
Marlborough House, Westminster Place

York Business Park, York, YO26 6RW


info@legendware.co.uk
www.legendware.co.uk
(T) 01904 529 575

Information Security Management System

Legend GDPR Information Document

Version 1.1
Date: 14/04/2018
Version History:

Version  Date        Summary of change           Author
Draft    02/02/2018  Draft issued for review     Paul Simpson
1.1      12/04/2018  Issued for internal review  Paul Simpson

Approvals:
This document must be approved by the following:

Name          Signature  Title / Responsibility   Date  Version
Sean Maguire             Managing Director
Paul Simpson             Chief Operating Officer

Related Documents:
These documents will provide additional information.

Title Version

Version 1.1 Legend GDPR Information Document


Page 2
CONTROLLED
Contents

Overview ................................................................................................................................................. 4
Purpose ................................................................................................................................................... 4
Scope ....................................................................................................................................................... 4
GDPR Information for Legend ................................................................................................................. 5

Overview

This document provides the information required by Legend customers as part of their assessment of suppliers
in line with GDPR.
For the purpose of this document:
The Legend Customer is the Data Controller.
Legend Club Management Systems is the Data Processor.

Purpose

This document will be available to Legend customers wishing to validate Legend's approach to GDPR and to
assist Legend customers in the development of their own GDPR documentation.

Scope

This statement applies to the Legend Club Management software system (Legend) and the services offered by
Legend Leisure Services (LLS) covering the processing of Direct Debit Payments and the provision of media
marketing services.

GDPR Information for Legend

Does Legend have an appointed Data Protection Officer?


Yes. Paul Simpson.
Legend Club Management Systems
Marlborough House
York Business Park
YORK
YO26 5RW
Paul.simpson@legendware.co.uk

Please detail any training that Legend employees have undertaken in respect of Data Protection
and Information Security in the last 12 months.
Legend Club Management Systems holds the ISO9001:2015 and ISO27001:2013 certifications which
are both externally assessed by BSi. As part of our Information Security Management System (ISMS)
we undertake regular briefings and training for staff and cover Information Security as part of our
induction processes. Training is in the form of presentations and questionnaires to all staff. As part
of our ISMS culture we encourage staff to take a keen interest in security matters.

How is customers' data kept secure? How is it stored? Are there any security / encryption
measures in place?
Legend systems and data are stored at secure Tier III datacentres located in Leeds and Northampton.
Both datacentres hold ISO9001 and ISO27001 certifications. Each location has perimeter security
with CCTV coverage. Access is strictly controlled and only by prior appointment. Legend data is
stored on Legend-owned co-located servers within our own secure cabinets in the datacentre. There
are a number of security measures in place to protect the data, and we will be completing the option
to enable data encryption at rest for the database during 2018.

Describe who has access to the data.


Legend staff do not access customers' data except in the execution of specific duties for the support
or processing of the data, with the specific approval of the customer. Roles that may access data
include:
Support: To investigate problems or provide support for specific queries. This would be limited to
the particular issue in hand at that time. Note that Legend has an out-of-UK-hours support desk
running from its Canada office. If customers would rather that the Legend staff in Canada did not
see their data when providing support, they should say so at the time of the call, although this may limit
the advice that can be given.
Implementations & Training: To migrate data from or between systems at the express instruction of
the customer, and to provide specific training using the customer's own data.

Database Administrator: To conduct administration tasks in line with the maintenance of the
database.
Note that staff whose role might mean they access data frequently undergo background checks
before receiving such access.

How will Legend dispose of any paper or digital copies of our information?
Legend will rarely print any copies of personal data. Where this is required, we operate a policy of
shredding any information which might contain personal data.
Digital data is only ever stored at our datacentres, and we have a policy of not storing customer data
on any standalone devices. Should a customer move away from Legend, the digital data will be
removed according to a process and timeline agreed with the customer. Any redundant disks will be
destroyed, and certified as destroyed, by an appropriately approved data destruction company.
Where data is to be removed in line with the customer's data retention policy, personal information is
redacted from the database. This is under the control of the customer through the setting of data
redaction rules. These can cater for redaction on an individual or club basis.

Is Legend data shared with any third parties?


Legend only shares data with third parties to provide services contracted with our customers and
with the approval of our customers. Examples of such third parties include, but are not limited to:
Mailing companies
Retention companies
Gym equipment systems
Legend assesses all such parties and by default looks for those with the appropriate information
security systems in place. Where a customer requires a third-party link outside of our vetting process,
we will highlight the responsibility of the customer to accept that risk.

Does Legend hold any ISO Accreditations that are relevant to data protection?
Yes. Legend holds the following ISO/IEC accreditations:
ISO9001:2015
ISO27001:2013

Does Legend hold any data outside of the United Kingdom or the European Economic Area (EEA)?
No. Legend data is stored within the datacentres in Wakefield and Northampton.
Note that we can only answer for data stored by Legend. Customers should validate this area with
third parties who they wish to use with links to Legend.

Has Legend had any data protection breaches in the last 12 months which have been reported to
the Information Commissioner?
No.

Has Legend performed any security tests on the IT infrastructure or software?


Yes. Legend undertakes annual software penetration tests, where any vulnerabilities are assessed by
their CVSS score and actioned accordingly. Additionally, Legend undertakes regular ASV scanning of
its networks.

Does Legend have any other provisions in place in relation to protection / compliance under the
General Data Protection Regulation that have not been covered above?
No.

Has Legend conducted a Data Protection Privacy Impact Assessment (PIA) on its system?
Yes. Legend has conducted a Privacy Impact Assessment in such a manner that its customers can
adapt it for their own use in relation to data stored in the Legend system.

Can data be exported from Legend in line with an information access request from an individual?
Yes. There is a standard report in the New Reports section that allows a single member's personal
data to be extracted in printed form or in an electronic format such as CSV or XLSX. Note that it is the customers'
responsibility to validate the authenticity of, and to put in place suitable approval processes for, such
requests.
Legend will not initiate any such release of data unless at the express request of the Data Controller.

How is ‘consent’ managed in Legend?


There are eight standard consent items covering communication preferences: four for own
use and four for third-party use. Each set is split into email, text, phone and letter. There is also the
option to create extra consent items in the software if required.
Legend is not responsible for the gathering of consent from members for its customers.
