Premier League football club Everton FC has deployed software to manage and monitor its data and GDPR compliance. It replaced the club’s manual data mapping and processing.
Everton’s databases detail over 32,000 season ticket holders and over 600,000 registered fans, besides around 360 employees, players, agents, suppliers, and others associated with the club’s Community charity and partner school. Much of this data is sensitive. This data and all of the processes associated with it were being manually managed and tracked in Excel spreadsheets. With multiple requests and queries to respond to daily, the club’s Data Protection Officer was struggling to record and manage smaller ad hoc queries and tasks.
With GDPR due to place much tighter restrictions on how the club processed, managed and shared its data – as well as on the reporting of any incidents that did occur – the club needed a more comprehensive and reliable tool in place before the new law came into force in May.
The club approached its long-standing IT support provider NCC. That firm recommended the SureCloud GDPR Suite, delivered on the SureCloud platform. Everton selected its cloud-based suite of solutions.
Two dashboards were created according to the club’s specific needs: one to show all data mapping and transfers, including where data is being held and who it is being shared with; and one showing incidents and requests, including a subject request register and incident tracker path. This gives an overview of which requests are still outstanding, such as a request for an individual’s personal information to be erased from the database.
The five applications Everton chose to deploy from the SureCloud GDPR Suite were:
GDPR Program Tracker – to enable the club to map all its disparate data and workflows using intelligent risk-based questions;
GDPR Management – to provide all mandatory GDPR business-as-usual processes;
Information Asset Management – to record and maintain the club’s data inventory;
Compliance Management for GDPR – to help Everton speed up their process of attaining compliance and on-going real-time risk remediation; and
Incident Management for GDPR – to meet the GDPR requirement to log, track and notify the ICO of any data breaches, should an incident arise.
Ian Garratt, Data Protection Officer at Everton FC said: “The penalties for not achieving GDPR compliance are severe – up to 4pc of our revenues, or 20 million euros. It was imperative that we got a solution in place that could not only help us achieve GDPR compliance, but would also make it quick and easy for us to demonstrate that compliance at any point, on request. SureCloud’s GDPR Suite fit the bill.
“We are now tracking and recording every single data request in a centralised way. With NCC’s support, SureCloud’s solution has brought a comprehensive clarity to our data processing that was impossible to achieve with manual spreadsheets. The system is so intuitive; it has helped us streamline multiple processes and undertake impact assessments that we couldn’t handle before.”
Now, all of Everton FC’s disparate data are mapped, risk-assessed and tracked in a single system. All changes and requests are automatically tracked so that activity records and data audits can be produced at the click of a button. Should an incident like a suspected data breach occur, it is identified and reported automatically.
Ian Garratt added: “The SureCloud GDPR Suite isn’t just a compliance tool; it’s a comprehensive management tool. We now have a continuous, real-time status of where we are and what we need to be doing in terms of data processing, documentation and risk management. It would have simply been impossible to achieve this manually. SureCloud has not only helped us to work towards GDPR compliance they have optimized our internal processes and positioned us strategically for the future.”
