1. What is GDPR, and does it affect you?
The General Data Protection Regulation or “GDPR” is a new set of data protection laws that will apply to everyone doing business in the EU from May 25, 2018 (including the UK, despite the UK’s decision to leave the EU in March 2019).
Regarding the provision of software products and services to European clubs, SportsEngine Motion is a “processor” and acts on instructions from the clubs, which are the “controllers.” Both clubs and SportsEngine Motion will have their own obligations under the GDPR, but the primary responsibility for the personal data collected and processed by controllers (including by third parties acting on their instructions) lies with the controllers. Below, we highlight the key changes in the new law for clubs and also explain how SportsEngine Motion can assist clubs with some of their controller GDPR obligations.
2. What are the key changes?
While data protection laws have been in place for decades, the GDPR introduces a number of significant changes that will affect our European club customers and SportsEngine Motion:
More obligations for clubs: GDPR builds on the existing data protection rules that apply to clubs and creates a number of additional obligations, including the need to ensure a greater level of transparency around where data is stored and how it is used (e.g., through website privacy policies), to have appropriate policies and procedures in place to deal with security and data breach notification, and to ensure contracts deal appropriately with data protection.
More detailed privacy notices and explicit consents (for health data): GDPR requires clubs to provide swimmers and members (i.e., swimmers’ parents/guardians and coaches) with more details about the clubs’ processing of their personal data. Online and offline privacy notices will need to be expanded to include details of the recipients of personal data (including club service providers), the data retention period, the fact that the individuals have rights under data protection law, and their right to complain to a regulator. Collection and processing of health and medical information (“special categories” of data under GDPR) will require explicit consent.
Broader rights for club members: GDPR enhances the existing rights of individuals over their personal data and also creates some new ones, which clubs will need to be able to deal with promptly.
Data Storage Limitation: Clubs can only keep data in a form that allows individuals to be identified for a specified period. This period must be set based on the purposes for which the data was collected (e.g., to manage club memberships, to organize specific events, to meet Swim England requirements) and, generally, must not be longer than necessary for those purposes.
Sanctions for non-compliance: GDPR introduces significant sanctions for non-compliance: fines of up to the greater of 4% of annual turnover or €20m.
3. What is SportsEngine Motion doing, and how can it help you?
In recognition of the serious compliance challenges posed by GDPR, we've been working hard not only to comply with GDPR requirements ourselves but also to be in a position to assist our European customers to do so:
Notice and Transparency
Under GDPR, European Clubs must explain to members, parents, coaches, and any other individuals whose personal information they collect (through and outside of the platform) how they use and share that information. Clubs also must obtain explicit consent from parents/legal guardians for any “special categories” of personal information of members they collect (e.g., information about swimmers’ allergies and medical conditions). SportsEngine Motion has prepared a template privacy notice, which each Club can adapt and present to members, parents, and coaches, as and where appropriate, to help them understand how the Club processes their data through the platform specifically. Each club will have the option to present its personalised privacy notice and to obtain and track consent to processing personal information (including special categories of data) through the platform.
However, clubs should note that the SportsEngine Motion template privacy notice must be supplemented with additional information to meet all of the GDPR’s increased transparency obligations. Clubs should, for example, also inform individuals—through the most appropriate online or offline communications channel—about any third parties with whom they share their data (of which SportsEngine Motion is one); the data retention period; the fact that the individuals have rights under data protection law; and their right to complain to a regulator. We strongly encourage clubs to seek specialist legal help about their broader website privacy policies. Clubs that host and operate their own websites (outside of the platform) will still need to review and update their website privacy policies to ensure that they meet the GDPR’s increased transparency obligations. See detailed guidance from the UK Information Commissioner’s Office (the ICO) here: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/.
GDPR-Compliant Contract Terms
Under the GDPR, there is a mutual obligation on clubs and SportsEngine Motion to ensure contracts contain a number of important mandatory terms around privacy and data protection. We have updated our Subscription Agreement to include the data processing language mandated by GDPR.
Individual Rights
GDPR grants individuals (e.g., members, parents, coaches) a broad range of rights over their data, including the right to access, rectify, and delete personal data (in certain circumstances). Clubs will need to be able to recognize such requests and address them within 30 days of receiving them. We have put in place the appropriate policies and procedures to make sure we are well placed to help. For example, clubs can easily download a swimmer’s profile data held in the system and provide a copy (in Excel format) to account holders/parents on request. Parents and club administrators with appropriate access privileges can also quickly access and correct personal data fields (except for data fields required for Swim England identification purposes, which cannot be amended). We are also developing new technology solutions, which we will be rolling out over the next few months to assist our club customers with individual rights requests. In the meantime, if you receive a request for data that you cannot provide, please contact the SportsEngine Motion support staff for assistance.
Security
Like you, we understand the importance of data security for your Club’s continued success. SportsEngine Motion takes a number of organizational and technological measures to ensure that our Club customer data receives the protection it deserves. These include appropriate access controls, staff training, data encryption, and logs management and auditing. We also have a cybersecurity team that reviews the data security practices of any third parties to which we outsource the processing of personal data. For more information on our data security practices, please contact customer support staff.
Data Storage Limitation
In the future, we are considering sending regular prompts to European clubs reminding them to delete or anonymise personal data they no longer need. This will help clubs comply with their controller obligations around data retention and also will significantly reduce the risk of personal data loss or misuse (e.g., by a club administrator inadvertently sending personal information to the wrong recipient or through a malicious hacker attack or theft).
Cross-border Data Transfers
European privacy law restricts the transfer of personal information outside of Europe without an appropriate data transfer mechanism (e.g., Standard Contractual Clauses, Privacy Shield for US companies, consent, Binding Corporate Rules). Because SportsEngine, Inc. is based in the United States, to help us and our Club customers comply with European cross-border data transfer rules, we have incorporated the European Commission’s Standard Contractual Clauses for processors into our updated subscription agreement. We may also, at times, engage non-European vendors to help us deliver the services you have requested from us (e.g., to relay emails). Where this is the case, we will adopt an appropriate data transfer mechanism to ensure that the personal data with which our club customers entrust us remains protected irrespective of location. To further demonstrate our commitment to privacy, we have transitioned European Clubs from our data storage facility in the United States to the Amazon Web Services data centre in Ireland.
Governance
SportsEngine Motion has in place a robust GDPR governance program. Key features include:
Implementation of a personal data breach management process to ensure that if something goes wrong, SportsEngine Motion is prepared to respond and assist clubs.
Development and rollout of training for all personnel with access to personal data.
Implementation of more detailed accountability and compliance practices, including audit procedures and processes, to ensure SportsEngine Motion’s compliance is monitored and adhered to continuously and to offer further reassurance to clubs.
4. Will SportsEngine Motion be appointing a Data Protection Officer (DPO)?
The GDPR only mandates the appointment of a DPO in specific circumstances. As we work closely with the privacy team at NBCUniversal (the company that indirectly owns our parent, SportsEngine, Inc.) and we are not strictly required to appoint a DPO under GDPR, we have decided not to do so at this time. We will continue monitoring the volume and types of personal data that we process for our European club customers and will revisit the need to appoint a DPO in the future.
5. Where can you find more information?
As you work on your GDPR compliance after May 25, 2018, you may find the following guidance from the UK’s data protection regulator (the Information Commissioner’s Office) helpful:
GDPR Compliance Self-Assessment (please select the checklist for “controllers”)
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
General Guidance
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Privacy Notices
https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/your-privacy-notice-checklist/
Individual Rights
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
If you have any further questions on our GDPR compliance program or our data processing and security practices, please do not hesitate to contact us.
Please note that we have prepared these FAQs to help our European Club Customers understand what we are doing to comply with GDPR and what we can do to help them. They are not a substitute for legal advice. We strongly recommend that Clubs obtain legal advice on this important topic.