GDPR And Sport: Make Sure That You're On The Ball!

Introduction

All but a slim minority of sporting bodies will be affected by the General Data Protection Regulation ("GDPR") on some level. Whether a governing body holding performance data, an anti-doping agency processing sensitive health records or a local club storing the addresses of junior members, sports organisations will have to comply with significantly altered obligations in respect of personal data.

And the stakes are high: the increased fines under the GDPR have been well-publicised; but perhaps less obviously, under the Code for Sports Governance sports organisations risk losing their public funding for non-compliance with applicable regulations (and Tier 3 funding requires governing bodies to demonstrate that they have appropriate policies and procedures for compliance).

In this article, we highlight some of the principal enforcement risks facing sporting bodies under the new regime described by the ICO as a "game-changer". We also consider how the GDPR might feed into existing facets of sports dispute resolution.

Enforcement risks

The scope for sporting bodies to become the subject of data protection enforcement is of course as wide as the obligations under the GDPR; and enforcement action against data processing organisations operating in the sports industry is just as likely to be driven by complaints from members, fans and athletes as on the initiative of the ICO.

The GDPR's principle of accountability places the burden on sporting bodies to demonstrate compliance. This will be of particular concern to international and national governing bodies who process personal data on an industrial scale. The message is clear that the ICO will have little sympathy for well-resourced data processors who, for example, fail to carry out data audits and risk registers to the requisite standard. And the new requirement to report data breaches within 72 hours could trip up sports organisations of any size.

International governing bodies may find themselves embroiled in EU data protection enforcement for the first time: the territorial scope of the GDPR extends to data controllers and processors monitoring the behaviour of data subjects within the EU irrespective of whether the controllers and processors are also established in member states.

The plethora of sporting bodies which hold special category data (formerly "sensitive personal data") are also at increased risk. For example, anti-doping agencies processing test results will need to...