Enabling business growth through technology and people transformation in the sports & entertainment industry

The PTI Q&A | Data breach, GDPR and what this means for clubs and venues

With Michelle Owen (Sky Sports Presenter), Adrian Jolly (Lead DPO Consultant) and Daniel Brown (Lead Data Monetization Consultant)

Michelle
Let’s take a look at the recent high-profile cases of data breaches and what it could mean for football clubs in the UK.

We’ve seen British Airways receive a record fine of £183m due to a third-party breach where 500k customers’ personal data was stolen. We have also seen a data breach at the international hotel chain Marriott, which has resulted in a fine of £88m by the Information Commissioner’s Office (ICO), because records of 339m guests were stolen. Moving into the sporting world, we have seen La Liga in Spain being fined €250k because its official app activated users’ smartphone microphones and location to monitor usage in an attempt to try and protect against piracy.

So, some real-world examples of GDPR (General Data Protection Regulation) coming into effect…what could this mean for UK clubs and venue owners?

Adrian
The ICO has now stood up and said that, as a data controller (which these organisations are in those cases), they own the data, and even if they give this out to a third party they still own the responsibility as the data owner. So, if you are a club you have an obligation to understand how your data is managed, and if you have outsourced some of this to a third party (ticketing provider or CRM solution) you need to understand and be fully comfortable with how this data is being managed by these outside organisations.

Michelle
Dan, can you shed some light on how this came about? Especially around the British Airways breach, as this wasn’t as clear-cut as initially thought on first view?

Dan
The BA example is incredibly interesting as it was a breach via a third party. The BA app, developed and managed by a 3rd party, had been hacked and the hacker had installed a fake page which had then been able to glean off the credit card details of the users, and this continued for many weeks without being detected. So, what this means is that you can feel like you have all the GDPR processes in place, but you then have to look at all your suppliers and partners to ensure that they have also been as diligent with their own processes.

Michelle
This must be a huge wake-up call for all organisations with huge customer contact databases?

Adrian
The fan base for most of the top clubs in the UK will go into the hundreds of thousands, possibly millions, who may be on the system at some form of level. So, clubs need to wake up and think about how secure this data is, and the BA example teaches us that we need to think about the partners they are working with and whether they are following the right process. The size of the BA fine is certainly around the fact the hackers were harvesting data for weeks, undetected, so you need to know what your IT capability is to identify when you have been hacked and what action you are taking to protect against these issues as early as possible.

Michelle
So, what can clubs do to make the most of their data, without worrying about being hacked and fined further down the line?

Dan
So, whilst these fines are huge and quite scary, as long as you are confident that you are clear, up front and honest about how you are capturing data and why, this will ensure that your customers will know the rationale on why their data is being used. Not all your customers will be lawyers, so just be clear and simple with your data policy and the language you use for this.

Michelle
How do clubs and venues ensure that they are completely compliant with GDPR guidelines?

Adrian
I’d always start with performing a holistic review on where you are. If you have made processes and policies that are now some years old, you need to take a fresh look at how these are working today. So, you need to understand where your data is and how you control it, and you back that up with defined procedures. Clearly there is always a need for an independent view on things, and as such the role of the DPO (data protection officer) is to oversee the whole area and then sometimes ask those difficult questions that senior management might not always want to hear.

Michelle
Do you have any interesting or shocking stories from clubs or venues that you can share?

Adrian
Plenty. In the run-up to GDPR there were a lot of consultants out there who were simply selling stories about what was going to happen; some were just copying policies from one organisation to pass across to another one. Some clubs had policies that still had sections in the privacy policy that said ‘Insert Here’, where the consultant had not even bothered to update the name of the club in the policy. There were cases of data breach policy communication being an optional extra, which is totally wrong…the fact is you have 72 hours to tell the regulator.

Michelle
So, it could be viewed as one big scary area, but this can be viewed as a really positive opportunity if clubs get this right?

Dan
Yes, exactly that. It comes down to transparency and ensuring you have all the departments of the club engaged who play a part in delivering fan experience and engagement working together in a unified voice.

Michelle
Should fans be worried that their personal data is safe?

Adrian
No. I wouldn’t necessarily be concerned as a fan; the clubs have got the obligation to look after that data and they are tasked with ensuring that they protect the individuals’ data. The club needs to be transparent, but it doesn’t need to be afraid of GDPR. It’s not just there to stop clubs marketing or engaging with fans, it’s there to ensure data is controlled and to enable everyone to move positively forward.

Michelle
Do clubs have everything in line to fully protect against this type of thing in the future?

Adrian
I think we are all on a journey. So, 100% compliance is a bit of a nonsense, as it talks around appropriate proportional controls, but it will shake some clubs who have not been working to the spirit of the guidelines. If you’re reading this and you think you might be one of those clubs or venues, you might want to take a fresh look at your data management process.

You can read more about how PTI Consulting are helping clubs overcome these challenges by reading the Premier League Club GDPR Case Study HERE