Athlete monitoring strategies, advancements in technology, and breakthroughs in knowledge about the human body are more prevalent than ever before in the world of high performance and professional football.

As a result, we are living through a data boom that is creating new opportunities for teams to gain a competitive advantage. Today, there are a multitude of devices (point solutions) that are collecting myriad data points in singular fields of performance such as GPS, optical trackers, and game stats. The list goes on.

This explosive growth of data has far outpaced anyone’s expectations and it’s forecasted that teams will soon be lost in over 250 million data points, per athlete, per year.

On a positive note, when used correctly and with the right partner, data can be transformed into insights that create new opportunities to drastically improve athlete and club performance. However, there are risks that need to be considered when monitoring personal data so closely, namely data and privacy protection.Privacy Concerns in Sport

The General Data Protection Regulation (GDPR) gives EU athletes more control over their personal information with a particular focus on why and how their information is collected, processed, stored, and most importantly, protected. While GDPR gives athletes greater control over their personal information, it puts a heavy burden of proof on clubs to ensure they have the correct systems in place to manage how athlete information is managed. And with fines of up to €20M or 4% of global revenue – whichever is greater –  failure to comply with these regulations presents a significant financial and reputational risk to sport teams.

How can clubs manage the deluge of data while complying with GDPR guidelines?

A single platform that consolidates data from disparate sources, creates a shared level of understanding in real-time among everyone in the organisation, and turns athlete data into actionable insights that create a competitive advantage. More importantly, it should be a system that was designed from the ground up for privacy, security, and compliance purposes.

Point Solutions Increase GDPR Compliance Risk

Many clubs use free or porous point solutions in combination with paid-for solutions (e.g., Excel/Tableau)—which are not always GDPR compliant—to input, store, and share personal data. These clubs may also employ ad hoc processes that aren’t designed for data privacy and security for using or transferring this information. In addition, athlete data is often accessible or stored in email/messaging services on personal devices that result in information being easily shared and accessed by unauthorised people.

Understand Your Level of Risk

GDPR is manageable and the right technology partner should take care of this for you. However, it’s important to examine your platforms and processes to understand your level of exposure. Fines for GDPR non-compliance are running into the billions of euros with tech firms receiving the largest penalties.  Sport clubs have been subject to smaller fines, but these still represent a significant penalty—an unnamed football club was fined €300,000 for not properly protecting member and employee personal data, the Norwegian Confederation of Sport was fined €125,000 for a lack of security measures, and LaLiga was fined €250,00 shortly after GDPR was put in place.

Ask yourself:

1. Whose data do you have and what data do you have on them? You must be able to document the personal data you have, where it came from, and who you share it with.
2. Is the data being stored/transferred/used safely? Make sure the “processing” of personal data, which includes its collection, storage, transfer, or use, is done legally.
3. Are management and systems aligned with GDPR guidance? Confirm that everyone understands what’s at stake and the impact it will have on operations and liabilities.
4. Who has access to personal data and can you prove it? Be able to show that a person’s personal data is limited to only what is necessary in relation to its purpose.
5. Can you access the rights of the individual in a timely manner? Check your procedures to make sure you can respond to an athlete’s request within 72 hours.
6. Are you prepared in the event of a data breach? There are rules and timeframes within which you must detect, report, and investigate personal data breaches.

If your answers are inadequate to any of the above, you may want to consider a platform that can help improve athlete performance and health while also ensuring GDPR compliance.

Evaluating Technology Platforms for Performance and Security

There are many elements to consider when choosing a data management platform. With GDPR holding companies accountable for the personal data they manage, it’s important to ask:

1. Can the solution provider facilitate cross-functional collaboration in a complaint manner?
2. Has the solution been built with data protection in mind as opposed to being an afterthought?
3. Is the solution provider accredited and well established in this space?

Kitman Labs and the Intelligence Platform (iP)

The intelligence Platform (iP) a GDPR ISO 27001 / FIFPRO compliant data platform that can bring data together and deliver a complete picture of an organisation’s athletes, all in one place, where all the information can be queried and investigated by everyone at the same time.

From our earliest beginnings, we have treated athlete privacy as sacred. You cannot protect athletes without protecting their data. We chose to invest in world-class security by achieving ISO 27001 Certification to significantly enhance the security of athlete information we’re trusted to protect. The problem is not everyone in the industry does this – in fact, far too few.

Stephen Smith, CEO, Kitman Labs

Security and privacy benefits of iP include:

• Transforms data into shared intelligence that fuels competitive advantage for athlete management, talent development, injury prevention and insights through analytics
• GDPR-compliant for data storage, access & sharing
• Greater control, risk mitigation, time efficiencies, and “single source of truth” throughout club and/or league for data management, input, processing, and accessibility

Conclusion

GDPR is a positive step towards protecting individuals’ privacy rights and providing companies guidance on how they organise and secure the personal data they manage. Yet with penalties of up to 4% of a club’s worldwide turnover for the preceding year, that amount could devastate a club. It is therefore critically important to understand and remain in full compliance with GDPR from both a privacy rights and bottom line impact perspective.