
GDPR: Defence Is The Best Form Of Attack

03 May 2018 | tshego

As the build up continues to 25th May, Tom Quy of Miller Insurance Services LLP addresses how sport is exposed to the new GDPR regulations…


Data has become the lifeblood of the sports sector and the ability to collect, store and utilise data is central to commercial and administrative operations, from Real Madrid to community rugby clubs and all points in between.

But from 25th May clubs, governing bodies, event managers and promoters who rely so heavily on the data they hold about fans, athletes and the people who work for and with them, come under new obligations covering the way they store and manage that data. And they face potentially ruinous penalties if they fail to comply.

Tackling GDPR

The new EU General Data Protection Regulation applies to every organisation which holds or controls data within the EU and, in some cases, organisations outside the EU that hold or control data relating to EU residents. The regulation is designed to ensure personal data held by commercial and other organisations is secure and gives people stronger rights with regard to how their data should be processed and access to information held about them.

There are wide ranging implications at every level of the sports industry. At the very top, the financial juggernauts of world football are increasingly reliant on data-based marketing and sales to create new revenue streams to supplement those from television rights and ticket sales. 

In fact, Real Madrid CEO Jose Angel Sanchez once described the ability to acquire, process and monetise data as ‘a complete disruption of the established business model of football’ and while Madrid may have been among the leaders, clubs across all sports are increasingly reliant on data for revenue. Data is a valuable commodity which the law says must be better protected.

And while the billionaires of Madrid may seem a million miles from community sports teams or national federations, the same new rules apply. If you hold personal data to organise events or teams you could face significant fines – up to €20 million or 4 per cent of worldwide turnover – if the new regulation is ignored.

Central to GDPR are the principles of transparency, consent and security. An organisation is obliged to ensure that a person understands clearly how their data will be handled and processed and, in a number of cases, will need to provide the organisation with consent to do so. The organisation must ensure that the data is not used for any other purpose. GDPR also allows people to withdraw their data at any time, referred to as ‘the right to be forgotten’. Critically, it also obliges organisations to take steps to ensure the security of data to avoid breaches which, in spectacular recent cases, have seen personal information, including bank details, leaked, leaving the individuals concerned prey to criminals.

The data an organisation holds can be vulnerable on a number of fronts. While criminal hacking of data tends to attract most of the headlines, less publicised data breaches happen regularly and often unintentionally. A laptop or memory stick left on a train or in a coffee shop could lead to a serious breach while disgruntled or avaricious employees are another potential weak link in the security chain. Then, of course, there is always the potential for basic human error in the form of data sent to unintended third parties by mistake.

GDPR makes it essential for every organisation to have a clearly understood and implemented Data Protection Policy, to develop a Response Plan in the event of a breach and, in some cases, to appoint a Data Protection Officer.

AVOIDING AN OPEN GOAL

It is worth considering that while the fines possible under GDPR are scary, failing to keep data secure could leave an organisation open to significant financial claims from those whose data have been exposed and potentially misused. Inevitably, that could result in significant legal costs on top of the PR costs associated with handling the reputational damage arising from a breach and any fine that may be imposed.

While establishing clear policies and carrying out regular Data Protection Audits are a sensible line of defence and will help mitigate the financial fallout of a serious breach, insurance also offers options for sports organisations that become victims of a data breach, as cyber policies can cover legal and other associated recovery costs.

Cyber insurance will typically indemnify:

• The cost of hiring IT forensic, legal and PR consultants.

• The cost of notifying individuals, such as letters, call centres and credit monitoring services.

• Third-party liability, including defence costs, settlements and judgements.

• Regulatory action costs, including defence and investigatory costs as well as penalties (where insurable by law).

Cyber insurance can also assist companies by providing data breach response services that kick in once a breach is discovered. Many insurers offer policies that give organisations instant access to the expert services that are critical when dealing with a data breach and notifying the regulator and individuals.

Notes on the author

Tom Quy is a cyber insurance specialist and leads Miller Insurance Services' international cyber strategy. Contact Tom directly or one of the Sports and Entertainment team at Miller to discuss the subject further. The team also arranges access to a wide range of cover, so whatever your needs are, the team can find the right contact for you.
