It is recommended that you inform and train your teams and organisation, as well as any employees who handle sensitive data, about GDPR, the new regulations and what they mean for your operation.
Take time to review all your data processes, including the legal basis for using the data. You will also need to check whether any of the data you hold is inaccurate or outdated, for example on members or coaches who have transferred to other clubs, or in similar situations.
When working with children, it is vital that your current policies meet the GDPR standards, which are designed to protect the data of those most vulnerable. If you are unsure about these policies, review the 12-step guidance checklist.
Tennis venues and coaches hold and use personal data about individuals, mainly details of their members and employees, e.g. names, addresses, phone numbers, email addresses and dates of birth. Organisations that hold personal data and determine how that data is used are known as ‘data controllers’.
At ClubSpark, we are answering the questions you need answered to prepare for the General Data Protection Regulation.
Do I need to register as a data controller?
It is important that your venue is compliant with the new GDPR rules. Under the current data protection regime, some organisations were required to register with the body that administers data protection; under GDPR this registration requirement no longer exists, although some organisations will still have to pay a fee. If you are unsure about your venue, please refer to the ICO website for updates.
As a venue, what do I need to be aware of?
Venues will need to provide more information when they first collect personal data from individuals or other sources. For example, the venue will need to be transparent with individuals about their data subject rights, including their right to withdraw consent, and provide information about data retention. Privacy policies will also need to be updated and brought to the attention of existing players and any other players whose data is processed.
Do I need a Data Protection Officer (DPO) for my venue?
Certain types of venues/organisations will need to appoint a DPO. Although this is unlikely to apply to you, you should make your management team aware of the venue’s data protection obligations and ensure you are compliant.
Have you audited your venue's personal data usage?
It is recommended that you perform a mini-audit of your venue's personal data.
You will be expected to know the answers to the following questions.
- What types of individuals do you hold and process information on? E.g. staff, members, players?
- What is the nature of the information you hold, where does it come from and what do you use it for?
- Do you share your information with any third parties? If so, what do they use it for?
Have you read the 12-step guidance?
The 12-step guidance and self-assessment checklist provided by the Information Commissioner's Office is very helpful and sets out what you are required to do to be compliant.
What does ClubSpark do with the data?
We only use the data ourselves to manage the platform. Our role is to act as a Data Processor on behalf of you, the Data Controller.
What is ClubSpark doing to support me as a venue?
In order to support venues in being compliant, the following updates have been made to the system:
- Consents when registering for a ClubSpark account changed to opt-in
- Venue consents changed to opt-in
- The ability for users to update their consents from their account area
- Ability to delete records if requested by any user
- Preventing any user creating an account if they are under the age of 13
- Making it easier to identify junior records within the system
- Ensuring that any junior product being purchased on the system is only done so by the player’s parent or guardian
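The account, consent and junior-purchase rules listed above, worked through as an added example (this is not ClubSpark's own code). It assumes that "junior" means under 18, that dates arrive as ISO strings, and that an adult account carries a recorded link to the junior players it is guardian for; the 13-year account limit and the opt-in consent default are as stated on this page.

```python
from dataclasses import dataclass, field
from datetime import date

MIN_ACCOUNT_AGE = 13   # no account may be created for anyone under 13 (as stated on the page)
JUNIOR_AGE = 18        # assumption: a "junior" record is a player under 18

def age_on(dob_iso: str, today_iso: str) -> int:
    """Whole years between the two ISO dates; a birthday later in the year has not counted yet."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years

@dataclass
class Account:
    email: str
    dob: str
    # Opt-in consents: every flag is False until the user explicitly turns it on.
    consents: dict = field(default_factory=lambda: {"marketing": False, "venue_news": False})
    # Emails of the junior players this adult is the recorded parent/guardian for (assumed link).
    guardian_of: set = field(default_factory=set)

def register(email: str, dob_iso: str, today_iso: str) -> Account:
    """Account creation is refused outright for anyone under MIN_ACCOUNT_AGE."""
    if age_on(dob_iso, today_iso) < MIN_ACCOUNT_AGE:
        raise PermissionError("under-13s may not create an account")
    return Account(email=email, dob=dob_iso)

def is_junior(dob_iso: str, today_iso: str) -> bool:
    """Flags junior records so they can be identified and handled separately in the system."""
    return age_on(dob_iso, today_iso) < JUNIOR_AGE

def update_consent(account: Account, name: str, granted: bool) -> dict:
    """Users change their own consents; unknown consent names are rejected, not silently added."""
    if name not in account.consents:
        raise KeyError(f"unknown consent: {name}")
    account.consents[name] = granted
    return account.consents

def may_buy_product(purchaser: Account, player_email: str, player_dob_iso: str, today_iso: str) -> bool:
    """A junior product may only be bought by the player's recorded parent/guardian;
    an adult product may be bought by the player for themselves."""
    if is_junior(player_dob_iso, today_iso):
        return player_email in purchaser.guardian_of
    return purchaser.email == player_email
```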
What does ClubSpark do to keep my data secure?
The security of your data is of the utmost importance to us. Our platform is hosted on Microsoft Azure, which runs in geographically dispersed data centres that comply with key industry standards, such as ISO/IEC 27001:2005, for security and reliability. They are managed, monitored and administered by Microsoft operations staff who have years of experience in delivering the world’s largest online services with 24 x 7 continuity.
In addition to the data centre, network and personnel security practices, Microsoft Azure incorporates security practices at the application and platform layers to enhance security for application developers and service administrators.
Security for the Hosting Environment
The Microsoft Azure platform environment is composed of computers, operating systems, applications and services, networks, operations and monitoring equipment, and specialised hardware, along with the administrative and operations staff required to run and maintain the services. The environment also includes the physical operations centres that house the services and which themselves must be secured against malicious and accidental damage.
Key Architecture Design Points
The Microsoft Azure platform is designed to provide “Defense in Depth,” reducing the risk that failure of any one security mechanism will compromise the security of the entire environment. The Defense in Depth layers include:
- Filtering Routers: Filtering routers reject attempts to communicate between addresses and ports not configured as allowed. This helps to prevent common attacks that use “drones” or “zombies” searching for vulnerable servers. Although relatively easy to block, these types of attacks remain a favourite method of malicious attackers in search of vulnerabilities. Filtering routers also support configuring back end services to be accessible only from their corresponding front ends.
- Firewalls: Firewalls restrict data communication to (and from) known and authorized ports, protocols, and destination (and source) IP addresses.
- Cryptographic Protection of Messages: TLS with at least 128-bit cryptographic keys is used to protect control messages sent between Microsoft Azure datacenters and between clusters within a given datacenter. Customers have the option to enable encryption for traffic between end-users and customer VMs.
- Software Security Patch Management: Security patch management is an integral part of operations to help protect systems from known vulnerabilities. The Microsoft Azure platform utilises integrated deployment systems to manage the distribution and installation of security patches for Microsoft software.
- Monitoring: Security is monitored with the aid of centralised monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment, providing pertinent and timely monitoring and alerts.
- Network Segmentation: Microsoft uses a variety of technologies to create barriers for unauthorised traffic at key junctions to and within the datacenters, including firewalls, Network Address Translation boxes (load balancers) and filtering routers. The back-end network is made up of partitioned Local Area Networks for web and application servers, data storage and centralised administration. These servers are grouped into private address segments protected by filtering routers.
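The filtering-router and segmentation points above (default-deny between address/port pairs, back ends reachable only from their own front end) as an added, constructed example that is not Azure's or ClubSpark's configuration. The address plan, segment names and ports are invented for illustration; the point is that anything not explicitly allowed is rejected, and rejected flows are what the monitoring layer should alert on.

```python
from ipaddress import ip_network, ip_address

# Constructed address plan: each tier is its own private segment; 0.0.0.0/0 is the public internet.
SEGMENTS = {
    "internet": ip_network("0.0.0.0/0"),
    "web":      ip_network("10.1.0.0/24"),
    "app":      ip_network("10.2.0.0/24"),
    "storage":  ip_network("10.3.0.0/24"),
    "admin":    ip_network("10.9.0.0/24"),
}

# Allow rules as (source segment, destination segment, destination port).
# Anything not listed is rejected, so each back end is reachable only from its own front end.
ALLOW = {
    ("internet", "web", 443),       # players reach the web tier over HTTPS only
    ("web", "app", 8080),           # web tier talks to the application tier
    ("app", "storage", 1433),       # application tier talks to the database
    ("admin", "web", 22), ("admin", "app", 22), ("admin", "storage", 22),  # administration segment
}

def segment_of(addr: str) -> str:
    """Most specific matching segment wins; only the catch-all is left for public addresses."""
    ip = ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if ip in net]
    return max(matches)[1]

def permitted(src: str, dst: str, port: int) -> bool:
    """Default deny: a flow passes only if its (source, destination, port) triple is allowed."""
    return (segment_of(src), segment_of(dst), port) in ALLOW

def rejected_flows(flows):
    """Evaluate (src, dst, port) flows and return the ones the filtering router would drop."""
    return [f for f in flows if not permitted(*f)]
```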
Checklist for GDPR:
Review the checklist below, which we have put together to help you as a venue:
- Build awareness amongst teams, colleagues and management
- Review and update your handling of data, including documentation on children's data
- Review user permissions to the platform
- Review your privacy documents: are any updates needed?
- Review and update your data and current procedures
- Avoid duplicating documentation
- Is your data current, accurate and secure?
- Can you securely dispose of personal data that is no longer required?
- Nominate a DPO or data protection lead for your organisation