World Cup Surveillance And How It Matters For Your Organisation
Written by Sinead Santos
As the 2026 World Cup shines a spotlight on emerging surveillance technologies, organisations have an opportunity to reflect on their own monitoring practices. From facial recognition in stadiums to employee monitoring in the workplace, this article explores the data protection considerations, GDPR requirements, and practical steps organisations should take to ensure surveillance remains lawful, transparent, and proportionate.
The World Cup started on 11 June, and for the next five weeks it will be almost impossible to avoid. What may be easier to miss, among the football, is the amount of watching going on: not just of players on the pitch, but of fans walking through the gates and, closer to home, staff turning up tired after a late kick-off.
Two things are happening this summer that every organisation should pay attention to. One is in the stadiums. The other is in the office.
In the Stadium
Mark has a ticket to a group game. He gets to the gate and there is nothing to scan: no paper ticket, no phone, no barcode. He simply looks at a camera, it recognises his face, and he is through. Brilliant, thinks Mark. The future.
Face-based entry is already in use across major US sports venues, and biometric screening is widely expected to be one of the defining features of the 2026 World Cup, with the United States, Canada and Mexico hosting millions of fans across 16 cities. Typically, it works much as it does for Mark: fans register through an app, a selfie is converted into a digital token linked to their ticket, and they walk straight through. To a fan, it feels like a glimpse of how every stadium may work one day. To anyone responsible for data protection, it raises a serious question, because facial recognition is not ordinary data processing.
When a system uses someone’s face to identify them, it is processing biometric data. Under UK GDPR, biometric data used for identification is special category data. You cannot process it simply because it is convenient, or because people seem happy enough to accept its use.
Doing it lawfully takes two things: a lawful basis under Article 6 UK GDPR, and a separate condition under Article 9. Consent may look like the obvious route, but it has to be freely given and comply with the rest of the UK GDPR rules for consent. Where special category data is being collected, it also has to be “explicit”. Freely given consent is hard to argue when the alternative is being turned away from a match someone has already paid for.
That last point is where organisations often come unstuck. Earlier this year, the Spanish data protection authority fined Barcelona €500,000, not simply for using biometric data, but for failing to carry out a proper Data Protection Impact Assessment before collecting facial and voice data from members during a digital sign-up process involving around 143,000 people. The club had produced a risk assessment; the regulator decided it was not, in substance, a proper DPIA at all. Members had complained that the biometric option felt compulsory and that the ordinary alternative was unclear.
UK clubs are watching the World Cup closely, and some will be tempted to bring this technology home. Before they do, they need to understand that what looks like an upgrade to the fan experience is, in data protection terms, one of the highest-risk things they can do.
In the Office
Rachel runs HR, and she has started to notice a pattern. Two people are off sick on the same morning, the day after a late England game. A couple of others log in late and look as though they would rather be anywhere else. A run of “working from home” requests all seem to land on match days. She is tempted to keep a closer eye on a few people for the next month or so.
She is not alone. Because the tournament is being played across North America, many matches fall in the UK evening or late at night, with kick-offs at 7pm, 10pm and well past midnight. The predictable result is a workforce running on less sleep, and managers tempted to check who is logging in late, review activity logs, and cross-check absences against the fixture list.
Monitoring staff is not unlawful. But it is regulated, and the same principles that govern facial recognition apply here too. There has to be a lawful basis. In the workplace, consent rarely works because the imbalance between employer and employee means it cannot usually be freely given. Most employers rely instead on legitimate interests, which means carrying out a Legitimate Interests Assessment rather than simply deciding that the monitoring feels reasonable.
It also has to be proportionate. Wanting to catch a few people who stayed up too late is not, by itself, a good enough reason to monitor an entire workforce. An employer has to ask whether there is a less intrusive way to achieve the same thing, and whether what is being collected is limited to what is genuinely needed.
It also has to be transparent. Monitoring people without telling them is only lawful in genuinely exceptional cases, such as investigating suspected criminal activity. A football match does not come close. If Rachel’s organisation is going to monitor staff, it has to tell them what is being monitored, why, on what basis, and for how long. That should be set out clearly in a policy and privacy notice. Where the monitoring is systematic, it also needs a Data Protection Impact Assessment: the very same tool a football club needs before installing facial recognition.
The Same Lesson, Twice
Mark and Rachel could not be in more different situations. One is a fan being watched at a match; the other is a manager thinking about doing the watching. But the underlying questions are the same. What is your lawful basis? Do you really need to do this? Is it proportionate? Have you told people? Have you carried out an Impact Assessment?
The World Cup will be over by late July. The technology it showcases will not be. Facial recognition at the turnstile and monitoring software on the work laptop are both becoming more normal, and more tempting, every year. Too often, organisations reach for the technology first and consider the law later.
Watching people is not automatically unlawful. It is not automatically acceptable either. The technology does not remove the need to ask the difficult questions; it makes asking them more important than ever.
What Your Organisation Should Do
If you are considering biometric or facial recognition technology, treat it as high-risk from the outset. Carry out the Impact Assessment first, identify both your Article 6 lawful basis and your Article 9 condition, and think carefully about whether consent can truly be freely given. If you monitor staff, or are tempted to do so over the coming weeks, make sure you have a documented lawful basis, that the monitoring is proportionate, that staff are properly informed, and that an Impact Assessment sits behind anything systematic.
Enjoy the football. Just make sure your organisation is not the one caught offside.
Need Help Getting Surveillance and Monitoring Right?
If your organisation is considering biometric technology, facial recognition, or employee monitoring, now is the time to get the data protection position right. Our team can help you understand the risks, complete robust DPIAs, identify the correct lawful basis, and put clear policies and safeguards in place before issues arise. Through our Data Protection Audits, Outsourced DPO services, and ongoing Data Protection Support, we work with football clubs and organisations across every sector to keep projects compliant and proportionate and make data protection easy for you and your teams.
References & Guidance
- ICO Guidance on Biometric Data: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/biometric-data/
- ICO Guidance on Monitoring Workers: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/
- ICO Guide to Special Category Data: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/
- ICO Data Protection Impact Assessments: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/
- FC Barcelona €500,000 AEPD fine – coverage: https://ppc.land/spain-fines-fc-barcelona-eu500-000-for-failing-biometric-data-protection-assessment/