Everton FC’s databases are extensive, containing details on over 32,000 season ticket holders and over 600,000 registered fans, with details on around 360 employees, players, agents, suppliers, and individuals associated with the club’s Community charity and partner school. Much of this information is sensitive. This data and all of the processes associated with it were being manually managed and tracked in a series of Excel spreadsheets. With multiple requests and queries to respond to every day, the club’s Data Protection Officer was struggling to record and manage smaller adhoc queries, incidents, and tasks.
With GDPR due to place much tighter restrictions on how the club processed, managed and shared its data – as well as on the reporting of any incidents that did occur – the club needed a more comprehensive and reliable tool in place before 25th May 2018.
The club approached its long-standing IT support provider NCC to find a solution. NCC recommended the SureCloud GDPR Suite, delivered on the SureCloud platform. After SureCloud had successfully demonstrated the ability to provide full visibility for management and automation of GDPR processes across the organization, Everton FC selected its cloud-based suite of solutions.
Two dashboards were created according to Everton FC’s specific needs: one to show all data mapping and transfers, including where data is being held and who it is being shared with; and one showing incidents and requests, including a subject request register and incident tracker path. This gives an immediate overview of which requests are still outstanding, such as a request for an individual’s personal information to be erased from the database.
The five applications Everton FC chose to deploy from the SureCloud GDPR Suite were:
Ian Garratt, Data Protection Officer at Everton FC said: “The penalties for not achieving GDPR compliance are severe – up to 4% of our revenues, or €20 million. It was imperative that we got a solution in place that could not only help us achieve GDPR compliance, but would also make it quick and easy for us to demonstrate that compliance at any point, on request. SureCloud’s GDPR Suite fit the bill.
“We are now tracking and recording every single data request in a centralized way. With NCC’s support, SureCloud’s solution has brought a comprehensive clarity to our data processing that was impossible to achieve with manual spreadsheets. The system is so intuitive; it has helped us streamline multiple processes and undertake impact assessments that we couldn’t handle before.”
Now, all of Everton FC’s disparate data are mapped, risk-assessed and tracked in a single centralized system. All changes and requests are automatically tracked so that activity records and data audits can be produced at the click of a button. Should an incident like a suspected data breach occur, it is identified and reported immediately and automatically. The club’s data protection team can select which asset has been affected and immediately determine the severity of the incident and whether it needs to be reported to the ICO. Should it need to be escalated, the report is available instantly.
Ian Garratt added: “The SureCloud GDPR Suite isn’t just a compliance tool; it’s a comprehensive management tool. We now have a continuous, real-time status of where we are and what we need to be doing in terms of data processing, documentation and risk management. It would have simply been impossible to achieve this manually. SureCloud has not only helped us to work towards GDPR compliance they have optimized our internal processes and positioned us strategically for the future.”
In addition to deploying five applications within the GDPR suite, SureCloud is currently adapting its Incident Assessment tool to meet Everton FC’s specific requirements.