Key information on the General Data Protection Regulation for the sports industry
Sophie Wilkinson, Adam Leadercramer
This article answers some of the key questions on the General Data Protection Regulation (GDPR) that the authors are frequently asked. In doing so, the authors hope that it dispels certain “GDPR myths”, offers practical guidance for interpreting the new law, and helps readers understand key risk areas and think more logically about how to be compliant come this spring.
What is GDPR?
GDPR stands for the General Data Protection Regulation, the new EU-wide data protection regulation coming into force on 25 May 2018. It will repeal the existing law (the Data Protection Act 1998 (DPA)), which is very outdated, particularly in light of dramatic advances in technology and the rise of “Big Data”.
What about Brexit?
GDPR will automatically apply in the UK until we leave the EU, at which point we will need to put in place a new data protection law. The UK is in the process of trying to agree the Data Protection Bill (which will become the new Data Protection Act…rather confusingly) for this purpose. Once in force, this will need to be read in conjunction with GDPR until we leave the EU, and on a standalone basis once we have left. The Bill refers back to GDPR and essentially adopts the same standards as well as modifying other areas which member states are permitted to under GDPR.
Is GDPR a complete overhaul of the DPA?
There are a few new concepts such as the role of a Data Protection Officer, “pseudonymisation”, direct application to processors of certain GDPR obligations and privacy by design and by default. However, in our view GDPR does not present a drastic overhaul to the current DPA framework but rather, it plugs gaps, or strengthens existing rights and obligations and defines certain concepts more precisely. Therefore, if your organisation is compliant with the DPA this will put you in good stead for the move across to GDPR.
Will GDPR apply to my organisation?
Yes, if your organisation:
alone or with others determines the purposes for processing personal data relating to living individuals (known as acting as a “data controller”) or processes personal data relating to living individuals strictly in accordance with the instructions of another (known as acting as a “data processor”); and
is “established” in the EU (meaning that your business exercises real and effective activity through stable arrangements in the EU – including through a branch or subsidiary) or is established outside the EU but offers goods or services to individuals in the EU or monitors the behaviour of individuals in the EU.
In a key departure from the DPA, processors will have direct obligations under GDPR (which are discussed further below). GDPR also has specific provisions dealing with “joint data controllers”; the situation where there is more than one data controller in respect of a particular set of personal data.
Back to basics - what do "processing" and "personal data" mean under GDPR?
As with the DPA, “processing” basically means doing anything with personal data (i.e. collecting, organising, transferring, altering etc). The scope of what is considered “personal data” is slightly broader: personal data will cover any data relating to an identifiable natural person who can be directly or indirectly identified, in particular by reference to an “identifier”. These “identifiers” are broad in scope and reflect technology changes, now including things such as location data and online IDs (such as IP addresses and cookies).
The processing of sensitive categories of data – such as health data or data revealing someone’s religion or ethnicity, sex life or political views, and also now under GDPR, biometric and genetic data - requires more onerous conditions to be satisfied. The processing of data relating to criminal convictions also has more stringent conditions attached.
Will any of our data activities fall outside of GDPR?
You will not be caught by GDPR if you are processing non-personally identifiable information or personal data relating to deceased individuals. There are also a few other limited exceptions (e.g. processing of personal data by an individual purely for household or personal reasons with no connection to commercial activity).
Therefore, anonymising personal data fully (i.e. irreversibly preventing the identification of an individual) will ensure that data falls outside of the scope of GDPR.
What is pseudonymisation and how does this differ from anonymisation?
Pseudonymisation is a new concept formally introduced in GDPR. It is the processing of personal data in such a way that the data can no longer be attributed to specific individuals without linking that data to additional data AND ensuring that the linking data is kept separate. The use of pseudonymised data is not exempt from GDPR but is one way that organisations can demonstrate they are managing data risks appropriately in the context of privacy by design and default (as explained below). Anonymised data, on the other hand, is permanently non-identifiable even when connected to other data.
What are the "data protection principles" and are these the only thing I need to comply with?
These are the key principles which underpin the new law. The DPA currently requires data controllers to comply with eight principles and GDPR doesn’t depart from these significantly. There are now seven principles, which are listed below, some of which already exist. It is important to always consider these principles when processing personal data but to also remember that there are other requirements under GDPR which must be complied with in different circumstances (e.g. in relation to overseas transfers of personal data, record keeping requirements and data subject rights).
Lawfulness, transparency and fairness – “Lawfulness” requires a data controller to satisfy at least one “processing condition” when processing personal data. These include explicit consent, necessity for performance of a contract with the data subject, necessary for compliance with a legal obligation to which the controller is subject, or necessary for the purposes of a legitimate interest of the controller. Going forward, you will need to tell data subjects what conditions you are relying on for each of your processing activities. There is a supplemental list of processing conditions for sensitive data, which are very restrictive and will in most instances require explicit consent. “Fairness and transparency” is where privacy policies and data capture notices come in. An increased amount of information will need to be given and must be presented in a clear and concise manner, and tailored for the specific audience. Data controllers will need to think more creatively as to how best to get the key messages across; we think it is helpful to put yourself in the shoes of the data subject – what would you want to know about how your data is being handled and how would you like this to be presented to you?
Purpose Limitation – personal data should be collected for specific, explicit, legitimate purposes and shouldn’t be processed in a manner incompatible with those purposes.
Data Minimisation – personal data should be adequate, relevant and limited to what is necessary in relation to the purpose for which processed.
Accuracy – personal data must be accurate, up to date and rectified or deleted if not.
Storage Limitation – personal data must be kept in a format which enables the identification of individuals for no longer than necessary to achieve the purpose.
Integrity and Confidentiality – personal data should be stored in a secure and confidential way.
Accountability – data controllers must continuously assess risk, implement appropriate policies and procedures and keep them under review as to suitability and effectiveness.
My organisation predominately processes data on behalf of others - should I be concerned?
As mentioned above, under GDPR (unlike the DPA), data processors will now have direct responsibilities for certain aspects of compliance (such as record keeping requirements and data breach reporting). Data subjects will also be able to bring a claim directly against a processor. Therefore, contract negotiations between controllers and processors will become far more interesting (…to lawyers) and the allocation of risk and liability will be more of a focus. Data controllers will also need to do more extensive due diligence on data processors before contracting with them.
Will I always need to obtain consent for processing personal data?
Clients often ask us whether consent will always be required going forward. The answer is definitely not. Consent will be much harder to rely on under GDPR. It will need to be unbundled (i.e. obtained for each type of processing), given on a free, informed and unambiguous basis, with an affirmative action (so an opt-in), and it must be possible to withdraw it at any time in a simple way. Therefore, it is only really relevant in the context of optional services such as third-party marketing and, where possible, other processing conditions should be relied on for processing data for core purposes (where consent isn’t really optional). It is important to note that children under 13 cannot give consent going forward for online services and 13-15-year-olds will always need parental or guardian consent.
Current guidance also indicates that you will need to name any third parties who will be relying on the consent (e.g. third parties with whom you share data who wish to contact your customers for direct marketing purposes). This departs from common practice of seeking consent for “relevant third parties” or “our trusted partners” for example.
Will I need to notify the Information Commissioner's Office (ICO) of my processing activities?
The DPA currently requires controllers to have an ICO notification, which entails the payment of a fee and confirmation of processing activities on an annual basis. This notification requirement is being abolished but there are new record keeping requirements in respect of processing activities, which apply to both controllers and processors. Helpfully, SMEs (companies employing fewer than 250 people) will not be required to maintain these processing records unless their processing is high risk.
It is important to highlight that although the notification fee is not being retained under GDPR (as referred to above) the Digital Economy Act makes provision for the payment of fees by data controllers to the ICO (albeit that the level of such fees is unclear at this stage). In addition, we note that if your ICO notification is due to expire before GDPR comes into force, it will still need to be renewed as it will continue to be a criminal offence not to do so until 25 May 2018.
What is a Data Protection Officer and will we need one?
In keeping with GDPR’s focus on self-regulation and accountability, an organisation (whether a processor or controller) is required to appoint a DPO if it:
Is a public authority or body; or
Undertakes regular and systematic monitoring of individuals on a large scale; or
Processes sensitive categories of data on a large scale; or
Processes data relating to criminal convictions/offences; or
Considers appointing a DPO is necessary following its own internal risk assessments.
A DPO needs to have expert data protection knowledge (with reference to the type and complexity of processing carried out by the organisation) and must act independently (although it can be an internal appointment).
If your organisation does not fall into any of the above categories, you should still designate at least one person who is au fait with GDPR who can assist with compliance, but avoid labelling them as DPO to ensure they are not subject to the DPO regime.
Are individuals being given significantly more power under GDPR?
Yes and no. Several data subject rights currently exist but are simply being enhanced, including subject access requests, the right for data to be corrected and the right to object to direct marketing. Taking subject access requests as an example, the scope of information which an individual can request is being broadened and where possible, controllers will need to provide remote access to a secure system to give the person direct access to the requested data.
There are a few new rights being introduced, namely: (i) the right to be “forgotten” (which will essentially require companies, when requested, to delete data which is being processed unlawfully); (ii) the right to restrict processing (meaning that the controller cannot process the data further until the individual has explicitly consented or other limited exemptions apply); (iii) the right to object to certain other types of processing, including processing based on legitimate interests of the controller; and (iv) data portability, which requires the controller to be able to transfer personal data to the individual in a commonly used and machine readable format so it can be transferred to another controller (or where practical, directly from one controller to another).
The exercise of each of these rights, and your obligations in dealing with these rights are set out in GDPR and you should familiarise yourself with these processes ahead of time. We expect that the administration involved in dealing with data subject requests will increase, particularly given that the fee which companies can currently charge for access requests is being abolished (save in limited circumstances) and you will now have one month (in most cases) to respond to the relevant request rather than the current 40-day period. Therefore, it is crucial to start thinking about how you will meet the new deadlines for dealing with these requests, both internally and across your data network (including your processors and sub-processors).
Are the security requirements going to be more onerous?
Yes. There is no definitive standard to adhere to when it comes to data security. Rather, GDPR will require controllers and processors to evaluate risks involved with their processing activities and implement appropriate measures to prevent loss and unauthorised access to data e.g. pseudonymisation, encryption, restricted access. Doing research as to what constitutes best practice in your industry will certainly help in this respect and can be used as a suitable benchmark for evaluating the appropriate security standards for your organisation.
You also need to start thinking about your processes for breach reporting. Data breaches will need to be reported to the ICO as soon as the controller is aware and no later than 72 hours after the breach, unless the controller can show that the breach is unlikely to result in risk to individuals. If the breach is likely to result in high risk to individuals, the individuals must be notified without undue delay. It is therefore crucial to build in buffers with processors and sub-processors to ensure you are notified of any breaches in time to enable you to comply with your reporting requirements.
What is privacy by design and privacy by default, and what are "PIAs"?
These are “buzz” words under GDPR, but do not seem to introduce anything particularly revolutionary. Essentially, they require data protection compliance to be fundamental to the design of technology, systems, products and services which process personal data, as well as throughout the lifecycle of such processing activities. Controllers are also required to implement technical and organisational measures to ensure that, by default, only personal data necessary for the processing purposes are processed, e.g. pseudonymisation, internal training, encryption methods, robust policies and procedures.
Technical and organisational measures which are designed to implement the data protection principles should be implemented both at the time the purposes for processing are chosen and at the point of processing. Controllers should consider “state of the art”, costs of implementation, nature, scope of processing and risks to individuals when formulating and implementing appropriate measures.
You may also have heard of “Privacy Impact Assessments” or “PIAs”. These are only mandatory where processing is likely to be high risk to individuals (e.g. systematic and extensive profiling of individuals which produces significant effects on those individuals, or processing of sensitive data on a large scale). GDPR stipulates the process for conducting a PIA and what this should cover. If the risks identified in the PIA cannot be mitigated, processing shouldn’t happen without consultation with the ICO.
Going forward, how will we lawfully transfer personal data outside of the EEA?
In a very similar manner to how you do so currently. You will still be able to transfer personal data outside of the EEA where it’s going to an “adequate country” (i.e. one which the EU Commission has approved as having appropriate safeguards in place), where you put in place appropriate safeguards, such as Binding Corporate Rules, Model Clauses or rely on the US Privacy Shield for US transfers. Other grounds also apply, such as explicit data subject consent (but noting the more stringent consent requirements referred to above) or where the transfer is necessary for the performance of a contract. As with the DPA, you also need to ensure you are in compliance with the data protection principles in relation to the transfer (e.g. ensuring that your processing is lawful).
Are the increased sanctions really as bad as they sound?
The potential fines under GDPR have significantly increased from those under the DPA:
€10,000,000 or, if an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year (whichever is higher). This tier of fine applies to breaches which are less serious in nature, for example failure to put in place an adequate processor agreement or to implement appropriate technical and organisational measures appropriate to the risk.
€20,000,000 or, if an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year (whichever is higher). This higher tier of fine is obviously reserved for more serious breaches of the fundamental principles of data protection, but does cover a significant number of the obligations set out in GDPR, including a breach of the data protection principles and data subject rights.
The increase in maximum fines has really caught the attention of businesses for obvious reasons. That said, factors such as the severity and scale of the breach, whether the breach was intentional, whether the infringer has co-operated with the ICO and whether there was any financial gain from the breach will almost certainly be considered (as they are in the context of any normal damages claim). Therefore, businesses which carry out “high-risk” processing activities and which operate in sectors traditionally the focus of regulatory review (e.g. marketing companies, call centres and companies carrying out large-scale profiling) will need to think seriously about how they will manage their risks.
Even if you don’t think your organisation is at risk of these fines, you should still consider the impact of any breach in the context of damage to reputation and customer complaints.
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.
About the Author
Sophie is an associate at Onside Law who specialises in commercial, IP, IT and data protection work for clients in the sports and entertainment sectors. Sophie covers a broad range of matters, including endorsement, hosting, outsourcing and other commercial contracts, IP and IT related arrangements and data protection issues.
Adam is a partner specialising in commercial law in the sport and entertainment sectors and is our Head of Commercial. He joined Onside Law in January 2010, having spent over 6 years with leading City firm, Allen & Overy, primarily in its Communications, Media and Technology department.