Currently sitting last in the Premier League table with no points to their name, West Ham have had a tough start to the season.

Their struggles have been just as obvious off the pitch as the club continues its legal dispute with the landlord of their home ground, the London Stadium. London Legacy Development Corporation has refused to reinstate the club’s honours board due to unpaid bills. Further, the club is in dispute with the landlord over the colour of the track around the pitch. A disagreement between whether the track should be blue or claret (or in Karren Brady’s open letter, both blue and claret), may now seem trivial given the club’s recent data breach.

Last week West Ham accidentally shared hundreds of supporters’ personal email addresses when confirming successful applications for their upcoming Carabao Cup fixture. The club has apologised to fans and has reported the breach to the Information Commissioners Office (ICO), the data protection supervisory authority for the UK.

Under the General Data Protection Regulation (GDPR), personal data is defined as “information that relates to an identified or identifiable individual.” An email address alone is often enough to identify the owner of the account, given many people now include their name within their address. Even in relation to those email addresses that did not contain names, as they were shared by the club as email addresses of their fans, it is likely that owners of the accounts would be identifiable.

By sharing hundreds of fans’ email addresses, the club is one of the first big names in sport to encounter a personal data breach under the GDPR, which took effect on 25th May 2018. Under the GDPR a personal data breach is defined as “the accidental or unauthorised destruction, loss, alteration, or the unauthorised disclosure of, or access to, personal data”.

Article 33 of the GDPR imposes a duty on all organisations to report to their data protection supervisory authority (the ICO in the UK) any personal data breach that is likely to result in a risk to the rights and freedoms of the individuals involved. Such notifications must be made within 72 hours of the organisation becoming aware of the breach; perhaps one of the most stringent requirements under the GDPR.

Different data protection supervisory authorities across Europe have adopted varying notification processes. For the ICO, West Ham will have had to provide the ICO with information as to the likely causes of the breach, the categories of data invoked and the number of individuals affected, the potential consequences and other facts such as whether the staff involved had received data protection training in in the last two years.

West Ham will have determined whether the affected individuals were all residents of the UK, as if this is not the case, notification to other EU data protection supervisory authorities may be required, with other regulators known to take a stricter approach than the ICO.

The GDPR introduced significantly higher fines than those faced before 25th May 2018. The maximum fine for a personal data breach is €20 million or 4% of global annual turnover, whichever is higher.  Whilst the ICO has received a record number of breach notifications, with figures increasing by 27% since the GDPR and the UK Data Protection Act 2018 took effect, the number of email addresses involved and the high profile nature of the club is likely to attract significant attention.

This accident was an own goal by West Ham, and one potentially more expensive than Diop’s against Arsenal last weekend.