Author: Fiona Green | read time: 6 min
SPORTO’s readers who have seen Manchester United’s “Stay United” campaign know that one of the key differences under GDPR, when it comes to fan engagement, is that express consent must be given through a clear opt-in, as opposed to implied opt-ins that were deemed permissible under the previous legislation.
While GDPR compliance is enforceable as of 25 May 2018, that does not necessarily mean that every organization will be fully compliant the day after the regulation comes into force. However, it is expected that the right processes will be underway and that work towards GDPR compliance can be demonstrated.
In addition to the slow evolution process in the field of data compliance, there are many grey areas with respect to the GDPR and solutions will only be discovered through the application of case law. An important question that has not yet been answered concerns legacy data – that is, the information you currently hold. For example, anyone who previously opted in for communications under the previously accepted soft opt-in can continue to receive messages under the GDPR, but what about profiling the data and using it for retargeting? So much of what we do now – specifically, list retargeting – was not around when we first started using email, so what do we have to do to use these records in this way?
The change that it took for the subject to get the attention of even the most data-weary management teams is the scope of potential fines. Under the EU Data Directive (the legislation replaced by the GDPR), the maximum fine was about €500,000, but after 25 May, this will be increased to €20 million or 4% of the turnover, whichever is greater.
Another major change that is important for rights owners to understand is that under the previous legislation, only the data controller was considered liable for data breaches. The data controller is the person or organisation that determines the purposes and the way in which any personal data is processed and used. Under the GDPR, however, both the controller and the data processor (any person or organisation processing data on behalf of the data controller – subject to the specific nature of the commercial and vendor agreements you enter into, this will largely be your service supplier) are jointly liable. Both could receive a fine.
If you are reading this and realizing that you still have not done anything about it, there is no need to panic. But do start moving things along. What follows is a snapshot of some key articles that rights owners need to be aware of when it comes to the rights of their ‘data subjects.’ Whether a fan, ticket buyer, shop customer, web visitor, player/athlete, coach, referee, volunteer, staff member, sponsor or any other entity whose data you hold in any of your systems, each of these individuals has the rights listed below. Note that the list is not exhaustive:
- Information disclosure – the way data is used and processed, whether for communication, profiling or other decision-making.
- Access – users’ access to their own data, including confirmation that their information is processed and any other additional information concerning them.
- Correction – correction of any incorrect or incomplete information concerning users. In reality, this should be in place regardless of the GDPR, as inaccurate data is not good for business.
- Restriction of processing – the possibility of blocking any further processing, although existing information may be retained.
The last one is an interesting one for me and aligns with my mantra that ‘no data should be thrown away,’ because it can provide valuable insight. For example, just because a fan unsubscribes from receiving your emails, that does not mean the information you have about them has no further use. Any profiling you have conducted up to that point can still be used in your business intelligence strategy.
It is also very important that rights owners put internal processes in place to ensure GDPR compliance. It is not all about the way you interact with your fans – there are obligations to the local data regulation authority that must be respected, such as reporting a security breach, taking care of children and appointing a data protection officer.
Rather than approaching the GDPR with fear, I have been advising organisations to conjure up enthusiasm for the benefits it will create: better systems and processes to support our customers and fans, a clearer set of guidelines for rights owners crossing borders, and a greater understanding of local data regulations.
Fiona Green is the Director of Winners, a CRM, data and analytics consultancy that uses data to increase revenue, participation and engagement in the sports industry. You can read more about the topic in Fiona Green’s forthcoming book “Winning with Data: CRM and Analytics in the Business of Sports.”
The column was first published in SPORTO Magazine No. 11 (May 2018).