A group of footballers, led by former Cardiff City manager Russell Slade, are threatening data collection firms with legal action for breaches of the General Data Protection Regulation (GDPR). The claim is backed by 850 players and seeks compensation from 17 major gaming, betting and sports data companies for misusing and trading players’ data over the past six years.

The data comprises performance data, player statistics and physical information. ‘Project Red Card’, as the action is known, includes players from the Premier League, English Football League, National League and Scottish Premiership. The players are also seeking an annual fee for future use of their data.

Slade told the BBC “There are companies that are taking that data and processing that data without the individual consent of that player. A big part of our journey has been looking at that ecosystem and plotting out where that data starts, who are processing it, where it finishes and that’s a real global thing. It’s making football – and all sports – aware of the implications and what needs to change.”

Under Article 4 GDPR ‘personal data’ means any information relating to an identified or identifiable natural person. By attributing statistics, such as number of goals scored and passing accuracy, to individual players, the data collected does indeed constitute personal data. Whether the data collection is lawful depends on whether there is a legal basis under the GDPR for such processing, such as consent, legitimate interests, or public interest. Given that the processing took place without the players’ knowledge, it is unlikely that the data collection companies will be able to rely on consent.

Dyann Heward-Mills, CEO of HewardMills, said: “Sports players are increasingly recognising the value of their personal data and so we can expect them to assert their rights under the GDPR. Data collection firms need to risk assess their processing activities to ensure that they are lawful. It will be interesting to see how this story develops and the industry response to individuals’ growing awareness and expectations on data protection and privacy. I would encourage all companies and business involved to audit and understand their legal requirements and obligations. At HewardMills, we specialise in building compliant data protection programmes for our clients to help them establish trust amongst their customers and the public as a whole.”