The most common question is whether RacingRulesOfSailing.org complies with the EU General Data Protection Regulation (GDPR) which comes into effect in May 2018. The GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

RRS.org is probably not subject to the GDPR because it has fewer than 250 employees, collects only basic identity information such as name, address and ID numbers (no sensitive personal data), and does so only very occasionally. However, even if we are, we meet all the GDPR requirements. RRS.org uses Amazon Cloud services in a Software as a Service model (SaaS). All data is stored in a secure environment and passwords are stored in 256 bit security. The site transmits information via SSL (https) which is the highest security for personal data. As long as the OA of an event indicates that the data will be used for purposes of running the regatta and/or that data might be shared with a third party service provider, we meet the disclosure requirements (the standard language in most entry forms meet this requirement).

The other common question we hear is; does RRS.org sell competitor data? Be assured, RRS.org doesn't share any data with any other organization in any way. The data we collect during an event is used only for the services provided to the event.

RRS.org provides individual judges with the tools for rules research, writing protest decisions and provides common language so as to make the decisions more uniform across protests, across events and around the world. RRS.org currently sets the standard for best practices in writing decisions, and is widely used by judges around the world while composing a decision during a protest hearing. The decision tool allows for capturing information about the competitor, like telephone number and email, just like most paper protest forms. Most competitors have without a doubt encountered judges using this tool at many events they have attended.

Secondly, the application provides communication from race officials to the competitors. It provides both automated and manual email and text communications based on the information provided by the competitor or provided from registration. It also provides electronic displays of competitor information for the event. Displays can show the hearing schedule, rule 42 penalties, jury questions and answers, protest decisions and scoring inquiries. These communications contain the only the same information otherwise available on the official notice board.

So the application only captures information about competitors that the protest form normally acquires during an event – name, telephone number and email. And that information either comes from the competitor themselves or from their registration. But only the same information available on the official notice board is available to the public on RRS.org.

RRS.org meets all the requirements of COPPA and GDPR. You can read the Privacy Policy. It has encrypted security, user authentication, confirmation of official certifications and, finally, only those persons appointed by the the PRO and/or Chief Judge can see the personal information for an event. The data is stored in the cloud provided by AWS in databases accessible only by a connection to this application, and each query of that database requires authorization. RRS.org is generally more secure than most registration programs and/or paper processes that contain much more information about the competitors.

Everyone should of course be concerned with personal data being collected during events, especially data provided by children. But, to the extent an event and its registration process is compliant with COPPA (and soon the requirements of GDPR), RRS.org exceeds all data security and disclosure requirements.