every UK citizen, especially if sensitive, must be protected, however and wherever it is stored.
The GDPR applies to an organisation if it:
- alone or with others determines the purposes for processing personal data relating to living individuals (known as acting as a data controller) or processes personal data relating to living individuals strictly in accordance with the instructions of another (known as acting as a data processor); and
- is ‘established’ in the EU, meaning that the business exercises real and effective activity through stable arrangements in the EU – including through a branch or subsidiary.
Key changes introduced in the GDPR include:
- Governance – organisations have increased responsibility and accountability on how they control and process personal data.
- Consent – a more active consent-based model is introduced. Wherever consent is required for data to be processed, it is defined as ‘freely given, specific, informed and unambiguous’. In other words, consent must be explicit rather than implied.
- Transparency – organisations have increased transparency obligations.
- Data processors – organisations processing data on behalf of other companies are required to comply with a number of specific data protection related obligations.
- Security – there is no definitive standard to adhere to when it comes to data security. Rather, controllers and processors are required to evaluate risks involved with their processing activities and implement appropriate measures to prevent loss and unauthorised access to data, such as pseudonymisation, encryption or restricted access.
- Enforcement – stronger enforcement means non-compliance could lead to much heavier, turnover-based sanctions. For the most serious breaches, the sanctions available are a fine of £17 million or up to 4% of total worldwide annual turnover.
Organisations that handle personal data about individuals have legal obligations to protect that data under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
An organisation that is a data controller processing personal data must pay a fee to the Information Commissioner’s Office (ICO) unless it is exempt from that requirement.
Whether or not an organisation is obliged to pay the fee, it has a range of other obligations under the legislation.
Data Protection Principles
There are seven Data Protection Principles that underpin the legislation:
Principle one – lawfulness, fairness and transparency
Lawfulness requires a data controller to satisfy at least one ‘processing condition’ when processing personal data. These include explicit consent, necessity for the performance of a contract with the data subject, necessity for compliance with a legal obligation to which the controller is subject, or necessity for the purposes of a legitimate interest of the controller. Going forward, data controllers will need to tell data subjects which conditions they are relying on for each of their processing activities. There is a supplemental list of processing conditions for sensitive data, which are very restrictive and will, in most instances, require explicit consent.
Fairness and transparency are where privacy policies and data capture notices come in. More information will need to be given, and it must be presented in a clear and concise manner and tailored to the specific audience.
Principle two – purpose limitation
Personal data should be collected for specific, explicit and legitimate purposes, and it should not be processed in a manner incompatible with those purposes.
Principle three – data minimisation
Personal data should be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
Principle four – accuracy
Personal data must be accurate and up to date, and must be rectified or deleted if it is not.
Principle five – storage limitation
Personal data must be kept in a format that enables the identification of individuals for no longer than necessary to achieve the purpose.
Principle six – integrity and confidentiality
Personal data should be stored in a secure and confidential way.
Principle seven – accountability
Data controllers must continuously assess risk, implement appropriate policies and procedures and keep them under review as to suitability and effectiveness.
There is stronger legal protection for more sensitive information, such as:
- Race
- Ethnic background
- Political opinions
- Religious beliefs
- Trade union membership
- Genetics
- Biometrics (where used for identification)
- Health
- Sex life or orientation
The role of the data protection officer
A sports organisation (whether a processor or controller) is required to appoint a data protection officer (DPO) if it:
- is a public authority or body
- undertakes regular and systematic monitoring of individuals on a large scale
- processes sensitive categories of data on a large scale
- processes data relating to criminal convictions/offences
- considers appointing a DPO is necessary following its own internal risk assessments
A DPO needs to have expert data protection knowledge (with reference to the type and complexity of processing carried out by the organisation) and must act independently (although it can be an internal appointment).
If the sports organisation does not fall into any of the above categories, it should still designate at least one person who is familiar with the GDPR and can assist with compliance, but should avoid labelling them as DPO so that they are not subject to the strict DPO regime.
Transferring data outside of the EU
Transferring personal data outside of the jurisdiction of the GDPR (the European Economic Area) will be particularly relevant to NGBs and national Olympic committees, as they will potentially be transferring data internationally.
The requirements of the GDPR in this respect remain much the same as under the previous regime. Organisations are able to transfer personal data outside of the EEA where it is going to an ‘adequate country’ (i.e. one which the EU Commission has approved as having appropriate safeguards in place), and where the organisations put in place appropriate safeguards, such as binding corporate rules or model clauses. Other grounds relating to data transfer also apply, such as explicit data subject consent (but noting the more stringent consent requirements) or where the transfer is necessary for the performance of a contract.
In 2020 a European Court of Justice decision invalidated the EU-US Privacy Shield Framework, which organisations had used to comply with the GDPR when transferring personal information to the United States. The decision required organisations to re-evaluate the assurances in place in any agreements covering the use of US-based servers for storing or processing personal data – a sizeable consideration given the number of popular platforms and services which operate out of the United States. The Privacy Shield decision prompted organisations to ensure that they have adequate standard contractual clauses (SCCs) inserted into agreements covering data transfers. Questions have been raised, however, over the long-term efficacy of SCCs. The EU and the US are negotiating a new US-EU Adequacy Agreement, but this has not been finalised.
In January 2022 new standard contractual clauses were laid before Parliament and are expected to come into force from 21 March 2022. The EU implemented new SCCs in June 2021. The new UK SCCs allow data to be transferred from the UK to countries which are not deemed to have adequate data protection laws, including the US, China and India. Existing arrangements using the old EU SCCs can be used until 21 March 2024.