Cybata, Sport Wales and DPOrganizer – ROPA Case Study


Sport is a thriving industry, but it is not without its risks. Threats are common, from phishing attacks and data breaches to ransomware attacks.

Recently we’ve worked closely with Sport Wales to help ensure that their data protection measures are up to scratch. This comprises a number of activities, but one of the priority tasks was to help them migrate from a static Excel spreadsheet-based ROPA (Record of Processing Activities) to a modern SaaS tool, namely DPOrganizer.

Together, our knowledge of data within sport and DPOrganizer’s powerful data protection software were able to help Sport Wales get a grip on the data they obtain, hold and use.

Below you will find an extract from Chris’s recent conversation with Phil Stevens, the Information Security Lead at Sport Wales, where they discuss the changes made, and the future impact they’ll have on Sport Wales going forward.


What is your biggest data protection challenge at Sport Wales?

Sport Wales, like many sports bodies in the UK, deals with a complex privacy landscape. The sheer amount of data to deal with across the different sports organizations is definitely one of our biggest challenges. Data protection isn’t something many sports are able to prioritize, and also not something we’ve developed de-centralized expertise in. As the sole DPO in Wales I have to lend a lot of support to my colleagues around the organization, who haven’t done many of the everyday privacy tasks I deal with.

How did you manage your privacy program before DPOrganizer?

We were essentially using a spreadsheet for our record of processing activities. It allowed us to detect big risks, but it didn’t give the granularity to be able to target priority areas that surfaced nuanced. We recognized what our most pressing issues were, but we didn’t know how complex the interactions were as you went down through the data processes.

What’s changed since you implemented DPOrganizer?

DPOrganizer has brought those risks far more visibly into the organization so that we can detect patterns far easier. We can pick up where we are entering into a new arrangement where risk from an old arrangement resurfaces.

This allows us to reprioritize, making sure that we’re actually kind of getting a lot of the more invisible stuff under our previous ways of working right to the forefront. And it allows us working in data protection to build a more effective roadmap for security in a way that we probably didn’t expect it to. In short, DPOrganizer allows us to see the full story, not just the headlines.

The report format also allows us to engage people who don’t work with data protection across the organization, like our board of directors, and I can present information to them in a far more timely and accurate way than we could do previously.

You use the reporting for your board – what have they been expecting to see before? And what were you able to show them now that made things easier?

The reports are quite large and our board has many competing priorities. So for the first time, I can now headline risks and pull data out of those reports cycles and summarize them for the board. It provides far greater assurance of our data position as it allows them to see the primary evidence rather than summary.

There’s absolutely no way I could have shown the previous record of processing activities to them as a spreadsheet because it was incomprehensible – each tab was hundreds of entries long.

Are there any other features outside of mapping and reporting that you’ve been using?

Particularly relevant to us is the E-learning feature and the ability to reach out to partners, put content and check processes in place through things like the quizzes in the E-learning feature and the ready-made pre-vendor assessment.

For us, the ability to not just go to a sports body and say, “look, we want to help you understand your data risks”, but also provide these tools makes it a much more compelling offer. For the first time, we can help them understand their data through the E-learning training modules, as well as do vendor diligence – which is something they typically wouldn’t do.

That’s a force magnifier for me. I’m the only statutory appointed DPO in the sporting sector here in Wales, which means that I spend the majority of my time providing support to Sport Wales, my own organization, but on the side I’m helping out all the guys, because they don’t have access to expertise.

So for the first time ever, I can just say, look, we have a trusted tool that will walk you through these processes by just answering the question on this template and the process suddenly becomes a lot easier.

What’s been your experience when talking with DPOrganizer’s service team and resolving issues on a day-to-day basis?

You know, we have fantastic onboarding support from our account manager, Victoria. We don’t always need it though – so much of the tool is so easy to use that anyone can do it, whether they are data protection specialists or not. You just spend a morning running through a couple of coffees clicking around and you get it.

During our assessment of competing products, we found that though they were powerful in their own right, they didn’t offer the intuitive ease of use that DPOrganizer has.

I think there’s a natural learning curve attached to data protection work, because you deal with really complex information. You have to have an outlined process and resources to support them. But because DPOrganizer does all the heavy-lifting on making those processes and risks easy to understand, I can focus on that 10 percent of tasks that are complex.

Has DPOrganizer changed how you’re planning your privacy program or how you were thinking long term about data protection and privacy?

I think DPOrganizer has made our roadmap much wider, and made us more confident. Because now, we understand collective and individual risks much better – which we just simply could not do using the existing tools we had.