As if GDPR weren’t complex enough, many sports organisations are wondering whether impending Brexit will further complicate their GDPR compliance efforts. The short answer appears to be yes. Brexit will certainly add another level of complexity.
What does this mean in reality? Failure to take action will mean sporting bodies could be be transfering data across borders illegally, risking large fines and criminal prosecution as well as reputional damage. This could also impact on future funding opportunites and cause job losses.
At present, sports organisations can freely transfer personal information such as names of athletes between Northern Ireland and their Irish counterparts as both countries are EU member states. At all times when personal data leaves the EU, the information is considered to have been sent to a ‘third country’. The EU has strict legal controls imposed to ensure the safety of the data when sent to a ‘third country. The UK will become a ‘third country’ after 29th March.
In a No-Deal Scenario the UK government has advised that there will be no change to any transfers of personal data from the UK to the EU post Brexit. However, the issue becomes complicated when personal data is been received by the UK from the EU.
For example, after 29th March the NI Sports Forum is able to freely send personal data to any affiliated club or organisation in the Republic of Ireland. However, issues will arise if those Irish affiliated clubs or organisations send personal data from the Republic of Ireland to NI Sports Forum without appropriate ‘safeguards’ in place.
The same safeguard requirement for transfer of personal data must be put in place regardless if a sports organisation is based in the Republic of Ireland and has affiliated clubs in Northern Ireland. For example, if a membership body has affiliated clubs in Ulster; Munster; Leinster and Connacht. they need to consider what safeguards are in place to lawfully transfer personal data post Brexit to Northern Ireland from the clubs in Munster; Leinster; Connacht and from their Ulster clubs in Cavan, Monaghan and Donegal.
What this means in practice is that in order to comply with GDPR rules, an Irish Sporting Organisation intending to transfer personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing. This can be done in a number of different ways, depending on the circumstances in which the data is to be transferred. One such way is the use of “Standard Contractual Clauses” and this is likely to be relevant to most Irish organisations that transfer personal data to the UK. Another such safeguard that Irish sports organisations may seek to rely upon is that of explicit consent. There are alternative safeguards that can be relied upon and advice should be sought when considering what lawful basis an Irish sporting organisation has to transfer personal data to any NI Sports organisation. It is important to flag that the onus is on the Irish organisation seeking to transfer the personal data to Northern Ireland to ensure appropriate safeguards are in place.
As with most Brexit related topics the future is unclear but best practice advice is to start preparing and implementing measures for a No-Deal scenario to ensure the continuity of free flow of data post Brexit.
Alicia McCrory, Barrister
Grant funding is available for specialist GDPR advice from Briefed. Please feel free to get in touch at firstname.lastname@example.org or 02890 446780