Leicester Tigers have built one of the biggest fan bases in Premiership Rugby but the club's popularity created a data protection problem as the GDPR implementation date approached.
The Tigers routinely process and hold data from ticket sales including names, addresses, phone numbers, email addresses, dates of birth and payment information on around 100,000 customers. The club also holds some highly sensitive data, including the medical records of players and information about the children who attend its rugby camps or receive support from the club's community work.
A data breach that exposed some of this sensitive information could result in a catastrophic fine under GDPR, but the damage to the club's reputation could be even more harmful.
To secure all the data about the players, supporters, and community in line with GDPR requirements, Leicester Tigers sought professional assistance from ThinkMarble, an information security firm that provides strategic advice on regulatory compliance.
"We started off with an exploratory contract with them which involved an online gap analysis," Phil Everitt, management information systems manager at Leicester Tigers, tells Computerworld UK.
"That was a questionnaire that I had to complete on all aspects of our data - where it was held, how it was held, who held it, what access we had, and what were the reasons for that access. It was quite in depth, and from that, they produced a report which highlighted all the different areas of data protection in a traffic light system. In green areas, we were fully compliant, in red we weren't compliant and in orange, we were halfway there.
"They produced a report from the gap analysis which I presented to our board of directors and from that we set up a contract with them to address all of the amber and red issues."
For the next few months, Everitt worked with ThinkMarble to turn the traffic lights green by resolving any issues and updating policies wherever they were required.
The issues that ThinkMarble identified mostly involved new requirements introduced by GDPR that didn't exist under the 1998 Data Protection Act that preceded it.
Consent for data collection now requires a positive opt-in for each individual processing operation conducted by the club or any of its partners, such as every sponsor that wants to send marketing materials.
GDPR also brings in stricter requirements on the storage of personal data, with an emphasis on minimising both the volume of information stored and the length of time it's retained.
The Tigers audited their database to remove anything they didn't need and to tidy up everything they would keep.
"We did a data audit across the company to measure where all our data was, because whilst our main database sits in our ticketing system, there are other people holding data on spreadsheets and on their individual computers," says Everitt. "So we did a complete audit of where all that was and why it was there and that produced a big clean up across the network."
ThinkMarble then arranged a GDPR training session for all Leicester Tigers staff to raise awareness of the regulation and of the issues that had been discovered in the data audit.
The interactive training session put staff through a series of data protection scenarios in which they were put in the role of the customer and then asked how their current practices could be improved.
Leicester Tigers will conduct further GDPR training on at least an annual basis.
Recruiting ThinkMarble to the team
Everitt turned to ThinkMarble after he read through the GDPR requirement and realised he needed expert assistance to navigate the complex rules.
ThinkMarble had been recommended to Everitt by colleagues from a number of other sports clubs, including one Premier League team, whom he regularly meets on a forum for IT managers in sport.
The company's track record in data protection helped it stand out from its competitors.
"The biggest thing in their favour was that data protection was something they'd been doing for a long time," says Everitt. "There are quite a few companies who just jumped on the bandwagon with GDPR and added it as something else they could sell but didn't necessarily have any historical expertise in that area.
"We liked the fact that they were a data protection company and had been for a while, and the biggest factor was that they had a data protection lawyer in-house who worked for them, which meant there was someone we could directly go to with specific questions about the regulation."
More than six months after GDPR came into force, Everitt remains comfortable with his company's data protection practices, but acknowledges that compliance is an ongoing process.
"We're very happy that our customers' data is safe and secure with us and that we won't use it in a manner that they wouldn't want us to," he says.
"Moving forward, the aim is to stay up to date with that. You can't just tick all the boxes and then shove it in a filing cabinet. We need to stay on top of this on an annual basis with training and monitoring and data audits on a regular basis to make sure that we're maintaining the standard we've set for ourselves."