GDPR

Disclaimer

The information on this website is not legal advice. It is presented as useful information for teams, clubs, leagues, counties and organisations involved in sport, and does not replace professional advice tailored to your organisation by a solicitor / attorney working on your behalf.

Pitch Hero Limited accepts no responsibility or liability for the accuracy of the information presented. Please seek your own legal advice.

What is the GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) replaces the patchwork of national laws based on the 1995 directive with a single set of data protection rules that applies directly in every EU member state from 25 May 2018.

Why does it exist?

The aim of the GDPR is to protect individuals in the EU from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.

https://www.eugdpr.org/the-regulation.html

Does the GDPR apply to my organisation?

The GDPR applies to any organisation (not just businesses) that holds, uses or shares information relating to an individual. This includes organisations that monitor or track the behaviour of individuals in the EU, store data on them, or offer goods or services to them. In practice this means that most sports organisations that maintain a membership list or database need to comply, and that organisations based outside the EU that offer goods or services to, or store data on, individuals in the EU have to comply as well.

Which data is GDPR concerned with?

The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/

What does my organisation need to do to become compliant?

  • Where you collect and/or share personal data relating to an individual, you need to provide them with certain information, including (but not limited to) how you will use their data, whether you will share it, and their rights in relation to it (see our GDPR Toolkit for further information).
  • Store personal data only in systems that support your compliance obligations, such as Pitchero, where access can be controlled, logged and reviewed
  • Stop sending and storing personal data in uncontrolled copies (emailed or unaudited spreadsheets, loose paper) that you cannot secure, track or delete; note that paper filing systems are within the scope of the GDPR too
  • Where necessary, have processes in place to gain consent for the data you hold (see the consent form contained within our GDPR Toolkit). Consent is only one of the lawful bases available; it must be freely given, specific, informed and as easy to withdraw as to give, so for routine membership administration another basis (such as contract or legitimate interests) may be more appropriate
  • Decide on appropriate retention policies for each type of data stored
  • Put in place appropriate organisational and technical measures to protect personal data
  • Where required, record your data processing activities and appoint a data protection officer
  • Undertake data protection impact assessments where necessary
  • Have processes in place to respond to data subject requests in a timely manner
  • The above is not a definitive list of steps you should take. For further comprehensive information regarding the steps you should be taking to ensure compliance with GDPR, please see the ICO guidance: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

How can Pitchero help?

  • Provide you with a GDPR Toolkit to assist with GDPR compliance
  • Ensure our system is compliant ahead of the 25 May 2018 deadline, when the GDPR begins to apply
  • Provide a facility for you to gain consent from users of your Pitchero website
  • Provide tools to help access data needed for subject requests
  • Improve data security
  • Provide audit information for membership database exports - so you can see who has exported what and when
  • Clearly display who has access to data and provide tools to add or remove access where appropriate

Data security

Pitchero is committed to the secure storage of all user data, whether that be personal information or data important to your organisation.

The Pitchero production system runs exclusively in Amazon Web Services (AWS) data centres. AWS holds independently audited security certifications for its infrastructure (see AWS Cloud Security information). Under the AWS shared responsibility model those certifications cover the physical data centres and the underlying services; securing the application, its configuration and access to the data it holds remains Pitchero's responsibility.

Where data is moved to or stored outside the EU, providers are vetted for certification under the EU-U.S. Privacy Shield (see EU-U.S. Privacy Shield). Note that the Court of Justice of the EU invalidated the Privacy Shield framework in July 2020, after this page was written, so transfers to the US now need another lawful mechanism, such as Standard Contractual Clauses.

Form submissions containing personal data are transmitted over secure "https" (TLS) connections only. This protects the data from being read or altered in transit between your browser and the Pitchero system. TLS protects data only in transit: it does not protect data once stored, or copies exported from the system, and it only helps if the page itself and every form target on it are served over https.
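As an added illustration of the last caveat (this is example code, not part of the Pitchero system), the following checker parses a page offline and reports any form whose submit target would send data over plain http, including forms with a relative action on an http page and submit buttons whose formaction overrides the form's action. It also checks whether a Strict-Transport-Security header commits browsers to https for a minimum period. The page URL, HTML and headers are constructed samples.

```python
"""Check that every form on a page submits over HTTPS and that HSTS is set.

Added example, not Pitchero code. Runs offline on constructed sample input.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormTargets(HTMLParser):
    """Collect every absolute URL a form on the page could submit to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []          # list of (description, absolute URL)
        self._form_index = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form_index += 1
            # A missing action means "submit back to the current page URL",
            # so a relative or absent action inherits the page's scheme.
            action = attrs.get("action") or self.page_url
            self.targets.append(
                (f"form#{self._form_index} action", urljoin(self.page_url, action)))
        elif tag in ("button", "input") and "formaction" in attrs:
            # formaction on a submit control overrides the enclosing form's action.
            self.targets.append(
                (f"form#{self._form_index} formaction",
                 urljoin(self.page_url, attrs["formaction"])))


def insecure_form_targets(page_url, html):
    """Return (description, url) pairs whose submit target is not https."""
    parser = _FormTargets(page_url)
    parser.feed(html)
    return [(desc, url) for desc, url in parser.targets
            if urlsplit(url).scheme != "https"]


def hsts_ok(headers, min_max_age=31536000):
    """True if Strict-Transport-Security is present with max-age >= min_max_age (default one year)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number) >= min_max_age
    return False


# Constructed sample page: one safe form, one posting to a legacy http host,
# and one whose export button overrides the action with an http formaction.
SAMPLE_PAGE_URL = "https://www.example.org/members"
SAMPLE_HTML = """
<form action="/login" method="post"><input name="email"></form>
<form action="http://legacy.example.org/join" method="post"><input name="name"></form>
<form method="post"><button formaction="http://example.org/export">Export</button></form>
"""
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}

if __name__ == "__main__":
    for desc, url in insecure_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"INSECURE {desc}: {url}")
    print("HSTS ok:", hsts_ok(SAMPLE_HEADERS))
```

On the sample page the checker flags the legacy join form and the export button, and passes the login form because its relative action resolves against the https page URL; running the same HTML with an http page URL flags the login form as well, which is why the page itself must be served over https and not just the form endpoints.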

List of changes

  • Thursday 15th March 2018 - Original version published.
  • Friday 23rd March 2018 - Added links to external resources, added data security section.
  • Monday 9th April 2018 - Added links to Pitchero resources. Added in additional bullet points to the organisation compliance section.