1. What is GDPR and does it affect you?
The General Data Protection Regulation or “GDPR” is a new set of data protection laws that will apply to everyone doing business in the EU from May 25, 2018 (including the UK despite the UK’s decision to leave the EU in March 2019).
In relation to the provision of the TeamUnify software products and services to European clubs, TeamUnify is a “processor” and acts on instructions from the clubs, which are the “controllers”. Both clubs and TeamUnify will have their own obligations under the GDPR, but the main responsibility for the personal data collected and processed by controllers (including on their instructions by third parties) lies with them. Below we highlight the key changes in the new law for clubs, and also explain how TeamUnify can assist clubs with some of their controller GDPR obligations.
2. What are the key changes?
While data protection laws have been in place for decades, the GDPR introduces a number of significant changes that will affect our European swimming club customers and TeamUnify:
More obligations for clubs: GDPR builds on the existing data protection rules that apply to clubs and creates a number of additional obligations, including the need to ensure a greater level of transparency around where data is stored and how it is used (e.g., through website privacy policies), have appropriate policies and procedures in place to deal with security and data breach notification, and to ensure contracts deal appropriately with data protection.
More detailed privacy notices and explicit consents (for health data): GDPR requires clubs to provide swimmers and members (i.e., swimmers’ parents / guardians and coaches) with more details about the clubs’ processing of their personal data. Online and offline privacy notices will need to be expanded to include details of the recipients of personal data (including club service providers like TeamUnify), the data retention period, the fact that the individuals have rights under data protection law, and their right to complain to a regulator. Collection and processing of health and medical information (referred to as “special categories” of data under GDPR) will require explicit consent.
Broader rights for club members: GDPR enhances the existing rights of individuals in relation to their personal data and also creates some new ones, which clubs will need to be able to deal with promptly.
Data Storage Limitation: Clubs can only keep data in a form that allows individuals to be identified for a specified time period. This period must be set based on the purposes for which the data was collected (e.g., to manage club memberships, to organize specific swimming events, to meet Swim England requirements) and, generally, must not be longer than necessary for those purposes.
Sanctions for non-compliance: GDPR introduces significant sanctions for non-compliance: the greater of 4% annual turnover or €20m.
3. What is TeamUnify doing and how can it help you?
In recognition of the serious compliance challenges posed by GDPR, TeamUnify has been working hard to not only comply with GDPR requirements itself, but also to be in a position to assist its European customers to do so too:
Notice and Transparency
Under GDPR, European Swimming Clubs will have an obligation to explain to members, parents, coaches and any other individuals whose personal information they collect (through and outside of the TeamUnify platform) how they use and share that information. Clubs also must obtain explicit consent from parents / legal guardians in relation to any “special categories” of personal information of members they collect (e.g., information about swimmers’ allergies, medical conditions). TeamUnify has prepared a template privacy notice, which each Club can adapt and present to members, parents and coaches, as and where appropriate, to help them understand how the Club processes their personal data through the TeamUnify platform specifically. Each club will have the option to present its personalised privacy notice and obtain and track consents to the processing of personal information (including special categories of data) through the TeamUnify platform.
However, clubs should note that the TeamUnify template privacy notice must be supplemented with additional information to meet all of the GDPR’s increased transparency obligations. Clubs should, for example, also inform individuals—through the most appropriate online or offline communications channel—about any third parties with whom they share their data (of which TeamUnify is one); the data retention period; the fact that the individuals have rights under data protection law; and their right to complain to a regulator. We strongly encourage clubs to seek specialist legal help in relation to their broader website privacy policies. Clubs that host and operate their own websites (outside of the TeamUnify platform) will still need to review and update their website privacy policies to ensure that they meet the GDPR’s increased transparency obligations. See detailed guidance on this topic from the UK Information Commissioner’s Office (the ICO) here: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/.
GDPR-Compliant Contract Terms
Under the GDPR there is a mutual obligation on clubs and TeamUnify to ensure contracts contain a number of important mandatory terms around privacy and data protection. TeamUnify has updated its Subscription Agreement to include the data processing language mandated by GDPR.
GDPR grants individuals (e.g., members, parent, coaches) a broad range of rights over their personal data, including the right to access, rectify and delete personal data (in certain circumstances). Clubs will need to be able to recognize such requests and address them within 30 days of receiving them. TeamUnify has put in place appropriate policies and procedures to ensure it is well placed to assist. For example, clubs can easily download a swimmer’s profile data held in the TeamUnify system and provide a copy (in Excel format) to account holders / parents on request. Parents and club administrators with appropriate access privileges can also easily access and correct personal data fields (except for data fields required for Swim England identification purposes, which cannot be amended). We are also developing new technology solutions which we will be rolling out over the next few months to further assist our club customers with individual rights requests. In the meantime, if you receive a request for data that you cannot provide, please contact the TeamUnify support staff for assistance.
Just like you, we understand the importance of data security for your Club’s continued success. TeamUnify takes a number of organizational and technological measures to ensure that our Club customer data receives the protection it deserves. These include appropriate access controls, staff training, data encryption, and logs management and auditing. We also have a Cyber Security team that reviews the data security practices of any third parties to which we outsource the processing of personal data. For more information on our data security practices, please contact TeamUnify’s customer support staff.
Data Storage Limitation
In the future, we are considering sending regular prompts to European clubs reminding them to delete or anonymise personal data they no longer need. This will help clubs comply with their controller obligations around data retention, and also will significantly reduce the risk of personal data loss or misuse (e.g., by a club administrator inadvertently sending personal information to the wrong recipient, or through a malicious hacker attack or theft).
Cross-border Data Transfers
European privacy law restricts the transfer of personal information outside of Europe without an appropriate data transfer mechanism (e.g., Standard Contractual Clauses, Privacy Shield for US companies, consent, Binding Corporate Rules). In order for TeamUnify’s parent, SportsEngine, Inc (based in the United States), to help us and our Club customers comply with European cross-border data transfer rules, we have incorporated the European Commission’s Standard Contractual Clauses for processors into our updated subscription agreement. We may also at times engage non-European vendors to help us deliver services you have requested from us (e.g., to relay emails). Where this is the case, we will adopt an appropriate data transfer mechanism to ensure that the personal data with which our club customers entrust us remains protected irrespective of location. To further demonstrate our commitment to privacy, we are in the process of transitioning European Clubs from our data storage facility in the United States to Amazon’s Amazon Web Services data centre in Ireland.
TeamUnify has in place a robust GDPR governance program. Key features include:
Implementation of a personal data breach management process to ensure that if something goes wrong TeamUnify is prepared to respond and assist clubs.
Development and rollout of training for all personnel with access to personal data.
Implementation of more detailed accountability and compliance practices, including audit procedures and processes, to ensure TeamUnify’s compliance is monitored and adhered to on an ongoing basis and to offer further reassurance to clubs.
4. Will TeamUnify be appointing a Data Protection Officer (DPO)?
The GDPR only mandates the appointment of a DPO in specific circumstances. As TeamUnify works closely with the privacy team at NBCUniversal (the company that indirectly owns our parent, SportsEngine, Inc) and we are not strictly required to appoint a DPO under GDPR, we have decided not to do so at this time. We will continue monitoring the volume and types of personal data that we process for our European club customers and will revisit the need to appoint a DPO in future.
5. Where can you find more information?
As you work on your GDPR compliance after May 25, 2018, you may find the following guidance from the UK’s data protection regulator (the Information Commissioner’s Office) helpful:
GDPR Compliance Self-Assessment (please select the checklist for “controllers”)
If you have any further questions on TeamUnify’s GDPR compliance program or TeamUnify’s data processing and security practices, please do not hesitate to contact us at [email protected].
Please note that we have prepared these FAQs to help our European Club Customers understand what TeamUnify is doing to comply with GDPR and what TeamUnify can do to help them. It is not a substitute for legal advice. We strongly recommend that Clubs obtain their own legal advice on this important topic.