Hammered by the GDPR
04/12/18
The reported data breach at West Ham United FC is a salutary warning to sports clubs of the potential consequences of an inadvertent data breach, and highlights the potential long reach of the GDPR.
Sports clubs and organisations hold a vast amount of data about players, members, staff and supporters. The public is also starting to recognise that this data is valuable: anyone who has read Moneyball by Michael Lewis will be aware of the utility of data-driven insights in obtaining a competitive advantage, and reports of repeated mass simulations of Championship Manager being used to predict the World Cup to assist gamblers made the news earlier this year.
However, from CCTV footage of a stadium, to credit card details of those buying tickets, and performance data about an athlete (potentially including sensitive health information), the sector also handles information which is sensitive and where the repercussions of misuse, loss or unauthorised access are significant.
Against this backdrop, the revised legal regime for data protection means that compliance is both more important, and more challenging.
The GDPR and personal data
On 25 May 2018, the GDPR became directly applicable in the UK, accompanied by the Data Protection Act 2018. Overnight, individuals gained enhanced rights and the statutory obligations on organisations that handle personal data became more onerous. The GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. This includes names, postal and email addresses, telephone numbers, medical records, records of opinion or intention, location data and CCTV footage.
The GDPR sets out six key principles. These provide that personal data:
- Must be processed on a valid legal ground (known under the GDPR as a ‘lawful basis’, and under the old regime as a ‘legitimising condition’), fairly and transparently;
- Must not be used for purposes incompatible with those for which it was obtained;
- Must be adequate, relevant and limited to what is necessary (not excessive);
- Must be accurate and kept up-to-date;
- Must not be kept for longer than is necessary; and
- Must be kept confidential, safe and secure.
Organisations are subject to various other requirements under the new legislation. These include:
- a duty to respond to requests from individuals in connection with their personal data, an issue which caused the Information Commissioner to issue an enforcement notice against Nottingham Forest FC a couple of years ago. The primary time period for compliance is now shorter than under the old Data Protection Act 1998 (one month rather than 40 days), and organisations can no longer typically charge a fee to individuals seeking to exercise their rights;
- an obligation to report certain incidents to the Information Commissioner and, where the incident is likely to result in a high risk to them, to affected data subjects. A breach that is likely to result in a risk to individuals must be reported to the Information Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of it;
- enhanced governance and contractual requirements, particularly when sharing information or hiring other organisations to process data on your behalf. Organisations may sub-contract or outsource a number of activities which interface with data, such as ticketing and security, and routinely share personal data with a range of other bodies and agencies: the arrangements surrounding this need to be carefully considered;
- limitations around the use of profiling and fully automated decision-making. With the rise of biometric and other performance data, as well as ‘big data’ about supporters, this needs to be undertaken carefully; and
- undertaking data protection impact assessments when considering and using data in novel ways.
Organisations ultimately are accountable for their use of data and are required to show how they are complying with the law.
The above obligations apply to all organisations in the EU responsible for processing personal data (and to organisations outside the EU which offer goods or services to, or monitor the behaviour of, individuals in the EU), and they will remain in force in the UK post-Brexit.
West Ham United FC
In August 2018, it was reported that West Ham accidentally shared the personal email addresses of hundreds of supporters when confirming successful ticket applications for a Carabao Cup fixture. The club has reported the breach to the ICO and apologised to fans.
Falling foul of the GDPR
The GDPR introduced more severe penalties for non-compliance with the data protection principles. As is well known, the headline ‘worst case’ scenario from a regulatory perspective is a fine of up to €20 million or 4% of worldwide annual turnover, whichever is higher, but there are a range of other enforcement tools available to the Information Commissioner. Reputational damage can be substantial, and individuals may bring a civil claim for damages; in a major data incident, these costs could well eclipse even the most punishing regulatory penalty. The recent decision in the WM Morrisons case shows that an organisation cannot assume it is protected simply because the disclosure was perpetrated by a ‘rogue’ employee: more than 5,000 members of staff have successfully brought group litigation against Morrisons, which was held vicariously liable after their personal data was stolen by a colleague and offered for sale on the Dark Web.
The WHUFC case involved only the email addresses of supporters, but any professional sports club is likely to hold extensive personal data (first team, reserves, youth, academy), including ‘sensitive’ medical records, financial information and potentially information about criminal or anti-social behaviour.
Given the worldwide reach of big name sport, fans may not be resident in the UK, which raises the question of lawful transfer of that data internationally, as well as the prospect of international claims or enforcement if problems arise in respect of their information.
What to take away
- All clubs, whether professional or amateur, should have a robust GDPR policy.
- Staff at all levels should receive comprehensive data protection training.
- If an incident occurs, it should be reported promptly to the relevant supervisory authority and, where required, to affected individuals. The report needs to reassure the regulator (and affected individuals) that, as far as possible, effective governance arrangements were in place before the incident occurred.
How can we help?
Capsticks advises on all aspects of the law relating to data subject rights – including handling complex requests for disclosure of records, legal claims and ICO complaints. We can also undertake health-checks on policies and provide training on this area. For more information on the above issues please contact Majid Hassan, Andrew Latham or Siwan Griffiths.