Even though it’s now been with us for three years (or five if you think about when we first knew the detail of it), I thought now would be a good time to provide a GDPR overview.
Do you remember when we thought Y2K, the Millennium Bug, would cause planes to fall from the sky, power stations to meltdown, and computers to stop working? We were all convinced that when midnight passed on New Year’s Eve 1999, it would be Armageddon.
How many of you thought the same as we got closer to 25th May 2018? How many of you went through a process of clearing out your email marketing lists because you couldn’t prove they’d opted in, even though you’d been emailing them for years or months? And how many of you appointed vastly expensive lawyers to help you do that? OK, so the headline threat of fines of up to €20 million or 4% of global turnover (whichever is the greater) was bound to send some people into a tailspin, so if you were one of those rights owners that decimated your marketing lists, you might like this post: Can you recover your lost email opt-ins?
GDPR fines – as of 28th January 2021, Source: https://dataprivacymanager.net/
But fast forward to the first quarter of 2021 and I think it’s fair to say things have settled down a bit. We’ve got our policies in place, we’ve got a handle on where our data is, who has access to it, what quantities we have, and how we’re using it. We’ve documented our processes so that, should there be a data breach, a customer wants to know what data we hold on them, or a fan wants to know why we’re emailing them, we can deal with the situation with confidence.
Are you not quite there yet and need a refresher? Carry on reading and I’ll revisit some key discussion areas.
Data Controller or Data Processor?
At this point let’s clarify one point – you, as a rights owner, as a sports club, team, league, event, governing body, or federation – should always be the data controller when it comes to your fans, participants, customers, staff, etc. Your third parties – your ticketing agencies, online store provider, athlete registration platform, etc. – should be your data processors. If you’ve yet to ensure that position in your vendor contracts, please start looking at it the minute you finish reading this post – it can make a big difference to your access to, and usage of, YOUR customer data.
What is the General Data Protection Regulation?
The General Data Protection Regulation 2016/679 is the regulation in EU law on data protection and privacy in the European Union and the European Economic Area (“EEA”). It also addresses the transfer of personal data outside the EU and EEA areas and is commonly referred to as the GDPR (although I’ve often heard people mention “that four letter word” …)
It came about after the European Commission, in 2012, listed its key priorities for a “Europe fit for the digital age”. Within this, it referred to a data strategy that called for the creation of a “single European data space”, which needed a framework that could be applied to all member states.
Who is Subject to the GDPR?
The focus of the GDPR is not just the organisations that operate in the 31 countries that collectively make up the EU and EEA. The GDPR was written with the residents of the EU in mind, not the businesses. This means it’s not just sports rights owners who operate in this territory that need to be concerned with this legislation; it’s any rights owner who provides and offers services to residents of the EU and EEA, regardless of where their business is located.
This is distinctly different from the Data Protection Directive, considered the “precursor” to the GDPR. Under the previous legislation the rules applied according to the organisation’s location; under the GDPR we must think about the location of our data subjects.
In layman’s terms, when the NFL is pro-actively trying to sell their Game Pass to me here in the UK, they must follow the GDPR. When they’re selling to fans in the US, they follow state-level legislation, or the CCPA (California Consumer Privacy Act) which provides the highest level of protection and rigour. However, note this is different to someone incidentally purchasing, or entering a competition, signing up for a newsletter, etc., who happens to be outside your territory. If the NFL were not specifically trying to sell to the UK and I could purchase via their US site, they would not be expected to implement the GDPR to accommodate me.
Requirements of the GDPR
The full text of the GDPR runs to 260 A4 pages, admittedly with double line spacing. This is way outside the 2,100-word count limit I’ve been given for this post so I’m just going to focus on some specific rights of “the data subject” and your GDPR requirements.
Whether a fan, ticket buyer, shop customer, web visitor, player/athlete, coach, referee, volunteer, member of staff, sponsor, or any other individual whose data you hold in any of your systems, each of these individuals has the following rights:
- Consent – the principle that most of us must deal with, the right to consent for data to be processed. This is directly linked to the most common area of discussion: marketing opt-ins.
- Information disclosure – such as the way you use data and how you process it, whether for communication, profiling or other decision-making.
- Access – giving people access to their own data, including confirmation that their information is being processed and any other supplementary information you may have about them.
- Correction – correction if the information you have about individuals is wrong or incomplete. You would want to see this in place, regardless of the GDPR, as inaccurate data is no good to your business.
- Restriction of processing – the potential to block you from doing any further processing, although you could retain the existing information you have. This is an interesting one for me and aligns with my mantra that ‘no data should be thrown away’ because it all provides valuable insight. For example, just because a fan unsubscribes from receiving your emails it doesn’t mean the information you have about them has no further use. Any profiling you’ve conducted up to that point can still be used in your BI strategy.
Looking After Children
Unlike the Data Protection Directive, the GDPR applies specific provisions that are intended to enhance the protection of children’s personal data. The general rule is that the consent obligations apply to a person under the age of 16: such a person cannot give consent themselves, so consent must instead be secured from a person holding parental responsibility. However, it’s important to note that each EU member state is permitted to lower that age, provided it is not below 13. The following is a list of the lowest age of consent across the GDPR-relevant territories, as of March 2021:
- 13 years of age: Belgium, Denmark, Estonia, Finland, Iceland, Latvia, Malta, Norway, Portugal, Sweden, UK.
- 14 years of age: Austria, Bulgaria, Cyprus, Italy, Lithuania, Spain.
- 15 years of age: Czech Republic, France, Greece.
- 16 years of age: Croatia, Germany, Greece, Hungary, Ireland, Liechtenstein, Luxembourg, Netherlands, Poland, Romania, Slovakia, Slovenia.

Minimum age of consent in EU territories, plus UK.
It’s also important to highlight the obligation to report data breaches; I’m sure you’ve heard about the €20 million maximum fine. You can read more about that in this post: Data Breach Fine of £183 mn for BA – what does it mean for #SportsBiz? The same obligation applies to a major hack of your security systems. While your IT teams will no doubt have processes in place to deal with the incidents they encounter, your marketing teams should have the same.
Data Protection Officer
I’ll highlight one final point here because it’s one that’s often misinterpreted: the need for a Data Protection Officer (DPO).
According to the GDPR, there are three bases under which this would be the case. If you don’t fit within any of these use cases, you don’t need one by law:
1) Processing is carried out by a public authority.
2) Your processing operations require regular and systematic processing of data subjects on a large scale (note that there is no definition of ‘large scale’ here).
3) Your core activities relate to a large quantity of sensitive data or data relating to criminal convictions or offences.
On this last point, rights owners that are responsible for athlete registration may fall into this category if your records include health and medical information. For this reason, many of you may decide it’s prudent to appoint a DPO as a precaution.
Note: these are not the only GDPR requirements to think about, but they’re a good place to start. And let’s face it, this is quite a lot to be getting on with. So, now let’s look at some things you can do to ensure you’re GDPR compliant in certain areas.
Steps to Ensure GDPR Compliance
It’s universally accepted that sports rights owners generally operate with a leaner office and business staff than most companies of comparable size. So, when it came to implementing new, or improving existing, data-related processes in order to demonstrate GDPR accountability and compliance, it has been a challenge for the sports industry. One of the key messages I want to give to anyone who has not yet addressed this is: don’t panic, but do start moving. To avoid being one of the rights owners handed a data breach fine, or even a complaint, you will need to implement a pragmatic approach to ensuring GDPR compliance.
- You need to be using a clear opt-in to send marketing messages, or you need to take advantage of the PECR soft opt-in. You can read more about that in our post YES you can use an opt-out instead of an opt-in!
A catch-all statement of what you really need to do is: create a data governance framework. And, if you’re using data to quite an advanced level, we recommend you put together a data governance committee. The article 5 steps to sustainable GDPR compliance by Olivier Penel of SAS talks more about governance and provides a useful video, particularly for any US-based readers.
UK Data Protection Post-Brexit
Even though the UK is no longer part of the EU nor the EEA we will continue to operate under the core data protection principles, rights, and obligations of the GDPR. Specifically, the GDPR has been incorporated into UK data protection law as the UK GDPR.
There are some specific provisions around the transfer of data to and from the EU and EEA that are still being discussed, but for now nothing changes. I recommend that anyone operating in the UK, or indeed targeting customers in the UK, registers for news and updates from the Information Commissioner’s Office, our data protection authority. In fact, regardless of which country you’re based in, if your local data protection authority provides a newsletter service, sign up for it: you’ll get updates on items such as changes to local legislation and fines that have been issued. It also serves as a handy reminder that we should always be thinking about data legislation!
Here are three frequently asked questions about the GDPR:
1) What does GDPR stand for?
GDPR stands for the General Data Protection Regulation 2016/679. It is the regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. Even though the UK is no longer in the EU, we are following the core principles, tailored by the Data Protection Act 2018.
2) When did GDPR become law?
The GDPR came into effect for EU and EEA territories on 25th May 2018.
3) Who is responsible for enforcing the GDPR?
The GDPR is enforced by the European Data Protection Board, which consists of the head of each national Data Protection Authority along with the European Data Protection Supervisor and the European Commission. The Board works in collaboration with each national Data Protection Authority. Internally, each organisation or rights owner should also identify an individual or group with responsibility for enforcing the GDPR. This is where a Data Protection Officer or Data Governance Committee steps in, but in the absence of either of those, a member of the senior management team should be the point person.
So, you’ve just read a GDPR overview and now I’m hitting you with something else! The next thing we must prepare for is an amendment to the Privacy and Electronic Communications (EC Directive) Regulations 2003, ‘the e-privacy Directive’. This sits alongside the GDPR and sets out more specific privacy rights in relation to electronic communications, including SMS marketing, push mobile app messaging, and email. The EU is in the process of drafting a new e-privacy Regulation (ePR) that will sit alongside the EU version of the GDPR. As with the GDPR, once the new legislation has been finalised, we’ll have two years to prepare for its full enforcement. When that time comes, please get in touch with Winners – we’d love to help.