The answer to many GDPR queries may have to wait for case law before we get real clarification on the implications for rights owners. But, to avoid being one of the parties referenced in case law, you will need to ensure you have already implemented a pragmatic approach to ensuring GDPR compliance. If you’re reading this with the realisation that you still haven’t done anything to prepare for GDPR, don’t panic. But do start moving.
Here are some of the key articles that rights owners need to be aware of. Please note, this list is not exhaustive:
The Rights of the Data Subject
Whether a fan, ticket buyer, shop customer, web visitor, player/athlete, coach, referee, volunteer, member of staff, sponsor or any other entity whose data you hold in any of your systems, each of these individuals has the following rights:
• Information disclosure – such as the way you use data and how you process it, whether for communication, profiling or other decision-making.
• Access – giving people access to their own data, including confirmation that their information is being processed and any other supplementary information you may have about them.
• Correction – correcting the information you hold about individuals if it is wrong or incomplete. In reality, you would want this in place regardless of the GDPR, as inaccurate data is no good for your business.
• Restriction of processing – the potential to block you from doing any further processing, although you could retain the existing information you have. This is an interesting one for me and aligns with my mantra that ‘no data should be thrown away’ because it all provides valuable insight. For example, just because a fan unsubscribes from receiving your emails it doesn’t mean the information you have about them has no further use. Any profiling you’ve conducted up to that point can still be used in your BI strategy.
Your Obligation to Report Security Breaches
The GDPR places an obligation on you to report any breaches that are likely to result in harm to your data subjects. We’ve all read stories in the news of laptops being lost or stolen that contain sensitive information, such as the Nationwide Building Society fine reported in February 2007 where a laptop that contained sensitive customer data was stolen from an employee’s home (BBC News, 2007). You shouldn’t be carrying any fan data on your laptop, but if you do and it’s lost or stolen, you have an obligation to report it to your local enforcement agency. This is the same obligation that applies to a major hack in your security systems. With this in mind, while your IT teams will no doubt have processes in place to deal with issues they encounter, your marketing teams should have the same.
Need For a Data Protection Officer
It’s important to assess whether you need a DPO. According to the GDPR, there are three bases under which this would be the case. Do you fit under any of these?
1) Processing is carried out by a public authority.
2) Your processing operations require regular and systematic processing of data subjects on a large scale (note that there is no definition of ‘large scale’ here).
3) Your core activities relate to a large quantity of sensitive data or data relating to criminal convictions or offences.
On this last point, rights owners that are responsible for athlete registration may fall into this category if your records include health and medical information. For this reason, many of you may decide it’s prudent to appoint a DPO as a precaution.
Looking After Children
Like the EU Data Directive, the GDPR applies specific provisions that are intended to enhance the protection of children’s personal data. The general ruling is that consent obligations apply to a person under the age of 16. In this case, they cannot give consent themselves. Instead, consent must be secured from a person holding parental responsibility. However, it’s important to note that each EU member state is permitted to lower that age as long as it’s not below 13.
Second Party Data and Third-Party Opt-ins
Second-party data traditionally comes from customers of your partners (sponsors, ticketing and merchandise agents) who in Europe have ticked the ‘third-party opt-in’ box. It’s your ticketing agents or your sponsors’ first-party data, i.e. their customers who have said their data can be shared with you.
On this point, the GDPR is relevant. While your third parties, specifically your sponsors, ticketing and online store providers can assist with the growth of your databases, both from a quantity and quality standpoint, it’s important they have ensured the relevant opt-ins are in place in their processes before transferring the applicable data to you. This includes an opt-in for the data to be used by you for communication purposes, but also for profiling purposes.
When you work with your third parties to acquire their data (which is classed as second-party data) it’s important you do so with full sight of the relevant opt-in. Ensure the processes your partners used are GDPR-compliant, asking for proof if necessary, including the request that when they send you the applicable database, you can see a field that shows a clear opt-in. Without this understanding and proof of provenance, you could leave yourself exposed if your partners have not used the appropriate processes and your data subjects make a complaint.
This excerpt is an exclusive preview from our upcoming publication ‘Winning With Data: CRM and Analytics for the Sports Industry’.