The General Data Protection Regulation (GDPR) is a European law with direct effect in all EU member states. It harmonises data protection law across Europe and came into effect on May 25th, 2018.
Data Protection is an EU fundamental right for all individuals. All organisations including Sports Clubs that collect, control or process personal data are required under law to make sure that the data they collect is obtained fairly, stored securely and retained for no longer than is necessary.
The Right of Access is an important right for individuals, allowing them to obtain information about the kinds of data organisations process about them, and to verify that the information is accurate and up to date.
What are the key points?
- GDPR sets out rules about how personal information (data) can be obtained, how it can be used and how it is stored. Sports clubs often collect the data of their members and players via membership forms, Garda Vetting forms, summer camp applications, text or messaging systems, email lists or distribution groups, team sheets or training attendance lists, and information captured on club websites.
- Should a member consent to the holding of his or her data by the club, this must be communicated to them at the time the data is obtained. A single box tick will not suffice for multiple purposes.
- Clubs must explain to members the legal basis for the use of the data. There are many legal grounds for using personal data such as ‘performance of contract’ and the ‘legitimate interest’ of the data controller. If relying on the member’s consent to use data, it should be easy for an individual to withdraw their consent. The chance to review their consent should be given on a regular basis (e.g. yearly). In Ireland, it is anticipated that parental consent for children under 13 will be required in relation to the use of digital technology e.g. apps.
- Data must be kept safe and secure and must be kept accurate and up to date.
- An individual can request a copy of all of the personal information held about them (this is called a Subject Access Request) and must be allowed to have all of their data deleted or returned to them, if they so wish, within a month.
- Each club should consider the appointment of a Data Protection Officer (DPO) or identify someone to manage the requirements of the role. The DPO will advise on the GDPR, monitor compliance and represent the club in its engagement with the Data Protection Commissioner.
What should you do?
It is up to the club to make an inventory of all the data it holds on its members and to maintain a record of what it does with this data; this is called ‘data processing’. The object is to establish why, where and how the data is stored, why it was originally gathered, how long it is being retained, how secure it is and whether it is shared with any third parties.
So, all paper forms, emails and computer files should be checked and updated, and irrelevant data should be deleted. Data Controllers must be able to demonstrate that consent was given or that another lawful ground for processing can be relied upon, and that an audit trail is maintained.
The GAA, for example, stores all registered member information on their Central Games Management System (Servasport) and jointly shares responsibility for this data with each club/team/county. Some clubs may have other systems in place (Excel) or use third party providers such as Clubify to manage their digital systems. Third party providers must be well aware of GDPR compliance and discussions should be held with third parties in relation to responsibilities arising and where liability for a failure to comply will rest.
If relying on consent, it must be ‘freely given, specific, informed and unambiguous’. In order to comply with GDPR, membership (or any other) forms should include the following information:
- The Club’s identity
- The reasons for collecting the information
- The uses it will be put to
- Who it will be shared with
- Whether it will be transferred outside the EU
- The legal basis for processing the information
- How long it will be retained for
- The right of members to complain
- Whether it will be used for automated decision making
- Other specific personal privacy rights relevant under GDPR.
Personal Privacy Rights
As a data controller your club must protect the rights of individuals.
They include the right to have information erased, inaccuracies corrected and the ability to object to direct marketing.
Data portability is a hot topic at the moment — it’s the process where an individual’s information is gathered and moved to another provider or to the individual in a technical format. This is more relevant to switching banks or utility services but could crop up when a player transfers club.
If there is unauthorised access to personal data or it is lost or stolen, the Data Protection Commissioner must be informed within 72 hours.
Where there is a high risk to the rights and freedoms of the individual affected, he or she should also be made aware of the breach.
Clubs in Northern Ireland may be concerned over the effect of Brexit on data protection. It is expected that when the UK formally leaves the EU in 2019 it will have enacted legislation that mirrors GDPR. However, this remains to be seen.
- Consent needs to be obtained and refreshed regularly
- Privacy statements need to be updated
- Information needs to be protected and accurate
- Specific locations of information must be known
- Subject Access Requests must be facilitated within 1 month
- Breaches must be reported within 72 hours
- Privacy by design and by default must be adopted
- New procedures must be implemented to enable the above throughout the lifecycle of the data (Capture, Store, Use, Destroy).