Why Personal Data Protection is important?

In the context of technical developments which enable access and processing of unprecedented amount of data, the risks of spying, hacking, phishing and abusive usage of data significantly increased and requires a strong legal setup to ensure an adequate control of personal data and build trust and confidence with individuals.

Are you concerned by the GDPR?

GDPR applies to the processing of personal data of data subjects

Processing means: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration”

Personal Data means:  any information relating to an identified or identifiable individual include considerations on what is and what is not GDPR

Data subjects means: any individual concerned by the personal data being processed

GDPR Applies inside and outside EU Territory

“GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

• the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union
• the monitoring of their behaviour as far as their behaviour takes place within the Union.”

GDPR Background

The European Parliament on 14-April-2016 approved the GDPR which replaced the previous Data Protection Directive 95/46/EC.  The GDPR was designed to provide a harmonized framework for personal data protection rules across the EU.  Compliance enforcement under the GDRP is set to go into full force beginning May 25, 2018. Failure to comply with the GDPR can result in penalties of up to the greater of 4% of an organization’s annual worldwide turnover or €20 million.

To understand the basic dynamics of the GDPR framework, one must appreciate the roles of the following three players:

• Data Controllers (determine the purposes and means of the processing of personal data);
• Data Processors (processes personal data on behalf of the controller);
• Data Subjects (natural person whose personal data is processed).

However, in response to the perceived disparity in treatment between Data Processors and Data Controllers under the 95/46/EC directive, the GDPR removes many of these distinctions and impose obligations equally on both.

The GDPR sets forth seven specific rights for Data Subjects (individuals):

• the right to be informed
• the right of access
• the right to rectification
• the right to erasure (right to be forgotten)
• the right to restrict processing
• the right to data portability
• and the right to object

Each of the Data Subject rights need to be incorporated into an organization’s future business operations.

Part of this privacy by design requires data controllers and processors to adhere to the following principles:

• lawfulness
• fairness
• transparency
• purpose limitation
• data minimization
• accuracy
• storage limitation
• integrity and confidentiality

Another key aspect of the GDPR framework is the Consent requirement of the Data Subject, however, organizations will need to account for potential consent requirement differences between EU and other national law.

An additional consideration that organizations will need to incorporate into its existing security operations is that the requirement that data breach notifications must be made to a Data Protection Commissioner within a specified period of time from the first detection of a breach. This makes the data breach response action plan of paramount importance, covering not only the technical issues but also the communication issues. Given the global footprint of most International Federations, they will need to ensure that there is a response plan that accounts for the data breach requirements in each jurisdiction that they operate.

Consent

Data processing by sport organisation are often based on consent from the data subjects, and consent constrains have been strenghten with the GDPR.

Where relying on consent as the basis for lawful processing, ensure that:

• consent is active, and does not rely on silence, inactivity or pre-ticked boxes;
• consent to processing is distinguishable, clear, and is not “bundled” with other written agreements or declarations;
• supply of services is not made contingent on consent to processing which is not necessary for the service being supplied;
• data subjects are informed that they have the right to withdraw consent at any time but that this will not affect the lawfulness of processing based on consent before its withdrawal;
• there are simple methods for withdrawing consent, including methods using the same medium used to obtain consent in the first place;
• separate consents are obtained for distinct processing operations; and
• consent is not relied on where there is a clear imbalance between the data subject and the controller (especially if the controller is a public authority).

Recommended measures to take

Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR

Data audit

Data audit includes identification of data streams and retention time of data and dentification of sensitive data

Sensitive data

Sensitive data cover genetic, health and biometric data

There is also a broad ability for Member States to adduce new conditions (including limitations) regarding the processing of genetic, biometric or health data.

Specific limitations linked to the processing of sensitive data : Automated decision-taking based on sensitive data is further restricted. Decisions based on these types of data may only take place:

• with explicit consent; or
• where the processing is necessary for substantial public interest reasons and on the basis of Union or Member State law – which must include measures to protect the interests of the data subjects.
• Specifically, controllers must ensure that a PIA (Privacy Impact Assessment) has been run on any “high risk” processing activity before it is commenced – measured by reference to the risk of infringing a natural person’s rights and freedoms.
• Specifically, controllers must ensure that a PIA has been run on any “high risk” processing activity before it is commenced – measured by reference to the risk of infringing a natural person’s rights and freedoms.
• Obligation to appoint a DPO for organization whose core activities require large scale processing of sensitive data. Large scale is not clearly in the GDPR but it is mainly linked to the number of individuals affected and geographic extent of processing.
• Record of processing activities : Whilst an exemption from the record of processing activities applies to organisations employing fewer than 250 people this exemption will not apply where sensitive data are processed

Data streams

Includes audit existing supplier arrangements and update template RFP and procurement contracts to reflect the GDPR’s data processors obligations.

Retention time

One of the obligation of Data Controller or Data Processor is to inform individuals about the retention period of their data.  It is therefore key to implement adequate retention policies related to all categories of Personal Data processed.

Adapting process

Review processing notices, privacy policies and consent forms

Identify the lawful basis for the processing activities

Prepare for individuals to exercise their many rights.  See above the list of 7 rights of the individuals.  Most relevant in the case of sport organisations are the following :

Right to erasure

This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?

Right to data portability

The right to data portability is new. It only applies:

• to personal data an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract;
• and when processing is carried out by automated means.

You need to check if your data and associated meta data can easily be exported in structured, machine-readable formats so that it may be transferred by the data subject to another data controller without hindrance.

Look for industry initiatives to develop interoperable formats.

Right of access

The principle of “fair and transparent” processing means that the controller must provide information to individuals about its processing of their data.

You will have a month to comply, to a request to access.You can refuse or charge for requests that are manifestly unfounded or excessive.

If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.

If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.

In most cases you will not be able to charge for complying with a request.

Right to object

There are rights for individuals to object to specific types of processing:

Direct marketing : The right to object to direct marketing is absolute (i.e no need to demonstrate grounds for objecting, no exemptions which allow processing to continue)

Processing for research of statistical purpose.  In the case of data collection for Scientific/historical/statistic purposes, there is an exception to the right to object where the processing is necessary for the performance of a task carried out for reasons of public interest.

There are obligations to notify individuals of these rights at an early stage, clearly and separately from other information

Online services must offer an automated method of objecting.

Data security measures

• Train and make staff aware of data protection issues
• Review IT measures (encryption, fire walls, passwords, regular backup)
• Consider appointing a Data Protection Officer (DPO) if engaged in high-risk activities
• Adopt Privacy by Design and by Default approach
• Carry out Data Protection Impact assessment

An additional consideration that organizations will need to incorporate into its existing security operations is that the requirement that data breach notifications must be made to the Data Protection Commissioner within a specified period of time from the first detection of a breach. This makes the data breach response action plan of paramount importance, covering not only the technical issues but also the communication issues. Given the global footprint of most International Federations, they will need to ensure that there is a response plan that accounts for the data breach requirements in each jurisdiction that they operate.

Data Breach

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

The GDPR introduces a duty on all organisations to report certain types of data breach to their controlling authority, and in some cases, to individuals. You only have to notify controlling authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases.

You should put procedures in place to effectively detect, report and investigate a personal data breach. You may wish to assess the types of personal data you hold and document where you would be required to notify your controlling authority or affected individuals if a breach occurred. Larger organisations will need to develop policies and procedures for managing data breaches. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.

A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:

• where a new technology is being deployed;
• where a profiling operation is likely to significantly affect individuals; or
• where there is processing on a large scale of the special categories of data.
• If a DPIA indicates that the data processing is high risk, and you cannot sufficiently address those risks, you will be required to consult the controlling authority to seek its opinion as to whether the processing operation complies with the GDPR.

You should therefore start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?

Record processing activities

• Build up and gather documentation in order to demonstrate compliance with GDPR
• Determine appropriate retention period

Data protection officer

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.

You should consider whether you are required to formally designate a Data Protection Officer (DPO). You must designate a DPO if you are:

• a public authority (except for courts acting in their judicial capacity);
• an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
• an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions. The Article 29 Working Party has produced guidance for organisations on the designation, position and tasks of DPOs.
• It is most important that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out their role effectively.