Many of you will have woken this morning to see the story of British Airway’s giant £183 million fine from the Information Commissioner’s Office (ICO) for a data breach.
No, it wasn’t because they sent emails to customers who hadn’t opted-in (although I’m not making light of that matter), nor did they use wording on their forms that wasn’t clear enough (again, something we should be paying attention to).
It was because they had the data of 240K customers stolen last year – contact details and more importantly, credit card details – and while the thieves were the ones who committed this act, it was BA’s systems that allowed them to.
It’s Not Just About Opt-ins
While rights owners have been busy wringing our hands over whether or not we can show an opt-in status for our legacy data, and some unfortunate ones have been sending out emails asking fans to “opt in” without seeing the irony in that (you can’t email a fan asking them to opt-in because if you’re asking them to opt-in you don’t have the right to email them in the first place!) we may have forgotten about the “security principle”.
The security principle is the obligation for you to implement “appropriate technical and organisational measures” when it comes to processing data. And by the way, this isn’t new to GDPR – it was relevant under the EU Data Directive, it’s just the enormity of the new fines that’s drawing our attention to it now.
I wanted to highlight this case because when you consider where credit card details are generally stored in sports rights owner eco-systems, it’s with our partners, our ticketing providers and online store providers, it’s not usually within our own databases.
But here’s my question, we’re so busy asking our lawyers and our DPOs to check our opt-ins and our privacy policies, are we also asking them to interrogate our partners who hold our most valuable fan data?
Obligations of both Data Processor and Data Controller
We always advise our clients to ensure their contracts with third parties have a clause that not only place an obligation on their providers to operate within all relevant data legislation, but also to ensure that should they be found in breach and issued a fine, the partner is responsible for paying the rights owner’s share of the fine. This is because under GDPR – and this IS different to the EU Data Directive – in the case of a breach both the Data Controller (you, the rights owner) and the Data Processor (ticketing agencies, online store providers, etc.) are held responsible…..even if it’s actually their fault!
I think this fact has been missed by many rights owners – perhaps even by many businesses outside sport too – but it’s one we’re very attuned to. Indeed as we were working with a ticketing agency’s API last year we identified a process that could have caused a GDPR breach for one of our rights owner clients. We’d seen a misalignment in the quantities of data between our manual process and the integration during our test period so we kept running the manual process asking the ticketing agency to help us identify the issue. Unfortunately, this vendor didn’t take the issue seriously, so we had to keep running the manual process for 6 months until we finally reverse engineered the data feed and identified the error – the vendor’s API documentation was wrong, a data set was incorrectly labelled. And do you know what they did in response? Shrugged their shoulders!
OK so there was no harm done thanks to our commitment to finding the error and running a manual process until we did so, but I was staggered at the vendor’s response.
My point is, every rights owner reading his is no doubt using a third party in at least one area when it comes to the collection, storage and usage of data, so please, please, please place as much focus on their back-end systems and processes as you are their front end tick boxes and privacy policies.
Make your vendors accountable because if they breach with your fans, you may be held accountable.
Not only can the sports industry not afford a fine of the scale BA has incurred – we absolutely can’t afford the reputational damage.
Please contact me if you have any questions in this area – we don’t do security audits, but we can help you think about your next steps in this area.