DO's for Secure & Private Data Handling
Data Protection
- Encrypt all personal and health data both at rest and in transit.
- Use strong, unique passwords and enable multi-factor authentication (MFA) on all work-related accounts.
- Store data only in approved systems that comply with GDPR and CNIL recommendations.
Access & Use
- Access only the data you need to perform your job (principle of least privilege).
- Use anonymized or pseudonymized data when full identity is not necessary.
- Log out of systems when not in use, especially on shared or mobile devices.
Awareness & Training
- Complete regular data protection training, especially GDPR and health data-specific handling.
- Report security incidents or breaches immediately to your DPO (Data Protection Officer) or IT security team.
- Ask for guidance when unsure about handling specific types of data.
Legal & Ethical Compliance
- Ensure explicit consent is collected from athletes before gathering health data.
- Inform individuals of their rights (e.g. access, rectification, erasure).
- Use data only for legitimate, declared purposes (e.g. performance monitoring, not marketing).
DON'Ts for Secure & Private Data Handling
Unauthorized Access & Sharing
- Don’t access health or personal data of athletes unless you are authorized and need it.
- Don’t share sensitive data via unsecured channels like email, messaging apps, or personal drives.
- Don’t copy or export data to USB sticks, external devices, or personal cloud storage.
Poor Practices
- Don’t reuse passwords across work and personal accounts.
- Don’t leave devices unlocked or unattended, especially with dashboards or spreadsheets visible.
- Don’t disable or bypass security tools such as antivirus or VPNs.
Data Misuse
- Don’t use player data for unauthorized purposes, such as public sharing, social media posts, or personal research.
- Don’t ignore data subject requests (e.g. deletion or correction of their data).
- Don’t store data longer than needed, unless retention is justified legally.
GDPR Context Reminders
- Under GDPR Article 9, health data is a special category of sensitive personal data, requiring stronger safeguards.
- CNIL requires that all data processing be documented, especially in systems tracking biometric or health information.
- Your company must have a Record of Processing Activities (ROPA) and conduct a DPIA (Data Protection Impact Assessment) for health-related projects.