At the end of last week, the General Data Protection Regulation, or GDPR, went into effect. And while it’s a term that might make some planners’ eyes glaze over, it’s not something that can be ignored, particularly as the sports travel economy continues to grow.
The GDPR is a regulation in European Union (EU) law governing data protection and privacy for all individuals within the EU. Read on through some Frequently Asked Questions (FAQs) to learn the essentials.
What is the GDPR? The GDPR is major new piece of European regulation that addresses how EU citizens' personal electronically- held data can be used by corporations. At its heart, it introduces strict new rules about gaining people's consent to process their data. The GDPR furnishes Europeans with a number of additional rights when it comes to their data.
If I’m in the U.S., why should I worry about it? Because the GDPR also addresses the export of personal data outside the EU. Nobody needs to tell us that sports business has become its own global economy, with athletes and personnel from the EU coming in for everything from Boston-qualifying marathons to youth soccer tournaments.
What changes will I see and will I see them any time soon? You're probably already seeing them. You may have noticed an uptick in the number of e-mails from other organizations, noting "We care about your privacy" and discussing the way your computer records are being handled. One example follows:
GDPR COMPLIANCE: If you do not want to continue to receive press releases about (subject), please unsubscribe using the link below, and you will be removed from our mailing lists. You can also reply "unsubscribe" to this message, and we will take care of it.
What does this change in terms of the way we do business with our events? According to Business Insider, GDPR furnishes Europeans with a number of additional rights when it comes to their data. Companies need to ask customers for their data in a clear and accessible way. Those customers will have the right to demand organizations delete their data when asked. They will be able to ask for information on how and why their data is being processed. They will also be able to request copies of their data in a machine-readable format so they can take it elsewhere. And (take note, everyone), if a company that holds their data realizes it has been breached, it must, in some circumstances, inform people within 72 hours.
What kind of data are we talking about here? That’s part of why the GDPR is such serious business. The scope of data covered includes not just e-mail addresses, phone numbers, credit card information and the like, but personal data – birthdates, fingerprints and more.
We don’t have an office – or even any employees – overseas. Does it still affect us? Yes, as long as your organization handles the information of any athlete, team or other personnel in Europe. As Business Insider notes, “even if a company has no offices in Europe, and its employees have never set foot on the continent — if they've got EU data, they've got to play by EU rules now.”
What happens if we’re in violation? This is the other part of why it’s especially important: Those who fail to comply with the GDPR can receive heavy fines – and that includes companies in the U.S.
So what should we do right away? Many organizations with mailing lists of potential athletes and teams are asking European users for permission to keep e-mailing them. Conducting a regular audit or review of your data and your procedures for storing and deleting it is also going to become necessary. This document (published in Britain) includes some helpful hints.
Should we hire a consultant or a lawyer? It’s generally a good idea to have data policies audited and reviewed periodically. Depending on your company, this review may already be something that is regularly conducted, either internally or externally.
And (as expected), plenty of experts are benefitting from it: According to Reuters, “the cottage industry that has developed around GDPR includes lawyers who advise on compliance, cyber security consultants, and software developers that help firms conduct painstaking inventories of vast amounts of data to identify and index information so it can be made available to Europeans at their request. New York legal services firm Axiom, for example, told Reuters it had more than 200 data privacy lawyers working on GDPR projects - about a sixth of all its lawyers. It said it would hire over 100 more staff this year to deal with GDPR and also create training programs so that more of its lawyers would be qualified to work on those types of projects.”
And that, according to Reuters, means people will have to be vigilant about checking the credentials of prospective consultants – since there may be many who simply jump on the bandwagon.
“Everyone is claiming now to be a GDPR expert because they can see that there is very strong demand and everyone is scrambling,” said Paul Lanois, an attorney with a large publicly traded international bank in Europe, adding that he checks consultants’ resumes for experience dealing with European regulators before bringing them on board. “You have to vet them otherwise you get any Tom, Dick or Harry saying they’re a GDPR expert,” Lanois said.
I just learned about this. How can I keep up? Lanois said there was an “overwhelming amount” of companies that were completely unprepared for the new regulations. “They’ve just noticed GDPR and are now freaking out,” he added. “Those who are already fully compliant, and there’s a few of them, those are the lucky few.”
SDM will continue to follow this developing issue.