Results of Sport Sector GDPR Readiness Survey - Data Protection Report

Introduction 

This survey was conducted by LawInSport and received over 200 responses from sports organisations, government agencies and professional services firms from across Europe. The survey was published on LawInSport.com and distributed to LawInSport’s network. The survey was sponsored by MyDailyGDPR. 

The results of the survey demonstrate that there is an urgent need for more awareness, training and support across Europe to prepare sports organisations for the introduction of the EU’s General Data Protection Regulation (“GDPR”), which comes into force on 25th May 2018. This piece of legislation has been described as “the most important change in data privacy regulation in 20 years”; it “replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.”[1]

It can be easily overlooked that the GDPR applies to organisations outside of the EU that capture and process the data of EU citizens. It is notable that a number of the sports organisations outside of the EU highlighted their concerns about how to approach the processing of EU citizen data. In particular, the lack of information and general awareness was highlighted as an issue here.

Demographic of Respondents

214 respondents:

  • Sports Organisations - 138 from sports agencies, clubs, leagues, national governing bodies, media businesses, betting companies, anti-doping agencies and non-governmental organisations and governments.

  • Professional advisors - 76 from law firms, accountancy and consultancy firms. 

A PDF copy of the survey report, Sport Sector GDPR Readiness Survey 2018 Report, is available for download from LawInSport.

Key Findings

Implications of the GDPR 

84% of sports organisations were not fully aware of the implications of the GDPR for their organisation. This is surprising given the coverage the GDPR has received and its goal of making transparent data privacy protection a right of every EU citizen. There remains a significant amount of work to be done to educate and assist sports organisations in advance of the GDPR coming into force in May 2018. Regardless of the GDPR, it will serve sports organisations well to fully understand the data they hold and to have clarity over what they can and cannot do with it, as consented to by individuals.

Fines & Personal Data of Minors

40% of sports organisations were not aware that non-compliance can result in fines of as much as 4% of annual turnover or €20m, whichever is higher. 63% of professional advisors said their clients were not aware that the GDPR applies to all enterprises that process EU citizens' personal data, including the data of children under 16 years old. This is concerning given the importance of protecting minors, with parental consent necessary in order to process children’s data, and the severity of fines for non-compliance and data breaches.

Data Sources

42% of sports organisations find it difficult to manage compliance for multiple data sources (incl. social media, internally and 3rd party hosted). This is reflected in survey respondents' requests for data mapping, records management and consent solutions.

Legal & IT/Tech Teams Involvement

Only 23% of sports organisations said that neither their IT/tech nor their legal teams were involved in GDPR compliance. This is concerning given the need to understand both the legal and practical application of the GDPR and domestic data protection laws. This may be indicative of the fact that many sports organisations have not conducted a data audit and are unclear about the requirements they must meet.

Business Buy-In

43% of sports organisations did not feel their business was supportive in being compliant with GDPR. There appears to be a need for sports organisations to take ownership over their data protection policies and procedures and provide the necessary resources and support to help those working on data protection matters within their organisations, such as their legal teams, to ensure they are compliant with the GDPR and other data protection laws. 

Data Protection Officers

80% of sports organisations said they did not have an appointed Data Protection Officer (DPO). This is concerning and indicates a lack of designated responsibility for data protection within organisations. Those organisations that are mandated to have a DPO should be mindful of the issues around conflicts of interest: where an existing employee is designated as the DPO, the organisation must check that this person is not already responsible for processing company data.[2]

Automation for Compliance 

75% of sports organisations had not explored using technology to automate or outsource the DPO function to help monitor regulations and manage compliance. This was echoed by 79% of professional advisors. The lack of awareness of the implications of the GDPR shows there is a need for greater education around the GDPR and data protection regulations in general. Given the increasing reliance by sports organisations on capturing and processing personal data, combined with the concerns over the time-consuming nature of monitoring compliance, it is likely many organisations will be exploring the use of technology and automation in the coming months to assist them.


The biggest challenge sports organisations face to be compliant with the GDPR

From the responses to the survey we have identified five key areas of concern and, understandably, the areas in which sports organisations require most help:

  1. Awareness and education

  2. Jurisdictional and enforcement

  3. Data Management & consent to process personal data 

  4. Person(s) responsible (DPO-related): Management, Advice, Training/Amount of Time

  5. Cost Effective Solution(s)


To illustrate these points, we have included below direct quotes from the respondents.


1. Awareness & Education

Concerns

Lack of information or advice from governing bodies.

Guidance from governing body for clubs and development officers

Changing behaviours and persuading personnel within the organisation that it is necessary to follow procedures.

Lack of awareness…knowledge and understanding of requirements and implications

Be aware of GDPR consequences and be careful with daily data protection good compliance policy.

To ensure compliance message has to be spread from board level downwards.

Getting board level buy-in is the biggest challenge.

Understanding what to do…and the additional administrative time required to ensure ongoing compliance

Misinformation and the view that there are more urgent and important matters to deal with.

How To Help

Some practical guidance on what sports clubs need to do in order to be compliant.

Information on how GDPR impacts other confederations and regions.

More explicit guidance in terms for each specific sport

An organisation to give practical advice on compliance and monitoring, specific to the sports industry.

Specific guidelines from governing bodies related to the impacts of GDPR in the sports sector. There are a lot of specificities in this sector that must be identified and clarified.

Guidance regarding what approach it can take to ensure regulatory activities of an international sport.

Some practical guidance on what sports clubs need to do in order to be compliant.

Details on how the rules apply to clubs.

Guidelines for amateur sports clubs

Training for staff with specific reference to sporting organisations and other voluntary bodies.

Summary of application outside of EU and simple set of guidelines.

Practical examples.

Concrete steps to become compliant.

Some basic guidelines on scope, implications and basic application.

More simplified information.

Knowing very well what it's meant for and how it works.

Simple, breakdown of the GDPR for use across the business with stakeholders who have no concept of it.

Best practice guidance specific to the sports industry.

Someone to give us advice. Someone who can come to one of our meetings and advise our member clubs.

A one-pager on what are the most important aspects for International Federations.

Main impact on how it affects information being provided by 3rd party suppliers.

Clear guidelines about flows of data to/from EU and non-EU countries.

How to know they are fully compliant.


2. Jurisdiction & Enforcement

Concerns

Continued implementation and compliance with the regulations (losing momentum to the next big thing in sport).

Cross-jurisdictional issues and third party enforcement.

Uncertainty about how this applies to a non-EU entity which receives data from the EU.

Issues of transferring data outside the EU.

Determining who is a resident of the EU.

Volume of regulation to implement.

Understanding what needs to be done and the implications.

Representative of Legal data / transmission country - country non EU (once UK leaves).

How To Help

Domestication of the law.

Greater clarity and guidance produced by the ICO - lacking at the moment. [UK specific]

Inform about penalties.

Information and assistance from a trusted adviser

The implementation when specialist resources are not available.


3. Data Management & consent to process personal data 

Concerns 

Assessing what data we hold.

Gaining consent to process data – including gaining consent from all individuals and parents/guardians of children, supporters, etc. Lack of knowledge of the subject.

Ensuring accurate data records and finding out how much data we are dealing with.

Data retention scope and periods.

Data related to health of athletes.

How to organise information to be compliant.

Systematic approach across the Club regarding the collection and processing of data.

We are not a data controller, but rather a data processor, so we are acting in support of our clients who are DCs. Fortunately we are an enabler of GDPR although we are fine-tuning our systems and processes based on the specific reqs of GDPR. We are working on including contractual language encompassing GDPR, a Processor/Controller contract.

Understanding necessary technical controls

Mandating heightened internal standards

Having a good view on all information streams

The implications of information sharing agreements with other organisations and how this may increase the risk of sanctions under GDPR.

Ensuring all 3rd party data processors comply and fully integrate with our CRM system

Knowing where all the data is stored, by whom and why in order to ensure that every item complies.

Establishing what data the business collects, what we do with it and identifying what third party providers we are using that process data on our behalf.

Ensuring that we have the necessary documents in place.

The discovery and auditing of the departments who collect and store personal data.

Legitimising the processing of sensitive categories of personal data in the context of regulatory activities (anti-doping, disciplinary actions, injury monitoring, etc).

The transfer of player data overseas.

Maintaining personal data with consent and using data in a day to day environment that is very reliant on volunteers.

Ensure consent requested for collection is adequate and documented and collection is transparent. Ensure that data is not kept longer than necessary. Ensure that data is not kept in prohibited locations. Prepare processes and templates for replying to data subjects’ requests.

Culture change elements to ensure only relevant data is kept for the defined purpose and timeframes.

The identification of all the data processed by all the departments. The risk assessment and the creation of an incident response plan in order to be compliant with the GDPR.

Company-wide overhaul of approach to data - complete behavioural change - so as to understand all that we process/control.

Ensuring that all policies, especially the obtaining of consent, are compliant.

Mobilising and putting in correct systems.

How To Help

Sample consent form and privacy statement for amateur organisations.

Model privacy notice.

Monitoring and audit.

Data mapping.

Clear measurements of compliance.

Clear guidelines, education, probably automatic control of some functions in software.

Knowledge of how to collect sensitive data in a compliant manner.

Having an up to date and complete data register.

Inspection & report from the organisation.

Records management.

Templates for data audits.

Having a detailed data mapping process completed.

Understanding that personal data should no longer be sent via spreadsheet would be useful.

Checklists, toolkits and how-to guides.

A clear step by step checklist of what needs to be done in order to ensure compliance.

Outsourcing of service.

Whether any of this matters to grassroots clubs at the data they "process" when little appears to be done currently when a large organisation loses control of data.

Automate the processes.


4. Person(s) responsible (DPO-related): Management, Advice, Training/Amount of Time 

Concerns 

Embedding data protection considerations and compliance into day-to-day operations, to deliver on the "accountability" obligations.

Identify who is responsible within an organisation for ensuring compliance.

Understanding the implications of GDPR on a small local organisation. I have tried to get advice on the requirements, but have not found any available.

Adapting internal policies

Time to prepare, the big amount of personal data they find they are in possession of

Cost of additional staff and more administration.

Extra cost for lawyers

How To Help

Making someone responsible for GDPR within the organisation.

Staffing and administrative burdens.

Resources to assist with organisation-wide education and up-skilling of stakeholders/third parties.

A full time member of staff working on the GDPR for a significant period of time.

Obtaining legal advice on the subject without excessive charge out rates.

To be correctly advised, hence we have engaged data protection lawyers.

Involving an external expert.

Clear instructions.

Information and assistance from a trusted adviser and official guidance from the ICO.

Training.

Engage consultants as soon as possible.

Having legal certainty that what they are doing is GDPR compliant.

Concise handbook explaining implications of non-compliance and a cost effective way to ensure compliance.

Materials which would provide clarity on their requirements.

Validity of consent declarations.


5. Cost Effective Solution(s) 

Concerns 

To pay for the resources required to ensure continued compliance with the requirements.

Allocate time and resources, including finding ways to make a cumbersome process the least time-consuming.

Cost of additional staff and more administration.

How To Help

An increased legal budget to outsource our compliance programme.

A practical cost effective approach.


Conclusion 


It is clear from the GDPR Sport Readiness Survey that sports organisations and their partners are largely:

  1. Unclear on what the introduction of the GDPR means for their organisation;

  2. Unsure of how they should assess and monitor compliance with GDPR;

  3. Unsure about how data protection laws in general impact their organisation.


Therefore there needs to be:

  1. More tailored education and training for sports organisations;

  2. Clear and accessible language used with regards to data protection regulations for sports organisations;

  3. Sustainable step-by-step data privacy protection solutions that are made accessible for sports organisations.


Further Reading

"The legal implications for big data, sports analytics and player metrics under the GDPR"

https://www.lawinsport.com/topics/articles/item/the-legal-implications-for-big-data-sports-analytics-and-player-metrics-under-the-gdpr

"How UK Sports Governing Bodies can prepare for the new General Data Protection Regulation"

https://www.lawinsport.com/topics/articles/item/how-uk-sports-governing-bodies-can-prepare-for-the-new-general-data-protection-regulation

"WP243 Annex - FAQs on the requirement to appoint a DPO, European Commission"

https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_annex_en_40856.pdf 


Feeding Back and Training

If you would like to discuss the findings of this report, have any feedback, or require education and training for you and/or your organisation, please contact the author by email.

[1] https://www.eugdpr.org/

About the Author

Sean Cottrell

Sean is the founder and CEO of LawInSport. Founded in 2010, LawInSport has become the "go to sports law website" for sports lawyers and sports executives across the world.
Copyright © LawInSport Limited 2010 - 2018. These pages contain general information only. Nothing in these pages constitutes legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. LawInSport is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.