Handling GDPR in the Sports and Hospitality Sectors

15 May 2018


With just days to go before the GDPR goes live, Ben Curtis, General Manager at Verteda, has put together a few thoughts on GDPR in the sports and hospitality sectors, what we’re hearing from customers and a bit about what Verteda has done to address GDPR within our own business.

Managing data in the sports and hospitality sector

One characteristic that unites stadiums, venues, restaurants, hotels and events is lots of attendees. And lots of attendees usually means lots of personal data.

In a sector that typically has a high turnover of staff, lots of temporary workers who are brought in to support events, the possibility of thousands of volunteers on event days and CCTV being the norm, GDPR is bound to impact on the sports and hospitality sectors in a big way.

However, because of the vagueness of the current GDPR legislation, there are still many unknowns causing confusion in the industry. We’re starting to receive documentation from clients relating to GDPR and there is still a lot of uncertainty over where responsibilities lie between the data controller and the data processor.

In the majority of cases, Verteda will act as a data processor and not a data controller in our client relationships, but being clear with your own supply chain about who is the data controller and who is the data processor is key at this time for understanding your own GDPR position.

However, in general, despite the importance of the GDPR and the focus on data collection and business analytics in the sector, we’re not seeing a huge number of changes occurring yet – which could be down to organisations already having strong data protection policies in place.

For many, the move to the GDPR will be a small addition to their current data policies – for others, it will be a big change to how they operate their business and handle data.

Will GDPR curtail loyalty programs?

Unfortunately, current GDPR information suggests that the new legislation will slow down the big data revolution occurring in the sector. The complexity of data collection and analysis around building loyal communities in the sports and hospitality sectors will surely be impacted by some of the more stringent opt-in requirements of the GDPR.

Many credit card companies are now engaging with large venues to help better track payments and purchasing trends in order to make more accurate product recommendations to customers and present offers. These partnerships between financial institutions, venues, caterers and suppliers have many touchpoints with event attendees, all collecting and handling data. It will be a fine balance between enabling more active opt-in practices and seamlessly integrating data to deliver better business insights.

What is Verteda doing to be GDPR compliant?

As we operate in an industry built on harnessing data analytics for large venues, Verteda has taken professional advice regarding the GDPR. We’ve contracted external specialists and auditors to review our documentation, data and processes, and we went through a lengthy exercise reviewing our product portfolio in light of the GDPR. We looked at each product and the data it collected, and aligned this with the GDPR recommendations to see if there were any areas that overlapped with GDPR regulations. Where there were instances of GDPR impact, we captured every scenario and reviewed our responsibilities as a data controller or processor in those instances.

Thankfully, because of the data practices already in place across the business, we haven’t had to do anything too ground-breaking to become GDPR compliant – it has mostly been a documentation exercise with our suppliers, partners and customers. However, it was a necessary process to go through, and one that we recommend all businesses in the sector undertake to map their data and understand exactly what their GDPR position is.


We are just days away from the GDPR coming into force and here are a few recommendations I’ve picked up from conversations with customers.

  • Plan in advance for the financial impact that the GDPR could have on your business. At Verteda, there’s been an investment in external specialist support such as consultants and auditors, and we have one person working on GDPR-related activities one day a week – with the likelihood of this increasing over time. We’ve had to move internal resources around and make investments in order to ready ourselves for GDPR so it’s important for businesses to plan in advance so that they aren’t hit with a big financial outlay in one go.
  • Get clear on your definitions of data controllers and data processors – look at where you sit, and also where your suppliers, partners and customers fall within those categories.
  • Keep an eye out for updates on the Data Protection Bill, which will update some of the current Data Protection Act legislation and provide more details on how it will interact with the GDPR.
  • If you have data belonging to EU residents outside of the UK, be sure to look at how each country is handling the GDPR as there are some nuances in different countries across the EU that businesses need to be aware of.


Ben Curtis is the General Manager at Verteda, delivering innovative IT solutions for the sports, venues and hospitality sectors. Working with over 60% of the English Premier League and all major UK arenas, Verteda delivers business analytics, workforce management, and POS solutions across the world.