The ‘Bear’ Necessities of the EU General Data Protection Regulation
Data protection has hit the radar of sports organisations following last year's high-profile data leaks and cyber-attacks on the likes of WADA by the “Fancy Bear” group.
Changes to come
The EU has reacted to these changing times by drawing up the General Data Protection Regulation (EU) 2016/679 (GDPR), which comes into force throughout Europe on 25 May 2018 and replaces current legislation. With Brexit anticipated for April 2019, current indications are that the GDPR will be applicable in the UK initially. Post-Brexit the UK will have the option of developing its own law that is deemed adequate by EU Regulators (but which will, we anticipate, follow the GDPR principles).
Whilst many of the core principles will remain the same, the GDPR places some onerous and cumbersome obligations on both data controllers (persons who determine the purposes for which and the manner in which any personal data is to be processed) and data processors (those who process personal data on behalf of the data controller). It is essential that your organisation plans its approach to GDPR compliance, starting today.
7 things you need to know now
- Who’s in charge?
Your organisation and its key decision makers should be aware of the changes which will be brought in by the GDPR. Data protection should become (if it is not already) a boardroom issue and board level training should be a priority. Identify who monitors data protection compliance within your organisation. You may need to appoint a Data Protection Officer to take responsibility for data protection compliance within the organisation.
- Review your internal policies, procedures and contracts
Review your internal data protection policies to ensure they meet the new GDPR principles and requirements. Internal training sessions should be rolled out to ensure staff are aware of the changes in the law. Privacy notices on websites and on customer facing documents should be reviewed to ensure they are transparent and in clear language. Familiarise yourself with the ICO’s guidance on Privacy Impact Assessments. Deadlines for dealing with subject access requests will also shrink from 40 days to one month so be prepared to act promptly if such a request is received. From May 2018, your organisation will also need to ensure that its contracts include more detailed data processing provisions.
- Know your data
Your organisation should assess the information that it holds, where it has come from and with whom it is shared. You could use a detailed questionnaire across the organisation to ascertain what personal data is collected and about what categories of individuals. Information gathered can then be used in a report to inform strategy and next steps. Study your data processing activities, identify your legal basis for carrying them out and document it. If you hold inaccurate personal data and have shared it with another organisation, from May 2018 you will need to let that organisation know. This will be a difficult task unless your organisation is aware of the information it holds. Review how you are seeking, obtaining and recording consent from the individuals from whom you collect data. Existing consents will need to meet the more stringent requirements of the GDPR.
- Notifying the ICO of a data breach
The GDPR will contain a new requirement to notify the ICO of all personal data breaches (unless certain exemptions apply) without undue delay and, where feasible, within 72 hours (currently there is no specific deadline). Your organisation should therefore review its data breach procedures regarding detection, reporting and investigation of a personal data breach. Failure to report a breach could result in a double fine – for the failure to report the breach and for the breach itself.
- International reach
If your organisation operates internationally, review and map out your international data flows. Assess what protections are built into your international data transfer mechanisms. The GDPR contains new and complex arrangements in relation to international data transfers, which you should be aware of if your organisation’s reach is international.
- Special protection for children
If your organisation works with children, you will need to think about putting new systems in place as the GDPR will implement special protection for children’s data. For example, your organisation will need a parent or guardian’s consent in order to process a child’s personal data lawfully.
- Fines for non-compliance
The GDPR takes no prisoners, with potential administrative fines of up to 4% of global turnover or €20 million (whichever is greater) for breach of GDPR provisions. Adverse publicity from the fallout, along with the real possibility of on-the-spot audits, makes it critical to ensure your organisation knows the GDPR inside and out.
The message for clubs and sports organisations is act now to protect yourself later on. Research drawn from the ‘Global Databerg Report’ by Veritas Technologies suggests that 54% of organisations are yet to begin any work on meeting minimum GDPR compliance. Make sure your organisation is not among them.
If you would like any further advice on data protection and how your business may be affected by the GDPR, please contact one of our data protection experts at Mills & Reeve, Paul Knight or Sarah Whyman.