What is GDPR and why should anyone in the thoroughbred industry care about it? Unfortunately, because GDPR non-compliance runs the risk of incurring absolutely crippling fines.

 

Overview

The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy for all individuals within the European Union. GDPR will be implemented on 25th May 2018, with the aim of giving people in the EU control over their personal data. However, this simplification of regulation has caused a lot of confusion for businesses about how GDPR will be implemented. Ireland’s data protection commissioner Helen Dixon explained that “no organisation can afford to take the risk of not implementing [GDPR rules]”. This is because any organisation not following the rules can face fines of up to €20 million or 4% of annual global turnover.

 

What does GDPR mean for the Thoroughbred Industry?

 

So what will organisations in the thoroughbred industry need to change?

On racing yards and stud farms, all personal data will need to be collected and stored in accordance with the new guidelines. Therefore, all data must be:

  • Adequate, relevant and limited to the purpose it is being used for.
  • Accurate and up to date.
  • Kept for no longer than necessary.

And, most importantly,

  • Kept safe and secure.

At present, employers at racing yards and stud farms hold data on their employees. This includes data such as their bank details and National Insurance numbers. In addition to information held about employees, GDPR also covers any details held concerning customers, suppliers, business partners or any contractors. Whether you are a trainer with 200 horses in training or a restricted trainer with 4, all the data held on owners must be kept secure. Moreover, the data held must be limited to what is necessary for the operation of the yard. Encryption of personal data should be implemented whenever possible.

Already a huge undertaking for yards, securing the details of owners, staff, vets, farriers, suppliers and any other individual in contact with the yard will now be significantly more important.

 

Changes

 

So what are some simple changes that racing yards and stud farms can make to get ready?

  • Ensure all logins & passwords are hidden, and not written down on post-its stuck to the computer screen.
  • Passwords should be at least 8 characters in length, and consist of a combination of letters (uppercase and lowercase), numbers, and symbols.
  • All staff devices should be password protected.
  • Any paper records containing information that can be used to identify an individual should be securely stored under lock and key.
  • Records containing personal data which are no longer necessary to keep under regulation should be disposed of in a secure manner.

 

For all the racing yards and stud farms with websites, a Privacy Statement must be added. So what is it? The data protection commissioner says that a Privacy Statement is ‘a public declaration of how the organisation applies the data protection principles to data processed on its website’. These principles cover:

  1. How you use the data collected on your website,
  2. What you do to ensure it is kept safe and secure,
  3. How you keep it accurate while ensuring it is adequate and relevant.

Your privacy statement should also outline how a person can request their data to be deleted.

What will happen if a website doesn’t have a privacy statement? Of course, the answer is more fines, with a possible penalty of up to €100,000 or deletion of all data collected via the site.

 

Moving Forward

 

There is no doubt it will be a lot harder for racing yards and stud farms to contact potential clients and grow their business. Preparing for GDPR will be a lot of work, especially for those bigger yards that have much more employee and customer data to process, store and protect. The panic that seems to have consumed some organisations over GDPR could possibly be a dramatization. It may be that May 25th will come and go without any major incident in the industry. Even so, establishing good practices regarding sensitive information can only be good for your yard. If you adhere to the principles outlined above, you are well on your way to a safer and more secure operation.