It is now less than a year until the General Data Protection Regulation (“GDPR”) comes into effect (on 25 May 2018). In the UK, the ICO has issued guidance for businesses preparing for compliance with the GDPR, including a 12-step guide, published to mark the one-year countdown to the GDPR’s implementation.
Data represents a key asset for businesses in the sport sector, particularly with the increasing emphasis placed on factors such as fan and participant connectivity, meaning that the ownership, maintenance and growth of an extensive customer database often represents one of the most significant investments in a business.
One area of focus in the run-up to implementation of the GDPR has been the concept of consent as a lawful basis for data processing. Under the GDPR, consents will become harder to obtain. In broad terms, this is because the GDPR will require a significantly higher standard, namely clear, freely given, specific, informed and unambiguous consent from an individual to the processing of their personal data. Until now, businesses in the UK have been able to rely on implied consent and many substantial and valuable databases rely almost entirely on this process. However, once the GDPR comes into force, those consents will no longer provide a lawful basis for processing the underlying data. This means that, during the course of the next year, many businesses will need to begin considering factors such as:
- the extent to which their customer databases rely on implied consents;
- how they will go about refreshing / enhancing these consents where necessary;
- how they will achieve the necessary standard of consent in the future; and
- how they will evidence that they have obtained the necessary standard of consent.
In fact, the ICO has recently updated its 12-step guide on the issue of consent and recommends that businesses “refresh existing consents now if they don’t meet the GDPR standard” (emphasis added).
In view of this, many businesses will be asking “should I re-contact my entire database now?”
Businesses are rightly concerned by the prospect of their databases becoming devalued assets in the event that the consents on which they rely are invalidated. However, before beginning the (potentially mammoth) task of re-contacting an entire customer database at this stage, there are a number of important points to be considered; in particular, the evolving nature of the ICO’s guidance, as well as factors such as the new e-Privacy Directive, which may retain a ‘soft opt-in’ consent for email marketing of similar products and services within an existing customer relationship (an option which would prove beneficial to various sports organisations using customer databases for certain purposes).
For further guidance on the appropriate steps to take now to prepare for the GDPR, and factors which businesses should be considering at this stage, see our Global IP & Privacy Law blog.