On 25th May 2018, a new Global Data Protection Regulation launched in the EU, significantly improving the control European citizens have over their personal data collected by third parties. While GDPR covers many complex areas around the collection, storage and transfer of personal data by third parties, the key topics normally highlighted when discussing this new regulation are that an individual must now provide consent before a third party collects data about them, and that the individual also has the right to request that the collected data be deleted at any point in time, as well as to revoke any prior consent given to collect personal data.
How does the new regulation affect sport organisations?
Like any other company in any industry, sport clubs and organisations also need to reassess the data they collect from their fans, volunteers, employees and any other member of the club. No organisation that collects and stores personal data of an EU citizen, even in sports, is exempt from the €20 million or 4% of yearly turnover fines if they are found noncompliant.
One of the biggest changes a club now needs to manage is around data collected from fans, often used to increase fan engagement and deliver marketing campaigns to grow the club's fan base. Like marketing departments in numerous organisations, clubs collect a wide variety of information about their customers, such as interests, personally identifiable data (PII), purchase history and any actions individuals take on websites and at physical events they attend, such as a football match. Clubs need to reevaluate the level of consent they receive to continue to store and collect all these data points about their fans and prospective supporters. Similarly, GDPR applies to the employer-employee relationship and data sharing. This means clubs will also require consent from players, coaches and members of staff.
Aside from evaluating their data management and applying new procedures, clubs will also need to be able to demonstrate compliance by updating and making public their data privacy policies and the new processes they put in place for GDPR. This includes clearly informing individuals how they can request their stored data, update it or remove it altogether, as well as the steps to follow to revoke consent if they wish to do so.
And how does it affect Sport Performance Analysis?
Player profiling is one of the key tasks of a performance analyst. It can involve either evaluating your own players' performance or assessing the players from the rival club the team will be facing in their next fixture. An analyst would gather data on the player's recent performances, strengths, weaknesses and playing styles to compile detailed reports to present to the coaching team.
In Article 22, GDPR tackles profiling directly, referring to it as building up a picture of the type of person someone is by evaluating certain personal aspects relating to a natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. However, the new legislation also specifies that consent is only necessary if automatic decision-making is applied based on this profiling, and only if such automatic decision-making creates any legal effects or significantly affects the individual in question. This means that the simple task of profiling should not require the consent of the individual unless sensitive personal data, such as health, race or other sensitive data, is collected during profiling.
This suggests that player profiling in sports can be interpreted as not requiring the player's consent. Firstly, decision-making based on profiling in this scenario is not automatic. Even though player profiles are collected to make decisions on tactics, training session preparation or recruitment, there is always an element of human review of such profiles, usually by the coaching team, which could rule out classifying these processes as "automated decision-making", as required for the GDPR guidelines to apply. Secondly, the profiling carried out by analysts should not have any legal effects or significantly affect the individual being profiled. The human intervention in reviewing these profiles also backs up this argument, as no "automatic" effects are generated by this activity.
There is, however, a counter-argument worth considering, and that is around the sensitive nature of the data used in profiling. Player profiling can include sensitive information about the player in question, particularly around his or her health. Injuries are bound to appear in a majority of player profiles generated by analysts, particularly if the goal is to optimize injury prevention. In such cases, the player is required to provide consent, as the profiling now contains sensitive data of that natural person. It is also worth considering the application of GDPR in the scouting of youth talent, where profiling is carried out by gathering data on minors and parental consent should be obtained. Data collected from minors cannot be considered as having a legitimate reason for gathering such information without prior consent.
Navigating the complex world of GDPR is undoubtedly challenging for many teams and analysts. However, it is important to know the scenarios when consent is required to produce a piece of analysis involving player data and when, as Article 6(f) states, there is a "legitimate reason" to collect data without consent. Nevertheless, while consent might not always be required, it is always important to evaluate the scope, transparency and long-term purpose of the profiling process before assuming no consent is required. This can include areas such as the player's right to decline having their data collected and to request the deletion of any previously collected data. One way or another, a performance analysis team now needs to consider the implementation of new processes around data management in their day-to-day roles.