Everton FC substituted spreadsheets for software mere months before the GDPR kickoff


With each passing season, the footballing industry seems increasingly detached from the realities most businesses face to remain profitable. Exorbitant sums of money are passed between clubs, players, and supporters on a daily basis; not to mention a counterintuitive penchant for amassing mountains of debt to drive footballing success.

However, even the sporting world has been unable to avoid the EU's General Data Protection Regulation (GDPR). Just as with every other business dealing with data belonging to European citizens, massive football clubs must comply with demands to bring data practices in line with modern standards from appointing a Data Protection Officer (DPO), to the training of staff.

Everton FC was forced to delay this process until January 2018, just months before the GDPR deadline, putting faith into the all-in-one, modular GDPR suite developed by SureCloud. Maintaining a database of 32,000 season ticket holders, 925,000 registered fans, 360 employees, players and agents as well as third-party suppliers, through Excel spreadsheets, is a laborious task, with or without GDPR. But a changing landscape spurred the Premier League stalwart into re-examining how it managed data and processed GDPR's additional demands.

Everton was still using a series of spreadsheets to manage its data within the football club, independent club charity, and partner academy. In January, the club hired Ian Garratt as its DPO to single-handedly oversee the transition to SureCloud. Discussions between SureCloud and the club were already well underway at this stage. But the platform wasn't initially up to the standards expected, Garratt tells IT Pro, and needed a significant amount of custom tailoring to suit the club's data protection needs.

"I hadn't worked with a full management system before. I'd looked at OneTrust which is an equivalent, very template-based, and then what I'd worked on was spreadsheets, Excel and ones that we'd built in-house, at my old employer. So I went into SureCloud with a long list of tailoring. Most of them were only quite minor but there was quite a few."

Although compliant by 25 May, implementation was touted to take so long that Everton considered hanging onto its spreadsheet-based system as the deadline approached. It would've posed a massive headache given how slow searching through spreadsheets would have been, not to mention handling internal and external queries taking a great deal longer compared with SureCloud's touted greater functionality.

"By the time we started the discussions it was probably late January, early February," Garratt continues. "Knowing we had to get all of the data mapping done, and in place before May, we were considering whether or not we had to do that spreadsheet-based, and import it into SureCloud afterwards, just because of the timing.

"But we were lucky in that they got it all done for us."

Bringing the human touch for higher-quality data

Before joining Everton, Garratt was information governance manager with the Southport and Ormskirk Hospital NHS Trust in Lancashire and Merseyside. Using spreadsheets in this post meant he could slot straight into the role with Everton, but would have to quickly adapt to the platform.

Fresh to the club, and sole member of the data protection team, he had to gain a wider understanding of what data each department held, and their internal processes. He devised an approach to overcome these challenges all at once, sending questionnaires to each department, and inputting the answers into SureCloud himself. But the key, Garratt says, lied in working through them with people one-on-one, to personally guide them through what needed to be sent back.

Instead of giving everyone within the organisation their own SureCloud login, Garratt decided to limit access to the club's data to three individuals: himself, the director of risk, and head of IT. They also decided against setting up email reminders and alerts, despite the fact this approach takes longer.

"I think just from my experience you get better quality input if you actually sit down with people and do it with them, rather than sending an email alert and asking them to update something themselves when they're not specialists in the area," he explains.

A matter of when, not if

During implementation, Garratt oversaw the migration of data from on-prem infrastructure to the cloud. But assurances over security and the decision to go with SureCloud in the first place rested with the club and were a matter for before he joined.

"Football clubs are getting targeted more and more often," says Garratt. "Certainly, from a backup point of view, I feel happier with it being hosted rather than living on a server. The risk is always there. Cyber security is now on our risk register, and I think always will be. I'd expect it to be on every company's register nowadays. The other threat I suppose is malicious staff."

"If we did have an incident," he explains: "We should straight away be able to see what the data types are, what the fields are, the volume, what systems there are, and what associated systems. So we'd be able to get a really good idea of the scale of the incident, and we'd be able to get that very quickly."

And what about minor incidents, such as supporters' email addresses inadvertently leaking due to a lapse in staff concentration, as struck West Ham FC in August?

"If that happened with us, any mass marketing should go up to our marketing department, and they've got a system that sends them all as individual emails - all personalised - so you don't need to do it as BCC.

"If we had a lot of emails like that going out - and it's largely to Hotmail or Gmail sort-of accounts, we've got systems that would flag them, quarantine them, then either myself or someone from the IT department would be able to review them... I imagine West Ham has probably got the same sort of system, and it just, for whatever reason, didn't go through that system."

Supplier contracts prove a major GDPR challenge

The most difficult part of Everton's wider compliance journey involved re-examining the several existing contracts with the club's many suppliers. Although just a handful of suppliers have access to personal data held by the club, reaching out to renegotiate a GDPR-compliant addendum proved the toughest aspect for Garratt.

"The data mapping is what took the most time, but that's because there was a lot of it. But getting contracts in place with suppliers with the GDPR-standard terms has been the hardest bit of the gameplay.

"They would've had general data protection and confidentiality terms, but GDPR stipulated a wider scope for what the contracts had to include even things like assistance with impact assessments, acceptance of audits by us and by the ICO, and breach reporting."

By using SureCloud, Garratt says, the club was able to list all their third parties, and a subsection of those who were charged with handling the club's data, as well as whether they were based in an EU country, or a non-EU country with or without data adequacy.

But it was no substitute for the hard graft the club's had to put in to ensure GDPR-compliant terms were included in each contract individually, with each supplier providing their own template, and seeking to consult with their own legal teams respectively.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.