Data exported from FA systems such as the Competition Portal, Club Portal and Full-Time is categorised as Personally Identifiable Information (PII) and is protected by UK legislation, UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The law requires data to be handled in a way that ensures appropriate security, including protection against unauthorised processing, access, loss, destruction, or damage.
The NCSC advises that you, as a data controller, must:
Ensure you know what data you have, where it is stored, and apply protection based upon the risks you have identified.
Avoid storing data that you do not need
Ensure protection of all copies of data held
Ensure data is protected in transit; encrypt data whenever it is being moved
Ensure data is protected at rest through disk encryption, and is not accessible to unauthorised users
Use current standard cryptographic algorithms to protect data
Log access to data and monitor for unusual queries and bulk exports
Consider where you rely on third parties, such as staff processing data on personal devices, and understand what measures should be taken to protect that data
Understand your legal responsibilities and applicable regulation; you are required to demonstrate that your processing complies with GDPR.
The National Cyber Security Centre (NCSC) provides comprehensive guidance for organisations in the UK on protecting IT systems and assets: www.ncsc.gov.uk