Data Protection Commission Reveals Findings from Irish Sports Clubs Survey

The Data Protection Commission recently issued a survey seeking responses from Irish sports clubs to understand the level of awareness of data privacy issues in the sports sector. Our Sports Law team reviews the results and sets out key steps for sports clubs to take to ensure compliance with their obligations under the GDPR.

The majority of sports clubs in Ireland now rely on, and use, technology for things like membership renewal, club lottos, player and management communications and in some cases, player performance data. At the beginning of 2024, the Data Protection Commission (DPC) issued a survey to over 100 sports clubs in Ireland. Clubs which came within the scope of the survey included those affiliated with rugby, the Ladies Gaelic Football Association (LGFA), the Gaelic Athletic Association (GAA), and football to assess data protection practices among those organisations.

Key findings

The key findings of the survey were as follows:

Use of personal devices

One-third of sports clubs reported that staff and volunteers use personal devices to manage and access club data. This trend raises concerns about compliance with the GDPR’s security and integrity obligations.

Inadequate procedures for data subject rights

More than half of the clubs lack procedures to handle subject access requests and other data subject rights under the GDPR, such as erasure or rectification.

Lack of data retention schedules

56% of clubs do not have a data retention schedule, leading to concerns about storing personal data longer than necessary.

Limited use of data protection impact assessments

Only 9% of clubs have conducted a data protection impact assessment (DPIA), despite the increasing use of performance analysis tools and wearable devices that collect player data.

Misclassification of performance data

While 56% of clubs claim not to collect special category health data, 39% collect performance data. Over time, performance data can qualify as health data related to athletes physical and mental well-being.

Absence of data protection policies

41% of clubs lack data protection policies which are essential for compliance with the GDPR.

The processing of player data has been the subject of debate, particularly in the United Kingdom. A large number of professional soccer players threatened legal action over the use of their data by gambling, gaming, and sports data companies. The DPC has recommended that sports clubs carry out a DPIA when introducing new technologies that process personal data e.g. wearable devices.

The DPC has also highlighted the need for sports clubs to:

• Recognise that performance data may be considered health data when collected over time as it relates to the physical and mental health of athletes

• Develop 'bring your own device' policies to ensure appropriate safeguards when personal devices are used for club activities

What steps can sports clubs take?

Sports clubs in Ireland must have a lawful basis for collecting and using personal data. They must provide players and members of the club with information regarding the processing of their personal data in a format that is:

• Concise
• Easily accessible
• Easy to understand, and
• In clear and plain language

There are a number of steps which sports clubs, whether voluntary or professional, can take to avoid falling foul of data protection laws. These include:

• Ensuring that the sports club’s privacy policy includes all the required information under the GDPR and that the information provided is clear and simple enough for players and members of different age groups to easily understand.
• Ensuring that the sports club has an appropriate lawful basis for collecting and processing special category health data.
• Documenting clear procedures for responding to subject access requests and other related requests and to facilitate the management of personal data breaches.
• Documenting standard retention periods for different categories of personal data and having a system in place to ensure the sports club keeps to these retention periods in practice.
• Ensuring that appropriate security measures are in place to protect against unlawful or unauthorised access to personal data.

Looking ahead, the DPC plans to collaborate with governing bodies and organisations promoting sports across Ireland to raise awareness and enhance understanding of data protection. The goal is to ensure that sports clubs are better equipped to protect personal data.

For more information and expert advice on ensuring your club is fully compliant with its obligations under the GDPR, please reach out to a member of our Sports Law team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.