Whether you are a grassroots club, professional team or a sport governing body, you will have fans, members and athletes. As a result, you will be holding the personal data of many individuals as well as information relating to volunteers and employees. Data is a key asset for sports organisations. Maintaining and growing it is crucial to the ongoing development and success of the organisation, and to allowing it to engage with members and market events to them.
Sporting organisations of all levels need to be aware of the upcoming General Data Protection Regulation (the "GDPR"), which comes into force on 25 May 2018. This new EU regulation is set to radically change the way that all organisations manage individuals' personal data, with the biggest reform in data protection law for over 20 years. It is crucial that all sporting organisations have taken or are planning to take appropriate measures to ensure compliance with the Regulation, as organisations which don't comply face huge potential fines of up to 20 million or 4% of global turnover for serious breaches.
The GDPR applies to any data controllers or data processors, so it covers organisations who collect any personal data from members, employees, fans or athletes. "Controllers" of personal data are organisations that decide how and why personal data is processed. "Processors" of personal data are those who process data on the controller's behalf. Some of the key changes that are implemented by GDPR include:
Record keeping: - Organisations will be required to keep records of the data they process, why they process it, for how long they process it and the legal basis on which they process it.
Notification of breaches: - Data breaches that impact on privacy will have to be notified to the Office of the Data Protection Commissioner (the "ODPC") and any individuals that are affected within 72 hours of the occurrence of the breach. Failure to report a breach could result in a fine as well as a fine for the breach itself.
Transparency: - The GDPR sets out the information that must be given to data subjects at the point of collection of the data. Data capture forms and privacy policies of sports organisations will need to be updated in order to fall in line with the minimum transparency requirements of the GDPR. Individuals must be told about what personal data is processed, why it is processed, the lawful basis for processing it, how long it will be retained for, who, if anyone, it might be...