{"id":37053,"date":"2018-11-30T01:03:33","date_gmt":"2018-11-30T01:03:33","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=803e973b300ec5aca3a8d1872a6d3898"},"modified":"2018-11-30T01:03:33","modified_gmt":"2018-11-30T01:03:33","slug":"everton-fc-lucky-to-have-sureclouds-data-protection-suite-in-place-for-gdpr-kickoff","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/everton-fc-lucky-to-have-sureclouds-data-protection-suite-in-place-for-gdpr-kickoff\/","title":{"rendered":"Everton FC \u2018lucky\u2019 to have SureCloud\u2019s data protection suite in place for GDPR kickoff"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\"><br \/>\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/keumars-afifi-sabet-0\">Keumars Afifi-Sabet<\/a><\/span><br \/>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">29 Nov, 2018<\/span><\/div>\n<\/p><\/div>\n<\/div>\n<p class=\"short-teaser\">\n<a href=\"https:\/\/www.cloudpro.co.uk\/\" title=\"\" class=\"combined-link\"><\/a><\/p>\n<div class=\"field field-name-body\">\n<p>With each passing season, the footballing industry seems increasingly detached from the realities most businesses face. This is underlined by extortionate sums exchanged between clubs, players, and supporters on a daily basis; not to mention a counterintuitive penchant for amassing mountains of debt to drive footballing success.<\/p>\n<p>But the General Data Protection Regulation (GDPR) has affected every organisation large and small in the same way, with the sporting world no exception. 
Just as with startups, massive football clubs must comply with demands to bring data practices in line with modern standards &#8211; from appointing a Data Protection Officer (DPO), to training staff.<\/p>\n<p>For Everton FC, this process entailed leaving it to as late as January to get things started; putting faith into the all-in-one, modular GDPR suite developed by SureCloud. Maintaining a database of 32,000 season ticket holders, 60,000 registered fans, 360 employees, players and agents as well as third-party suppliers, through Excel spreadsheets, is a laborious task, with or without GDPR. But a changing landscape spurred the Premier League stalwart into re-examining how it managed data and processed GDPR\u2019s additional demands.<\/p>\n<p>Everton was still using a series of spreadsheets to manage its data within the football club, community outreach programme, and pre-school, as recently as January 2018. This is when the club hired Ian Garratt as its DPO to single-handedly oversee the transition to SureCloud. But the platform wasn\u2019t initially up to the standards expected, Garratt tells IT Pro, and needed a significant amount of custom tailoring to suit the club\u2019s data protection needs.<\/p>\n<p>\u201cI hadn\u2019t worked with a full management system before. I\u2019d looked at OneTrust which is an equivalent, very template-based, and then what I\u2019d worked on was spreadsheets, Excel and ones that we\u2019d built in-house, at my old employer.<\/p>\n<p>\u201cSo I went into SureCloud with a long list of tailoring. Most of them were only quite minor but there was quite a few.\u201d<\/p>\n<p>Although compliant by 25 May, implementation took so long that Everton considered hanging onto its spreadsheet-based system as the deadline fast approached. 
It would\u2019ve posed a massive headache given how slow searching through spreadsheets would have been, not to mention handling internal and external queries taking a great deal longer compared with SureCloud\u2019s touted greater functionality.<\/p>\n<p>\u201cBy the time we started the discussions it was probably late January, early February,\u201d Garratt continues. \u201cKnowing we had to get all of the data mapping done, and in place before May, we were considering whether or not we had to do that spreadsheet-based, and import it into SureCloud afterwards, just because of the timing.<\/p>\n<p>\u201cBut we were lucky in that they got it all done for us.\u201d<\/p>\n<p><strong>Bringing the human touch for higher-quality data<\/strong><\/p>\n<p>Before joining Everton, Garratt was information governance manager with the Southport and Ormskirk Hospital NHS Trust in Wales. Using spreadsheets in this post meant he could slot straight into the role with Everton, but would have to quickly adapt to the platform.<\/p>\n<p dir=\"ltr\">Fresh to the club, and sole member of the data management team, he had to gain a wider understanding of what data each department held, and their internal processes. He devised an approach to overcome these challenges all at once, sending questionnaires to each department, and inputting the answers into SureCloud himself. But the key, Garratt says, lay in working through them with people one-on-one, to personally guide them through what needed to be sent back.<\/p>\n<p dir=\"ltr\">Instead of giving everybody within the organisation their own SureCloud login,\u00a0Garratt decided to limit access to the club\u2019s data to three individuals: himself, the director of risk, and head of IT. They also decided against setting up email reminders and alerts, despite the fact this approach takes longer. 
But, why?\u00a0<\/p>\n<p>\u201cI think just from my experience you get better quality input if you actually sit down with people and do it with them, rather than sending an email alert and asking them to update something themselves when they\u2019re not specialists in the area,&#8221; he said.\u00a0<\/p>\n<p dir=\"ltr\"><strong>A matter of when, not if<\/strong><\/p>\n<p>During implementation, Garratt oversaw the migration of data from on-prem infrastructure to the cloud. But assurances over security and the decision to go with SureCloud in the first place rested with the club and were a matter for before he joined.<\/p>\n<p>\u201cFootball clubs are getting targeted more and more often. Certainly, from a backup point of view, I feel happier with it being hosted rather than living on a server,\u201d Garratt says.<\/p>\n<p dir=\"ltr\">\u201cThe risk is always there. Cyber security is now on our risk register, and I think always will be. I\u2019d expect it to be on every company\u2019s register nowadays. The other threat I suppose is malicious staff.\u201d<\/p>\n<p dir=\"ltr\">\u201cIf we did have an incident,\u201d he explains: \u201cWe should straight away be able to see what the data types are, what the fields are, the volume, what systems there are, and what associated systems. 
So we\u2019d be able to get a really good idea of the scale of the incident, and we\u2019d be able to get that very quickly.\u201d<\/p>\n<p dir=\"ltr\">And what about minor incidents, such as supporters\u2019 email addresses inadvertently leaking due to a lapse in staff concentration, as struck West Ham FC in August?<\/p>\n<p dir=\"ltr\">\u201cIf that happened with us, any mass marketing should go up to our marketing department, and they\u2019ve got a system that sends them all as individual emails &#8211; all personalised &#8211; so you don\u2019t need to do it as BCC.<\/p>\n<p dir=\"ltr\">\u201cIf we had a lot of emails like that going out &#8211; and it\u2019s largely to Hotmail or Gmail sort-of accounts, we\u2019ve got systems that would flag them, quarantine them, then either myself or someone from the IT department would be able to review them&#8230; I imagine West Ham has probably got the same sort of system, and it just, for whatever reason, didn\u2019t go through that system.\u201d<\/p>\n<p dir=\"ltr\"><strong>Revisiting supplier contracts proves the biggest GDPR hurdle<\/strong><\/p>\n<p>The most difficult part of Everton\u2019s wider compliance journey involved re-examining the several existing contracts with the club\u2019s many suppliers. Although just a handful of suppliers have access to personal data held by the club, reaching out to renegotiate a GDPR-compliant addendum proved the toughest aspect for Garratt.<\/p>\n<p dir=\"ltr\">\u201cThe data mapping is what took the most time, but that\u2019s because there was a lot of it. 
But getting contracts in place with suppliers with the GDPR-standard terms has been the hardest bit of the gameplay.<\/p>\n<p dir=\"ltr\">\u201cThey would\u2019ve had general data protection and confidentiality terms, but GDPR stipulated a wider scope for what the contracts had to include &#8211; even things like assistance with impact assessments, acceptance of audits by us and by the ICO, and breach reporting.\u201d<\/p>\n<p dir=\"ltr\">By using SureCloud, Garratt says, the club was able to list all their third parties, and a subsection of those who were charged with handling the club\u2019s data, as well as whether they were based in an EU country, or a non-EU country with or without data adequacy.<\/p>\n<p dir=\"ltr\">But it was no substitute for the hard graft the club\u2019s had to put in to ensure GDPR-compliant terms were included in each contract individually, with each supplier providing their own template, and seeking to consult with their own legal teams respectively.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>      Keumars Afifi-Sabet<\/p>\n<p>        29 Nov, 2018    <\/p>\n<p>      With each passing season, the footballing industry seems increasingly detached from the realities most businesses face. 
This is underlined by extortionate sums exchanged between clubs, pl&#8230;<\/p>\n","protected":false},"author":433,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-37053","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/37053","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/433"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=37053"}],"version-history":[{"count":4,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/37053\/revisions"}],"predecessor-version":[{"id":37106,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/37053\/revisions\/37106"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=37053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=37053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=37053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}