This article provides information on what we're doing as a 'data processor' to comply with GDPR and how we've enhanced ClubSpark to support venues and coaches to comply with the GDPR.
What we're doing as a 'data' processor' to comply with GDPR:
Is ClubSpark a controller or a processor?
As we are processing and using personal
information in accordance with the instructions of a third party, i.e. a
venue or coach we are acting as a data
processor (as defined by the GDPR). Venues and coaches are
Data Controllers.
Can we search for personal data on your systems?
ClubSpark holds the data that
Administrators have uploaded to the platform or users have entered when
registering for a service at a venue or coaching organisation. Our users have
full control and access to their data, including the ability to search, import,
export, delete and modify the data as needed.
Are you maintaining data processing records?
All data uploaded with the platform is
kept within the ClubSpark platform and clients have full control of the data
within the platform, as outlined above.
Who has access to our data?
Venue and coach Administrators must
maintain their own procedures as to who can access the ClubSpark platform and
the data held there. The Administators module allows you to control who has
access to what. ClubSpark staff have access to your account to provide support
and assist in the provision of the services but only access data on instruction
from yourself or a venue administrator.
For how long does ClubSpark store data?
ClubSpark holds data for as long as Administrators
use the platform and keep data within their account.
Can we delete personal data from your systems?
Contacts can be deleted individually.
In 2018 we will be introducing the ability to automatically delete inactive
contacts after a set period of time, as defined by Administrators. If a user
would like to delete their data they can contact ClubSpark directly as outlined
in our privacy policy.
How is data deleted?
When a contact is deleted the contact
record is permanently deleted and any transactional records that contact may
have had are anonymised, e.g. a court booking, or history of having a
membership. When auto-deletion is enabled the contacts will sit in an archived
state for 30 days until, after which point they will be permanently deleted.
What will ClubSpark do if a venue or coach receives a Subject
Access Request from one of their users?
If we receive a Subject Access Request
we will provide the data requested within the timescales outline in the GDPR.
In 2018 we will be adding functionality to allow Administrators to process Subject Access Requests themselves. Until that time requests should be made via email to gdpr@clubspark.com
Does ClubSpark have a Data Processing Agreement?
Yes, ClubSpark has a Data Processing
Agreement that is included within the T’s and C’s of using the ClubSpark
system.
What will ClubSpark do in the event of a data breach?
In relation to the data our clients
store with us (where we are a data processor), we will notify any affected
client (data controller) of a personal data breach as soon as practically
possible, and in any event, within 24 hours of discovering the breach.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, ClubSpark will also inform those individuals without undue delay.
Do any other organisations process any of the data provided by our
users on our behalf?
Yes, ClubSpark works with third party
providers for providing the services we offer such as taking payments and
sending emails. These 3rd parties are based in the EU and so no data
is transferred outside of the EU in line with GDPR regulations with the
exception of our clients outside the EU.
What steps do you take to safeguard the processing of our data by
third party organisations?
ClubSpark has entered into contracts
with third party organisations to ensure the safeguarding of personal data,
including entering into Data Processing Agreements reflecting the obligations
under the GDPR.
ClubSpark development and testing platforms
ClubSpark is frequently updating our
platform with feature enhancements and additions. We do this in development,
testing and staging environments separate to the main platform No client data
is stored in our testing or development environments.
Where is our data stored?
To safeguard the confidentiality,
integrity and availability of data, the core ClubSpark platform is hosted on
high-security Microsoft Azure data centres. Data for our European clients
is held in the West Europe region, with data being backed up to the North
Europe region. All Azure facilities meet a broad set of compliance
standards.
What network security do you have in place?
Microsoft Azure hosting provides the
following security features:
· Filtering Routers: Filtering routers reject attempts to communicate between addresses and ports not configured as allowed. This helps to prevent common attacks that use “drones” or “zombies” searching for vulnerable servers. Although relatively easy to block, these types of attacks remain a favourite method of malicious attackers in search of vulnerabilities. Filtering routers also support configuring back end services to be accessible only from their corresponding front ends.
· Firewalls: Firewalls restrict data communication to (and from) known and authorized ports, protocols, and destination (and source) IP addresses.
· Cryptographic Protection of Messages: TLS with at least 128 bit cryptographic keys is used to protect control messages sent between Microsoft Azure datacenters and between clusters within a given datacenter. Customers have the option to enable encryption for traffic between end users and customer VMs.
· Software Security Patch Management: Security patch management is an integral part of operations to help protect systems from known vulnerabilities. The Microsoft Azure platform utilises integrated deployment systems to manage the distribution and installation of security patches for Microsoft software.
· Monitoring: Security is monitored with the aid of centralised monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment, providing pertinent and timely monitoring and alerts.
· Network Segmentation: Microsoft uses a variety of technologies to create barriers for unauthorised traffic at key junctions to and within the datacenters, including firewalls, Network Address Translation boxes (load balancers), and filtering routers. The back-end network is made up of partitioned Local Area Networks for Web and applications servers, data storage, and centralised administration. These servers are grouped into private address segments protected by filtering routers.
What business continuity and disaster recovery policies and
systems does ClubSpark maintain?
The ClubSpark platform is built using
redundancy and load balancing at every level; meaning a single component
failure should not result in a service disruption.
Data is backed up to an external secondary location, yet still in the same region complying with data protection obligations. In the event of a catastrophic event at the primary facility, the service will be restored in the secondary location.
Can we have a privacy policy as well as the ClubSpark policy?
Yes, the ClubSpark privacy policy covers Sportlabs in our role as a Data Processor. You can upload your own privacy policy to the platform covering your role as a Data Controller. We recommend you add the following to your privacy policy so your users are clear in how thier data is used. "We receive data from Sportlabs Technology Ltd (t/a ClubSpark). To see how they handle data, please view their privacy policy here.
How we've enhanced ClubSpark to help clubs and coaches comply with the GDPR:
The following features have been added
to the system to support venues and coaches to comply with GDPR.
· All consents changed to be opt in
· Consent preferences can be updated via a user’s account pages
· Parental consent added where transactions relate to juniors
· Contact records can be permanently deleted
· Quick unsubscribe from emails without the need for a user to login
· Junior records are easier to identify
· Junior records cannot be emailed directly – only via a parent
· Under 13-year old’s cannot create a user account
· Ability to upload a privacy policy for your venue / coaching organisation - coming soon
· Auto-deletion of inactive contacts – coming soon
· Data request exports – coming soon
· Ability to add more consents - coming soon
Does ClubSpark have a DPO?
Yes, ClubSpark’s nominated Data Protection Officer is Andrew Poxon - COO.
Any queries may be addressed to him via email: gdpr@clubspark.com
For further information, check out our GDPR support guides for venues and coaches.