Why sports teams should avoid relying on consent to comply with GDPR
In the run-up to 25 May 2018, or "GDPR day", many organisations made huge changes to the way they process “personal data”. However, due to blind spots in the available guidance (both from the Information Commissioner's Office (ICO) and other sources), there remains uncertainty around what organisations must do to comply with the General Data Protection Regulation1 (GDPR).
By way of initial background, “personal data” means “any information relating to an identified or identifiable natural person”2. "Special category" data (previously called "sensitive personal data"), which attracts heightened protection under GDPR, includes: data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, sex life, sexual orientation or trade union membership3. Data concerning an individual’s health will also be classed as special category. Sports clubs are in a unique position in an employment context as they are likely to regularly process health information relating to their players, including medical histories, medication, allergies, injuries and potentially medical information which may or may not be specific to the sport itself. Great care is therefore needed to keep the information safe.
One major area where sports clubs and organisations could face particular difficulties is where they have relied on consent as a basis for processing data under GDPR, as it may not be the easy fix they thought it was. Accordingly, this article examines why it is essential that organisations identify a legal basis for processing personal data and avoid the trap of falling into reliance on consent. Specifically, it looks at:
- The new obligations on employers when processing employees’ personal data
- What the "big problem" is with relying on consent
- What employers should be doing now
- Consequences of non-compliance
- Practical guidance going forward
The article assumes that readers have a basic knowledge of GDPR. For readers wanting an introduction to the topic, please see here4.
Katie Russell is an Employment Partner in the Business of Sport Group at law firm Shepherd and Wedderburn LLP. Katie uses her experience of employment law combined with her knowledge of sports law to provide highly specialised advice to sports organisations and their teams to help address the specific challenges they face.
Very informative article for an organization's GDPR/DPA compliance options for their employees, with slight feedback on the title including 'Employees.'
Challenges are often arising from organization's non-employees special categories of data or employees co-mingling non-organizational technologies that process their special categories of data.
Articles like this one from Katie are great in advancing the education of the ecosystem.