Disclaimer: The following is for information purposes only, and is not to be considered legal advice. We have provided various links to external orgs and government websites that you may find helpful and useful. You may contact us for more information regarding your own esports privacy policy.

To put it simply, yes.

The General Data Protection Regulation (GDPR) affects us all, regardless of company size, but today we will be looking at its implementation in the United Kingdom, and how your website's privacy policy should reflect your compliance. The contents of your website's or organization's privacy policy must be up to date with the laws around data protection and the GDPR.

The data protection authority in the UK, including Scotland, is the Information Commissioner’s Office (ICO) at https://www.ico.org.uk. They issue licenses to authorize you to collect and store personal data, and all breaches must be reported to the regulator within 72 hours.

Data Protection Act 2018

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

In relation to most of your typical esports website users, only the top portion should apply in your privacy notice, as the more sensitive categories would be considered excessive information for an esports org to handle, with the possible exception of data relating to criminal convictions and offences.

Security at esports events is in ever-increasing demand, and with it the requirement for disclosure checks may grow too, but we shall leave that for another post.

What is personal data?

Under GDPR the scope of personal data has widened significantly: personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. This includes, for example, posts on forums and clan or guild websites.

Are you a data controller, or a data processor?

The first thing you should do is decide whether you are a data controller or a data processor. An important and often overlooked part of esports is data control responsibilities. The governing body in the UK is the Information Commissioner’s Office. Full UK government guidance on the definitions and implications can be found in the ICO PDF (note: not yet updated in line with the DPA 2018).

While not yet updated, it still shows how to determine data protection responsibility, and who is the data controller and who is the data processor.

According to the GDPR:

  • Data Controller: an organisation that collects data from EU residents
  • Data Processor: an organisation that processes data on behalf of a data controller, such as cloud service providers (hosts)

Controller and processor examples

If you have a website that allows (EU) members to register, or if you take payments from (EU) customers through an online store, you are most definitely a Data Controller. Since users completing these actions will have to do so via a phone number, email address, bank payment, or some other submission of personal data, you are a Data Controller.

Users must now give “informed consent” for all of their personal data, and must be given a means to withdraw this consent at any time.

Perhaps you have a website that only processes data, for example using API data from a game publisher to show a killboard, leaderboard, or server maps. In that case you are a Data Processor, and the responsibility of data control lies with the API provider.

However, as a Data Processor you may in reality also become a data controller by technically altering the data you receive from the Data Controller, i.e. by choosing what to deliver to the end users of your website or service.

One unavoidable point is that an IP address, which is required to interact with any website, is also described under GDPR as personal data.

Show your compliance – Privacy Policy

You must notify users and make available your full privacy policy, detailing how you handle personal data. This is where you affirm what data you collect, for what purposes, and which information, if any, may be shared with which third parties.

The cornerstone of your website under GDPR will be the contents of your privacy policy, as it fulfils a legal requirement to state how you protect that information, as well as the basis for collecting it in the first place.

It must contain several important elements, including the policy number issued to you/your org by the ICO (or your own local DPA), the name of your Data Protection Officer (DPO), their contact email address, and the physical address that receives postal mail.

What have you been doing wrong?

As web consultants we have observed many websites that are, for lack of more accurate words, operating illegally. The most common issue we have found is that many esports orgs/websites/communities are not even registered with a data protection authority, when they clearly handle personal data.

The ways in which some of this information is used or shared without consent are quite disturbing. In some cases we can put it down to ignorance, but for how much longer?

Some examples include sharing a Google Docs form with the contact information of your staff, or a list of confirmed event attendees. It seems pretty harmless, but under GDPR it is illegal unless you have confirmed consent and can prove it.

Many esports orgs have a large presence on social media, over several channels. It’s natural for these to be used to promote upcoming events, inform followers of changes, or as a marketing tool, yet some orgs also fail to mention this in their privacy policy.

How can I become GDPR compliant?

If your website has a registration form, you definitely need a privacy policy. You must list everywhere that you may share users’ personal data. You must register with the ICO (in the UK – which only costs about £35 per year) and show your policy number. (This is not your Companies House number – they are two different things.)

We are available for consultation, to help you draft and form your esports privacy policy. Contact us today.