How UK Sports Governing Bodies can prepare for the new General Data Protection Regulation

Published 05 December 2017 | Authored by: Thomas Barnard, Ghilas Lounis

With the 25 May 2018 date on which the General Data Protection Regulation [1] (the GDPR) takes effect fast approaching, it is crucial that national Sports Governing Bodies (SGBs) have taken, or are about to take, appropriate measures to ensure they comply with the legislation.

This article outlines the key provisions of the GDPR and how they are likely to apply to the UK’s SGBs. In doing so, it takes account of the obligations on SGBs under the UK’s new Code for Sports Governance (the Code). Specifically, it looks at:

  • The application of the GDPR to UK sports governing bodies

  • How the Code interacts with the GDPR

  • What the GDPR does and why it is relevant to SGBs

  • The role of the UK’s Data Protection Bill

  • What should SGBs be doing now to ensure compliance with the GDPR?

The application of the GDPR to UK SGBs

The GDPR applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3). All SGBs are almost certain to hold personal data, for example:

  • general information on athletes as well as their performance data;

  • sensitive information, such as the health data of athletes and anti-doping records;

  • data on children, for example information used to research participation in the SGB’s particular sport; and

  • data on fans and members.

Further, unlike the Data Protection Act 1998 (the current legislation), the GDPR imposes direct obligations on both:

  • "controllers" of personal data (who decide how and why personal data is processed); and

  • "processors" of personal data (those who process it solely on a controller’s behalf, for example an outsourced IT or membership-database provider).

It is therefore almost certain that any organisation operating in the EU will be affected by the GDPR in some shape or form.

Many may think that, given Brexit, the UK need not worry about the GDPR. However, given the importance of data protection in securing continued open trade with the EU, the UK Government has been very clear that the GDPR will be carried over into UK law. Indeed, at the time of writing, the Data Protection Bill 2017 (the Bill) is making its way through Parliament; in effect it “copies and pastes” the GDPR into UK law, extends its scope to areas outside EU law and amends it in the areas where the GDPR allows individual member states to do so.

SGBs need to be aware of how the Bill incorporates and supplements the GDPR. Further still, with the growing amount of public funding available to SGBs and the increased competition for that pot [2], SGBs need to be certain they comply with the Code [3] if they are to be eligible to receive future funding from the public sector.

 

How the Code interacts with GDPR

The Code, which took effect from April 2017, was introduced following the Government’s strategy for an active nation, known as "Sporting Future". To achieve the Government’s objectives, the Code was set up to “protect the value for money the public receives from investment into sport and maximise the effectiveness of those investments” [4]. In brief, it works as follows [5]:

  1. The Code establishes five basic principles of good governance applicable to all organisations within the United Kingdom to which Sport England and UK Sport provide funding. SGBs that require such funding therefore need to ensure compliance with the Code.

  2. There are then a set of requirements related to each principle, categorised under three distinct Tiers. The Tier into which an SGB falls is determined by the level of public sector investment sought, as follows:

    1. Tier 1 applies where the investment is under £250k;

    2. Tier 2 applies where the investment is between £250k and £1m; and

    3. Tier 3 applies where the investment is above £1m.

In order to obtain investment in a given Tier, the requirements relating to each principle for that Tier must be met. In this way, the regulatory framework applicable to an SGB increases in scope and burden as the SGB seeks higher levels of funding. The intention is to keep the regulatory requirement adequate and proportionate for all SGBs, whatever their size.

The fifth of the generally applicable principles is the one that engages the GDPR and the Bill. It provides that SGBs must “comply with all applicable laws and regulations… and have appropriate controls and risk management procedures” [6] in place to ensure such compliance.

While Tier 1 does not include any particular requirement that is directly related to data protection, SGBs must adhere to the GDPR (and, in time, the Bill once enacted) not only to ensure they are legally compliant, but to ensure they remain eligible to receive funding.

To qualify for Tier 3 funding [7], SGBs must demonstrate both that they understand the key legal and regulatory obligations applicable to them and that they have appropriate policies and procedures in respect of those obligations. They must also maintain risk management and internal control systems and conduct an annual review of the effectiveness of those systems.

As discussed above, there will be very few SGBs to which the GDPR does not apply and, in this way, compliance with the GDPR and the Bill is essential if SGBs want to remain eligible for public funding in the future.

For a full review of how the Code works, please see: A guide to the UK’s new code for sports governance [8].

 

What the GDPR does and why it is relevant to SGBs

The GDPR is a new EU Regulation which governs how organisations (whether for profit or otherwise), including SGBs, process personal data. Its purpose is to control more closely the way in which organisations manage the personal data they hold and, in turn, to allow them to build trust and confidence with individuals.

SGBs need to be aware of the implications of the GDPR because they both control and process personal data.

Some of the key changes that are implemented by GDPR include (but are not limited to):

  1. Compulsory record keeping. Organisations will be required to keep records of, among other things, the personal data they process, why they process it, how long they retain it, who it is shared with and the lawful basis on which they process it (Article 30).

  2. Compulsory notification of personal data breaches. A personal data breach must be notified to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33). Where the breach is likely to result in a high risk to individuals, the individuals affected must also be informed without undue delay (Article 34). Breaches can range from a membership database being hacked to a letter being put in the wrong envelope, so the 72-hour clock is often started by something far less dramatic than a cyber attack; organisations therefore need a way of detecting and recording incidents quickly enough to meet the deadline.

  3. Consent. The rules on consent have changed significantly (Article 4(11) sets out the definition and Article 7 the conditions), meaning there is a need to ensure that any consents relied on to legitimise the use of personal data are compliant and, if not, are refreshed appropriately. Notably:

    1. Consent must now be given by a clear affirmative action, meaning pre-ticked opt-in boxes, opt-out boxes and silence or inactivity will not constitute consent.

    2. There is added emphasis on consent being freely given. As a result, it will be difficult to make an individual’s access to a service conditional on them giving consent to processing that is not necessary for that service, and consent is unlikely to be valid where there is a clear imbalance of power in the relationship (e.g. between employer and employee).

    3. Consent must be granular: where personal data is processed for more than one purpose, consent is needed for each of them.

    4. Individuals must be given simple, easy-to-access ways to withdraw their consent at any time; in particular, it must be as easy to withdraw consent as it was to give it.

Recent draft guidance issued by the ICO demonstrates how the GDPR has raised the standard [9] to be met when obtaining consent from data subjects, and consent will therefore not be as easy to obtain as it was under the previous regime. Given the extent of the changes, many organisations will need to change the way in which they rely on and collect consent.

  4. Transparency. Crucially, the GDPR requires organisations to be more transparent with individuals about how their personal data is used (Article 5) and is more prescriptive about what information must be given to them (Articles 13 and 14). This will require a review of privacy policies and fair processing notices. Among other things, an individual must be told what personal data is processed, why it is processed, the lawful basis for processing it, how long it will be retained, who it might be shared with and what safeguards apply if it is transferred to, or hosted, outside the European Economic Area.

  5. Enhanced existing rights. For instance, individuals already have a right to access their data under existing law. Under the GDPR it will generally no longer be possible to charge a fee for such requests (unless a request is manifestly unfounded or excessive), and organisations will have to respond within one month rather than 40 days, extendable by a further two months for complex requests (Articles 12 and 15).

  6. New rights. The GDPR introduces new rights for individuals, including:

    1. the right to erasure (the "right to be forgotten"), which allows an individual to require an organisation to erase their information from its systems, although the right only applies in limited circumstances (Article 17); and

    2. the right to data portability, which allows an individual to receive a copy of their personal data in a commonly used, machine-readable format, although again the right only applies in limited circumstances (Article 20).

Neither right is as wide-ranging as many think, and it is important that organisations properly understand their scope so that they can deal swiftly with requests which have no merit.

It is imperative that SGBs comply with these and the other requirements introduced by the GDPR. Breaches can lead to sanctions, including administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83). It is therefore surprising and concerning that, in an Irwin Mitchell survey conducted in May 2017, only 38% of senior decision makers in the UK were aware of the GDPR [10]. Furthermore, those SGBs which hold special category data, such as data on an individual’s health (Article 9), will need to take particular care, as breaches involving such data are likely to attract larger sanctions.

 

The Data Protection Bill

The GDPR applies directly in all EU member states, but it leaves individual member states a degree of discretion over how certain of its provisions are applied in their territories, and the UK (following its exit from the European Union) intends to keep the GDPR’s standards in domestic law. The Data Protection Bill therefore implements and supplements the GDPR in the UK.

While organisations may already have data protection safeguards in place, it is important to revisit them in light of the Bill, as those safeguards are likely to have been designed around the Data Protection Act 1998, which the Bill is intended to replace.

The changes include ensuring that sensitive health data can continue to be processed where necessary for health and safeguarding purposes, providing a specific regime for the processing of data for criminal law enforcement purposes, and providing for appropriate restrictions on the right of access where the processing is linked to a strong public interest. Although the majority of the changes proposed by the Bill may not directly affect SGBs, SGBs must still review the types of data they hold against the Bill. For example, an SGB which processes data relating to disabled participants in the sport it governs will need to be aware of the safeguards the Bill places on health data.

In terms of sanctions, the Bill also makes provision for criminal proceedings to be brought against data controllers. While this will apply in limited circumstances only, it demonstrates how seriously the Government is taking the protection of personal data.

 

What should SGBs be doing now to ensure compliance with the GDPR?

The GDPR and the Bill clearly need to be taken seriously, both to avoid potential sanctions and to unlock the public funding available to SGBs. Steps that SGBs should consider taking include:

  • Carrying out a data audit to understand what personal data is currently held, why it is held, how long it is held for and what the lawful basis for holding it is, where this has not already been done.

  • Ensuring there are appropriate processes in place to detect, record and assess a personal data breach and, where required, to notify the ICO within 72 hours of becoming aware of it.

  • Revisiting how consent is obtained from individuals, whether such consent remains compliant and how it can be made compliant. It may not be possible to make it compliant, in which case the organisation should consider an alternative lawful basis for processing that personal data.

  • Implementing appropriate safeguards when processing special category data such as health data.

  • Ensuring transparency by reviewing fair processing notices and privacy policies against the GDPR requirements.

  • Considering appointing a Data Protection Officer to oversee compliance with the GDPR and the Bill (this is mandatory in some cases, for example where an organisation’s core activities involve large-scale processing of special category data: Article 37).

  • Setting out policies to deal with the enhanced existing rights of individuals and the rights which are new under the GDPR.

 

Comment

Although the GDPR will have wide ranging implications generally, the implications for any SGB will be specific to them, determined by the data processed by them and the adequacy of the policies and procedures that they already have in place.

For many organisations that have been very proactive on data protection matters in recent years, the GDPR will represent an opportunity to better safeguard member and stakeholder data, and to develop better relationships with individuals by building trust and confidence.


About the Author

Thomas Barnard

Tom is a solicitor specialising in commercial litigation and sports law. He acts for a wide variety of high-profile athletes, including cricketers, footballers, gymnasts and cyclists.

Ghilas Lounis

Ghilas is a Trainee Solicitor with a particular interest in both the contentious and non-contentious aspects of sports law. Ghilas has acted for players regarding image rights structures and employment matters. He has also assisted sports clubs on a variety of commercial matters.


Copyright © LawInSport Limited 2010 - 2018. These pages contain general information only. Nothing in these pages constitutes legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. LawInSport is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.