While data protection laws have been in place for decades, the GDPR introduces a number of significant changes that will affect clubs and GolfNow:
- More obligations for clubs: GDPR builds on the existing data protection rules that apply to clubs (in their capacity as “data controller” of their golfers’ data) and creates a number of additional obligations. These include the need to: ensure a greater level of transparency around where data is stored and how it is used (e.g., through website privacy policies and pop-up notices); have appropriate policies and procedures in place to deal with security and data breach notification; and ensure that vendor contracts deal appropriately with data protection.
- More detailed privacy notices: GDPR requires clubs to provide golfers with more details about the clubs’ processing of their personal data. Privacy notices will need to be expanded to include details of the recipients of personal data (including service providers like GolfNow), the data retention period, the fact that the individuals have rights under data protection law, and their right to complain to a regulator.
- Broader rights for club members: GDPR enhances the existing data rights of individuals and also creates some new ones, which clubs will need to be able to deal with in a timely manner.
- Data storage limitation: Clubs can only keep data in a form that allows individuals to be identified for a specified time period. This period must be set based on the purposes for which the data was collected (e.g., to manage club memberships of existing golfers), and must not be longer than necessary for those purposes.
- Sanctions for non-compliance: GDPR introduces significant sanctions. The maximum fine is the greater of 4% of the organisation’s annual turnover or €20m.