A GDPR Guide for Coaches

It is recommended that you should inform and train your teams and organisations, as well as employees who handle sensitive data, about GDPR and the regulations and what they mean for your operation.

Take time to review all your data processes, including the legal basis for using the data. You will also need to check and see if any of the data you have is inaccurate or outdated on members who have transferred to other clubs, coaches and/or similar situations.

When working with children, it is vital that your current policies are up to the GDPR standards which are created to protect the data of those most vulnerable.

If you are unsure about these policies, review the 12-step guidance checklist.

Do I need to register as a data controller/processer?

It is important that you are compliant with the GDPR policies. 

If you are unsure about your organisation, please refer to the ICO website for updates.

Have you audited your organisation's personal data usage?

It is recommended that you perform a mini-audit of your organisation's personal data.
You will be expected to know the answers to the following questions.

• What types of individuals do you hold and process information? E.g. staff, members, players?
• What nature of information do you hold and where does it come from and what do you use it for?
• Do you share your information with any third parties? If so, what do they use it for?

As a coach have you documented what personal data you hold, where it came from, who it's shared with and what they do with it?

Make sure you look over your data protection policies, and the language you use on documents to make sure they are compliant with the latest regulations.

What does ClubSpark do with the data?

We only use the data ourselves to manage the platform. Our role is to act as a Data Processor on behalf of you, the Data Controller. 

What is ClubSpark doing to support me as a coach?

In order to support coaches in being compliant ClubSpark provide the following:

• Opt-in consents for venues and coaches
• The ability for users to update their consents from their account area
• Ability to delete records if requested by any user
• Preventing any user from creating an account if they are under the age of 13
• Making it easier to identify junior records within the system
• Ensuring that any junior product being purchased on the system is only done so by the player’s parent or guardian

What does ClubSpark do to keep my data secure?

The security of your data is of the utmost importance to us. Our platform is hosted on Microsoft Azure, which runs in geographically dispersed data centres that comply with key industry standards, such as ISO/IEC 27001:2005, for security and reliability. They are managed, monitored, and administered by Microsoft operations staff that have years of experience in delivering the world’s largest online services with 24 x 7 continuity.

In addition to the data centre, network, and personnel security practices, Microsoft Azure incorporates security practises at the application and platform layers to enhance security for application developers and service administrators.

Security for the Hosting Environment

The Microsoft Azure platform environment is composed of computers, operating systems, applications and services, networks, operations and monitoring equipment, and specialised hardware, along with the administrative and operations staff required to run and maintain the services. The environment also includes the physical operations centres that house the services and which themselves must be secured against malicious and accidental damage.

Key Architecture Design Points

The Microsoft Azure platform is designed to provide “Defense in Depth,” reducing the risk that failure of any one security mechanism will compromise the security of the entire environment. The Defense in Depth layers include:

• Filtering Routers: Filtering routers reject attempts to communicate between addresses and ports not configured as allowed. This helps to prevent common attacks that use “drones” or “zombies” searching for vulnerable servers. Although relatively easy to block, these types of attacks remain a favourite method of malicious attackers in search of vulnerabilities. Filtering routers also support configuring back end services to be accessible only from their corresponding front ends.
• Firewalls: Firewalls restrict data communication to (and from) known and authorized ports, protocols, and destination (and source) IP addresses.
• Cryptographic Protection of Messages: TLS with at least 128-bit cryptographic keys is used to protect control messages sent between Microsoft Azure datacenters and between clusters within a given datacenter. Customers have the option to enable encryption for traffic between end-users and customer VMs.
• Software Security Patch Management: Security patch management is an integral part of operations to help protect systems from known vulnerabilities. The Microsoft Azure platform utilises integrated deployment systems to manage the distribution and installation of security patches for Microsoft software.
• Monitoring: Security is monitored with the aid of centralised monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment, providing pertinent and timely monitoring and alerts.
• Network Segmentation: Microsoft uses a variety of technologies to create barriers for unauthorised traffic at key junctions to and within the datacenters, including firewalls, Network Address Translation boxes (load balancers), and filtering routers. The back-end network is made up of partitioned Local Area Networks for Web and applications servers, data storage, and centralised administration. These servers are grouped into private address segments protected by filtering routers.

Checklist for GDPR:

Review the below checklist we have put together to help you as a venue:

• Review and update your handling of data, including children documentation
• Build awareness amongst teams, colleagues and management
• Review user permissions who have access to the platform
• Review your privacy documents, are any updates needed?
• Review and update your data and current procedures
• Avoid duplicating documentation
• Is your data current, accurate and secure?
• Can you securely dispose of personal data that is no longer required?
• You have a nominated DPO or lead for your organisation