Why sports teams should avoid relying on consent to comply with GDPR
Published 15 August 2018 By: Katie Russell
In the run-up to 25 May 2018, or "GDPR day", many organisations made huge changes to the way they process “personal data”. However, due to blind spots in guidance available (both form the Information Commissioners Office (ICO) and other sources), there remains uncertainty around what organisations must do to comply with the General Data Protection Regulation1 (GDPR).
By way of initial background, “personal data” means “any information relating to an identified or identifiable natural person”2. "Special category" data (previously called "sensitive personal data"), which attracts heightened protection under GDPR, includes: data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life, sexual orientation or trade union membership3. Data concerning an individual’s health will also be classed as special category. Sports clubs are in a unique position in an employment context as they are likely to regularly process health information relating to their players, including medical histories, medication, allergies, injuries and potentially medical information which may or may not be not be specific to the sport itself. Great care is therefore needed to keep the information safe.
One major area where sports clubs and organisations could face particular difficulties is where they have relied on consent as a basis for processing data under GDPR, as it may not be the easy fix they thought it was. Accordingly, this article examines why it is essential that organisations identify a legal basis for processing personal data and avoid the trap of falling into reliance on consent. Specifically, it looks at:
The new obligations on employers when processing employees’ personal data
What the "big problem" is with relying on consent
What employers should be doing now
Consequences of non-compliance
Practical guidance going forward
Get access to this article and all of the expert analysis and commentary at LawInSport
Already a member?
Articles, webinars, conference videos and podcast transcripts
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission is granted to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.
- Tags: Data Protection | Data Protection Act 2018 | Employment | European Union | General Data Protection Regulation (GDPR) | Governance and Regulation | Information Commissioners Office (ICO) | United Kingdom (UK)
- Key information on the General Data Protection Regulation for the sports industry
- Top 10 tips for safeguarding children and vulnerable adults in sports
- New survey launched: How is the sports sector coping post GDPR?
- How the GDPR could impact the handling of sports disputes
Katie Russell is an Employment Partner in the Business of Sport Group at law firm Shepherd and Wedderburn LLP. Katie uses her experience of employment law combined with her knowledge of sports law to provide highly specialised advice to sports organisations and their teams to help address the specific challenges they face.