This article provides information on what we're doing as a 'data processor' to comply with GDPR and how we've enhanced ClubSpark to support venues and coaches to comply with the GDPR.
What we're doing as a 'data' processor' to comply with GDPR:
Is ClubSpark a controller or a processor?
As we are processing and using personal information in accordance with the instructions of a third party, i.e. a venue or coach we are acting as a data processor (as defined by the GDPR). Venues and coaches are Data Controllers.
Can we search for personal data on your systems?
ClubSpark holds the data that Administrators have uploaded to the platform or users have entered when registering for a service at a venue or coaching organisation. Our users have full control and access to their data, including the ability to search, import, export, delete and modify the data as needed.
Are you maintaining data processing records?
All data uploaded with the platform is kept within the ClubSpark platform and clients have full control of the data within the platform, as outlined above.
Who has access to our data?
Venue and coach Administrators must maintain their own procedures as to who can access the ClubSpark platform and the data held there. The Administators module allows you to control who has access to what. ClubSpark staff have access to your account to provide support and assist in the provision of the services but only access data on instruction from yourself or a venue administrator.
For how long does ClubSpark store data?
ClubSpark holds data for as long as Administrators use the platform and keep data within their account.
Can we delete personal data from your systems?
How is data deleted?
When a contact is deleted the contact record is permanently deleted and any transactional records that contact may have had are anonymised, e.g. a court booking, or history of having a membership. When auto-deletion is enabled the contacts will sit in an archived state for 30 days until, after which point they will be permanently deleted.
What will ClubSpark do if a venue or coach receives a Subject
Access Request from one of their users?
If we receive a Subject Access Request we will provide the data requested within the timescales outline in the GDPR.
In 2018 we will be adding functionality to allow Administrators to process Subject Access Requests themselves. Until that time requests should be made via email to firstname.lastname@example.org
Does ClubSpark have a Data Processing Agreement?
Yes, ClubSpark has a Data Processing Agreement that is included within the T’s and C’s of using the ClubSpark system.
What will ClubSpark do in the event of a data breach?
In relation to the data our clients store with us (where we are a data processor), we will notify any affected client (data controller) of a personal data breach as soon as practically possible, and in any event, within 24 hours of discovering the breach.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, ClubSpark will also inform those individuals without undue delay.
Do any other organisations process any of the data provided by our
users on our behalf?
Yes, ClubSpark works with third party providers for providing the services we offer such as taking payments and sending emails. These 3rd parties are based in the EU and so no data is transferred outside of the EU in line with GDPR regulations with the exception of our clients outside the EU.
What steps do you take to safeguard the processing of our data by
third party organisations?
ClubSpark has entered into contracts with third party organisations to ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations under the GDPR.
ClubSpark development and testing platforms
ClubSpark is frequently updating our platform with feature enhancements and additions. We do this in development, testing and staging environments separate to the main platform No client data is stored in our testing or development environments.
Where is our data stored?
To safeguard the confidentiality, integrity and availability of data, the core ClubSpark platform is hosted on high-security Microsoft Azure data centres. Data for our European clients is held in the West Europe region, with data being backed up to the North Europe region. All Azure facilities meet a broad set of compliance standards.
What network security do you have in place?
Microsoft Azure hosting provides the following security features:
· Filtering Routers: Filtering routers reject attempts to communicate between addresses and ports not configured as allowed. This helps to prevent common attacks that use “drones” or “zombies” searching for vulnerable servers. Although relatively easy to block, these types of attacks remain a favourite method of malicious attackers in search of vulnerabilities. Filtering routers also support configuring back end services to be accessible only from their corresponding front ends.
· Firewalls: Firewalls restrict data communication to (and from) known and authorized ports, protocols, and destination (and source) IP addresses.
· Cryptographic Protection of Messages: TLS with at least 128 bit cryptographic keys is used to protect control messages sent between Microsoft Azure datacenters and between clusters within a given datacenter. Customers have the option to enable encryption for traffic between end users and customer VMs.
· Software Security Patch Management: Security patch management is an integral part of operations to help protect systems from known vulnerabilities. The Microsoft Azure platform utilises integrated deployment systems to manage the distribution and installation of security patches for Microsoft software.
· Monitoring: Security is monitored with the aid of centralised monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment, providing pertinent and timely monitoring and alerts.
· Network Segmentation: Microsoft uses a variety of technologies to create barriers for unauthorised traffic at key junctions to and within the datacenters, including firewalls, Network Address Translation boxes (load balancers), and filtering routers. The back-end network is made up of partitioned Local Area Networks for Web and applications servers, data storage, and centralised administration. These servers are grouped into private address segments protected by filtering routers.
What business continuity and disaster recovery policies and
systems does ClubSpark maintain?
The ClubSpark platform is built using redundancy and load balancing at every level; meaning a single component failure should not result in a service disruption.
Data is backed up to an external secondary location, yet still in the same region complying with data protection obligations. In the event of a catastrophic event at the primary facility, the service will be restored in the secondary location.
How we've enhanced ClubSpark to help clubs and coaches comply with the GDPR:
The following features have been added
to the system to support venues and coaches to comply with GDPR.
· All consents changed to be opt in
· Consent preferences can be updated via a user’s account pages
· Parental consent added where transactions relate to juniors
· Contact records can be permanently deleted
· Quick unsubscribe from emails without the need for a user to login
· Junior records are easier to identify
· Junior records cannot be emailed directly – only via a parent
· Under 13-year old’s cannot create a user account
· Auto-deletion of inactive contacts – coming soon
· Data request exports – coming soon
· Ability to add more consents - coming soon
Does ClubSpark have a DPO?
Yes, ClubSpark’s nominated Data Protection Officer is Andrew Poxon - COO. Any queries may be addressed to him via email: email@example.com
For further information, check out our GDPR support guides for venues and coaches.