Do esports websites have to be GDPR compliant?
To put it simply, yes.
The data protection authority in the UK, including Scotland, is the Information Commissioner's Office (ICO) at https://www.ico.org.uk. The ICO issues the licences that authorise you to collect and store personal data, and all breaches must be reported to the regulator within 72 hours.
Data Protection Act 2018
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- biometrics (where used for identification)
- sex life or orientation
There are separate safeguards for personal data relating to criminal convictions and offences.
For most typical esports website users, only the first list above should apply in your privacy notice, as the more sensitive categories would be considered excessive information for an esports org to handle, with the possible exception of data relating to criminal convictions and offences.
Security at esports events is in ever-increasing demand, and with it may come a requirement for disclosure checks, but we shall leave that for another post.
What is Personal data?
Under GDPR the scope of personal data has widened significantly: personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address. As an example, this includes posts on forums and on clan or guild websites.
Are you a Data controller, or data processor?
This is the first thing you should do: decide whether you are a data controller or a data processor. Data control responsibilities are an important and often overlooked part of esports. The governing body in the UK is the Information Commissioner's Office. Full UK government guidance on the definitions and their implications can be found in the ICO PDF (note: not yet updated in line with the DPA 2018).
While not yet updated, it still shows how to determine data protection responsibility, and who is the data controller and who is the data processor.
According to the GDPR:
- Data Controller: an organisation that collects data from EU residents
- Data Processor: an organisation that processes data on behalf of a data controller like cloud service providers (hosts)
Controller and processor examples
If you have a website that allows (EU) members to register, or if you take payments from (EU) customers from an online store you are most definitely a Data Controller. Since users completing these actions will have to do so via a phone number, email address, bank payment, or some other submission of personal data, you are a Data Controller.
Users must now give “Informed consent” over all of their personal data, as well as a means to withdraw this consent at any time.
Perhaps you have a website that only processes data, for example using the API data from a game publisher to show a killboard, leaderboard, or server maps. In that case you are a Data Processor, and the responsibility of data control lies with the API providers.
However, as a Data Processor you may in reality also become a data controller, by technically altering the data you receive from the Data Controller when choosing what to deliver to the end users of your website or service.
One unavoidable part is that an I.P. address, which is required to interact with any website, is also described under GDPR as personal data.
Your privacy notice must contain several important elements, including the policy number issued to you or your org by the ICO (or your own local DPA), the name of your Data Protection Officer (DPO), their contact email address, and the physical address that receives postal mail.
What have you been doing wrong?
As web consultants we have observed many websites that are, for lack of more accurate words, operating illegally. The most common issue we have found is that many esports orgs, websites and communities are not even registered with a data protection authority, when they clearly handle personal data.
The ways in which some of this information is used or shared without consent are quite disturbing. In some cases we can put it down to ignorance, but for how much longer?
Some examples include sharing a Google Docs form containing the contact information of your staff, or a list of confirmed event attendees. It seems pretty harmless, but under GDPR it is illegal unless you have obtained consent and can prove it.
How can I become GDPR compliant?