Data protection
A look at the legislation around data protection that sports bodies need to comply with
Significant advancements in the field of information and communication have radically increased the ease with which data may be collected, transmitted, stored, manipulated and, most importantly, disseminated. These developments, together with a general increase in awareness of fundamental rights, particularly the right to privacy, have led to legislative changes and the emergence of a new regime of privacy protection.
Overview of the General Data Protection Regulation (GDPR)
The most significant development in this area that affects organisations, regardless of sector, is the General Regulation of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). This section examines the nature and scope of the regime and the rights of data subjects. It also sets out the obligations of controllers and processors and summarises the restrictions on the transfer of personal data outside the EU.
The GDPR replaced the Data Protection Directive on 25 May 2018. The reform was intended to respond to new technological challenges and to put in place a harmonised framework for the protection of personal data.
The GDPR will apply to an organisation if it:
- alone or with others determines the purposes for processing personal data relating to living individuals (known as acting as a data controller) or processes personal data relating to living individuals strictly in accordance with the instructions of another (known as acting as a data processor); and
- is ‘established’ in the EU, meaning that the business exercises real and effective activity through stable arrangements in the EU – including through a branch or subsidiary.
Assuming the organisation was subject to the previous legal regime in this area of compliance, and so will also be subject to the GDPR, the key changes in the GDPR include:
- Governance – organisations have increased responsibility and accountability on how they control and process personal data.
- Consent – a more active consent-based model is introduced by GDPR. Wherever consent is required for data to be processed, it is defined as ‘freely given, specific, informed and unambiguous’. In other words, consent must be explicit, rather than implied.
- Transparency – organisations have increased transparency obligations.
- Data processors – organisations processing data on behalf of other companies are required to comply with a number of specific data protection related obligations.
- Security – there is no definitive standard to adhere to when it comes to data security. Rather, GDPR requires controllers and processors to evaluate risks involved with their processing activities and implement appropriate measures to prevent loss and unauthorised access to data, such as pseudonymisation, encryption or restricted access.
- Enforcement – stronger enforcement means non-compliance could lead to much heavier, turnover-based sanctions. For the most serious breaches, the sanctions available are a fine of €20,000,000 or up to 4% of total worldwide annual turnover.
Data Protection Principles
There are seven Data Protection Principles that underpin the new law:
- Lawfulness requires a data controller to satisfy at least one ‘processing condition’ when processing personal data. These include explicit consent, necessity for the performance of a contract with the data subject, necessity for compliance with a legal obligation to which the controller is subject, or necessity for the purposes of a legitimate interest of the controller. Going forward, data controllers will need to tell data subjects which conditions they are relying on for each of their processing activities. There is a supplemental list of processing conditions for sensitive data; these are very restrictive and will in most instances require explicit consent. Fairness and transparency are where privacy policies and data capture notices come in. More information will need to be given, and it must be presented in a clear and concise manner and tailored to the specific audience.
- Personal data should be collected for specific, explicit and legitimate purposes, and should not be further processed in a manner incompatible with those purposes.
- Personal data should be adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
- Personal data must be accurate and up to date, and rectified or deleted if it is not.
- Personal data must be kept in a form which enables the identification of individuals for no longer than is necessary to achieve the purpose for which it was processed.
- Personal data should be stored in a secure and confidential way.
- Data controllers must continuously assess risk, implement appropriate policies and procedures, and keep them under review as to their suitability and effectiveness.
The role of the data protection officer
A sports organisation (whether a processor or controller) is required to appoint a data protection officer (DPO) if it:
- is a public authority or body;
- undertakes regular and systematic monitoring of individuals on a large scale;
- processes sensitive categories of data on a large scale;
- processes data relating to criminal convictions/offences; or
- considers appointing a DPO is necessary following its own internal risk assessments.
A DPO needs to have expert data protection knowledge (with reference to the type and complexity of processing carried out by the organisation) and must act independently (although it can be an internal appointment).
If the sports organisation does not fall into any of the above categories, then it should still designate at least one person who is familiar with GDPR who can assist with compliance, but avoid labelling them as DPO to ensure they are not subject to the strict DPO regime.
Transferring data outside of the EU
Transferring personal data outside of the jurisdiction of the GDPR (the European Economic Area) will be particularly relevant to NGBs and national Olympic committees, as they will potentially be transferring data internationally.
Fortunately, the requirements of the GDPR in this respect remain much the same as under the previous regime. Organisations will still be able to transfer personal data outside of the EEA when it is going to an ‘adequate country’ (i.e. one which the EU Commission has approved as having appropriate safeguards in place), or where the organisation puts in place appropriate safeguards, such as binding corporate rules or model clauses, or relies on the US Privacy Shield for transfers to the US.
Other grounds also apply, such as explicit data subject consent (but noting the more stringent consent requirements) or where the transfer is necessary for the performance of a contract.
This will still apply as and when the UK eventually leaves the EU, as the UK Parliament passed the Data Protection Act 2018 (replacing the Data Protection Act 1998) which ensures the standards set out in the GDPR have full effect in the UK.
Next, we turn to look at further issues which are governed by legislation and that sports organisations will need to ensure they show compliance with, such as money laundering, corruption and whistleblowing.