GET HCM
magazine
Sign up for the FREE digital edition of HCM magazine and also get the HCM ezine and breaking news email alerts.
Not right now, thanksclose this window I've already subscribed!
Follow Health Club Management on Twitter Like Health Club Management on Facebook Join the discussion with Health Club Management on LinkedIn
FITNESS, HEALTH, WELLNESS

features

Sponsored briefing: Legend - Data Matters

With the new General Data Protection Regulation (GDPR) on the horizon, Paul Simpson, chief operating officer of Legend Club Management Systems, explains why it’s vital operators take action on how they store and secure all member data

Published in Health Club Management 2017 issue 11
New laws about how you hold your data come into effect in 2018 and demand attention now to avoid regulatory fines / PHOTO: SHUTTERSTOCK.COM
New laws about how you hold your data come into effect in 2018 and demand attention now to avoid regulatory fines / PHOTO: SHUTTERSTOCK.COM
Leisure and gym operators are custodians of a huge volume of detailed personal information on members, making our industry not only a soft target, but also an attractive one - Paul Simpson

Rarely a week goes by without news of a data security breach hitting the headlines, with issues such as the global WannaCry ransomware attack – which crippled parts of the NHS – and our own industry-specific PayAsUGym attack in December 2016 heightening fears for the wider industry.

Unfortunately, this increased awareness isn’t leading to action to improve matters. Furthermore, ignorance about basic data security principles and obligations is placing the industry at significant risk of everything from accidental misadventure to financial fraud, with the repercussions ranging from regulatory fines and brand damage to business failure.

Data vulnerability
Leisure and gym operators are custodians of a huge volume of detailed personal information about members and customers, making our industry not only a soft target, but also an attractive one.
To safeguard valuable information, think about your data assets. What information do you hold on your customers? Where is it stored? Is it up to date? Is it still required? Is it digital, or are paper records still in use? Are your employees accessing information via their own mobile devices?

Data breaches occur in many forms, including password theft, physical attacks and the biggest threat of all – user error.

Common user error breaches include obvious examples, such as incorrect handling of credit card data, and less obvious examples, such as paper-based customer information being stored in unlocked filing cabinets.

Routine tasks undertaken by front of house staff are often conducted without data safeguards in place and in many cases, too little staff training is provided on data security protocols and their importance, leaving operators vulnerable.

This situation is complicated by the nature of the industry. For example, staff turnover makes it challenging to ensure training is given to all staff who are handling customer data. The result is inadequate security, which jeopardises both the customer and the operator.

Better Guidance
In our unregulated industry there has historically been little or no guidance provided to staff regarding the safeguarding of information.

In addition, although existing legislation – such as the Data Protection Act (DPA), and the Payment Card Industry Data Security Standards (PCI DSS) – requires adherence to very specific data security processes and policies, many in the industry would be hard pressed to demonstrate compliance, leaving them in a highly vulnerable position.

The situation will become even more challenging in May 2018, when the EU’s new General Data Protection Regulation (GDPR) comes into effect, bringing with it higher penalties and even more stringent requirements regarding information security, as well as the need to inform any individual affected by a data breach within 72 hours.

In short, GDPR demands the attention of all businesses and operators who hold customer data of any kind.

Business Implications
The UK Payment Card Industry Security Standards Council (PCI SSC) has warned that UK businesses could face up to £122bn in penalties for data breaches when the GDPR comes into effect. It has also stated that fines are likely to be dwarfed by the reputational damage incurred by data breaches.

If customers lose confidence in an establishment’s ability to safeguard personal data, then the online portals and payment processes that have streamlined our businesses so effectively over recent years will be put at risk.

Creating a New Ethos: Confidentiality, Availability & Integrity
So now is the time to take action. Only by considering every piece of information in line with three guiding principles – confidentiality, availability and integrity – can you begin to protect your data.

• Confidentiality
Assurance of data privacy is achieved by ensuring it’s only accessed by authorised individuals and that excellent access controls and good internal processes are in place for the use of paper-based documentation.

• Availability
This demands that data is available whenever it’s needed – a ransomware attack, for example, denies this.

• Integrity
Achieving data integrity is all about ensuring it’s accurate and up to date.

There are two areas of GDPR where focus is needed. One is consent, which imposes robust criteria on you to obtain permission from individuals for the processing of their data. The second is data retention, and the individual’s ‘right to be forgotten’.

These two areas need careful assessment to ensure there’s a clear case for holding data for specific time periods and that consent has been given to do so.

Next steps
The coming of the GDPR is a real opportunity for leisure and health and fitness businesses to embrace the chance to make huge improvements to the way their extremely valuable data is stored and handled.

It's also the time to expand the current view of information beyond that which is held electronically to include all information assets in the business, both digital and paper-based. Finally, it's time to embed best practice into all daily operations. This includes improving physical infrastructure and creating a robust, ethical security culture, that protects customer data, for the long-term.

To learn more about how Legend has helped its customers get ready for the arrival of the fast-approaching GDPR legislation, please visit our website at: www.legendware.co.uk/accreditations

Paul Simpson
Paul Simpson

Paul Simpson, Legend’s chief operating officer, is responsible for Legend’s ISO27001 Information Security Management accreditation.

Simpson makes his expertise available to those who have industry GDPR/ information security concerns. He can be contacted at: [email protected]

Sign up here to get HCM's weekly ezine and every issue of HCM magazine free on digital.
https://www.leisureopportunities.co.uk/images/299762_993010.jpg
Paul Simpson, chief operating officer of Legend Club Management Systems, explains why it’s vital for operators to take action on how they store and secure all member data
Paul Simpson, chief operating officer, Legend Club Management Systems,Legend Club Management Systems, Paul Simpson, member data,
HCM magazine
We’ve reduced the level of council investment over the last three years by 40 per cent and increased our turnover by 9 per cent
HCM magazine
Fuel the debate about issues and opportunities across the industry. We’d love to hear from you. Write to [email protected]
HCM magazine
Lisa Starr tries the Ammortal Chamber to see whether layering 10 modalities into one experience really delivers more
HCM magazine
HCM People

Shaun Grove

Owner, Stride Fitness
My goal was to invest in where fitness is going, not where it’s already been
HCM magazine
The new CEO of UK Active talks to HCM about the gym-curious and why he believes the sector can double in size by the end of the next decade
HCM promotional features
Sponsored
Social fitness the missing link to member engagement, according to a new Myzone report
HCM promotional features
Sponsored
David Lloyd is stepping up its commitment to women’s health as it continues to explore what fit-for-purpose looks like for the female population
HCM promotional features
Sponsored
Find out how your gym can tap into the corporate wellness boom
HCM promotional features
Sponsored
Third Space partnered with IndigoFitness to deliver a bespoke training space for its new club at The Whiteley
HCM promotional features
Sponsored
SnowDome Fitness has added 50 per cent more space with cutting-edge Technogym solutions
HCM promotional features
Sponsored
Starpool supports Olympic champion Marcell Jacobs, says Riccardo Turri
HCM promotional features
Sponsored
Greg Bradley looks at the shift towards strength training in gyms and advises on how operators can create the ultimate training environment
HCM promotional features
Sponsored
EGYM has opened a new HQ in Paternoster Square, London and revealed a range of new launches
HCM promotional features
Latest News
The £33.9 million Leighton Leisure and Community Centre has opened in Leighton Buzzard, UK, creating ...
Latest News
YogaSix, the yoga brand owned by Xponential Fitness, has launched a heated, Pilates-inspired class called ...
Latest News
Walnuts Leisure Centre in Orpington, in the London Borough of Bromley, has reopened following a ...
Latest News
The Gym Group, has announced that it's sustained positive trading momentum has continued through the ...
Latest News
Hyrox has announced it will be working with a second charity in the upcoming season ...
Latest News
US low-cost operator, Amped Fitness, has launched a flagship location in Texas, debuting its multi-sensory ...
Latest News
Luxury boutique Pilates and wellness studio, X-Club, officially launches a 4,000sq ft flagship at Marylebone ...
Latest News
The LifeFit Group continues its buy and build strategy with the acquisition of the Fitness ...
Opinion
promotion
Strength training has moved from the margins to the mainstream.
Opinion: Building smarter strength spaces for today’s operators
Featured supplier news
Featured supplier news: Cornerstone Connect helps Active Blackpool tackle health inequalities
Active Blackpool is deploying Cornerstone Connect, a new digital interface allowing disparate information from multiple systems to be aggregated into one dataset, to support its focus on reducing health inequalities and improving healthy life expectancy.
Featured supplier news
Featured supplier news: CoverMe extends matching service to personal training, rewriting how members and personal trainers connect
CoverMe, the global leader in fitness workforce management, today launches CoverMe PT, an on-demand personal training platform that connects the right personal trainer to the right client in under 10 seconds.
Company profiles
Company profile: Sprung Gym Flooring
Sprung Gym Flooring a trusted brand who specialise in high-performance, durable, non-slip rubber gym flooring, ...
Company profiles
Company profile: Brass Monkey
Brass Monkey designs and builds the world’s finest commercial-grade ice baths, working with leading gyms ...
Supplier Showcases
Supplier Showcase - From nightclub to health club
Supplier Showcases
Supplier Showcase - Future-proofing
Catalogue Gallery
Click on a catalogue to view it online
Featured press releases
BLK BOX press release: Inside the build: Move360
Move360 was created with one clear goal: to provide an intelligent training environment where members can build strength, improve movement quality and train with confidence. To help bring their vision to life, Move360 partnered with BLK BOX to design, manufacture and install a facility that reflects the quality of coaching delivered every day.
Featured press releases
Elevate Arena press release: Elevate 2026 celebrates record attendance
Elevate’s 10th anniversary event has officially concluded after two lively days at Excel London, 17–18 June.
Directory
Hot tubs
MSpa International Ltd: Hot tubs
Water experiences and hydrotherapy solutions
Aquaform s.r.l.: Water experiences and hydrotherapy solutions
Lockers
Crown Sports Lockers: Lockers
Spa and beauty equipment
Living Earth Crafts: Spa and beauty equipment
Fitness tracking platform
SpiviTech: Fitness tracking platform
Industrial washing machines
Miele Company Limited: Industrial washing machines
Property & Tenders
Stratford, East London.
Lee Valley Regional Park Authority
Property & Tenders
Y Felinheli, LL56 4QN
Newmark
Property & Tenders
Diary dates
21-24 Sep 2026
The Langham Huntington Pasadena , Pasadena, United States
Diary dates
06-08 Oct 2026
Messe Stuttgart, Stuttgart, Germany
Diary dates
22-22 Oct 2026
QEII Conference Centre, London,
Diary dates
26-29 Oct 2027
Koelnmesse Exhibition Centre, Cologne, Germany
Diary dates

features

Sponsored briefing: Legend - Data Matters

With the new General Data Protection Regulation (GDPR) on the horizon, Paul Simpson, chief operating officer of Legend Club Management Systems, explains why it’s vital operators take action on how they store and secure all member data

Published in Health Club Management 2017 issue 11
New laws about how you hold your data come into effect in 2018 and demand attention now to avoid regulatory fines / PHOTO: SHUTTERSTOCK.COM
New laws about how you hold your data come into effect in 2018 and demand attention now to avoid regulatory fines / PHOTO: SHUTTERSTOCK.COM
Leisure and gym operators are custodians of a huge volume of detailed personal information on members, making our industry not only a soft target, but also an attractive one - Paul Simpson

Rarely a week goes by without news of a data security breach hitting the headlines, with issues such as the global WannaCry ransomware attack – which crippled parts of the NHS – and our own industry-specific PayAsUGym attack in December 2016 heightening fears for the wider industry.

Unfortunately, this increased awareness isn’t leading to action to improve matters. Furthermore, ignorance about basic data security principles and obligations is placing the industry at significant risk of everything from accidental misadventure to financial fraud, with the repercussions ranging from regulatory fines and brand damage to business failure.

Data vulnerability
Leisure and gym operators are custodians of a huge volume of detailed personal information about members and customers, making our industry not only a soft target, but also an attractive one.
To safeguard valuable information, think about your data assets. What information do you hold on your customers? Where is it stored? Is it up to date? Is it still required? Is it digital, or are paper records still in use? Are your employees accessing information via their own mobile devices?

Data breaches occur in many forms, including password theft, physical attacks and the biggest threat of all – user error.

Common user error breaches include obvious examples, such as incorrect handling of credit card data, and less obvious examples, such as paper-based customer information being stored in unlocked filing cabinets.

Routine tasks undertaken by front of house staff are often conducted without data safeguards in place and in many cases, too little staff training is provided on data security protocols and their importance, leaving operators vulnerable.

This situation is complicated by the nature of the industry. For example, staff turnover makes it challenging to ensure training is given to all staff who are handling customer data. The result is inadequate security, which jeopardises both the customer and the operator.

Better Guidance
In our unregulated industry there has historically been little or no guidance provided to staff regarding the safeguarding of information.

In addition, although existing legislation – such as the Data Protection Act (DPA), and the Payment Card Industry Data Security Standards (PCI DSS) – requires adherence to very specific data security processes and policies, many in the industry would be hard pressed to demonstrate compliance, leaving them in a highly vulnerable position.

The situation will become even more challenging in May 2018, when the EU’s new General Data Protection Regulation (GDPR) comes into effect, bringing with it higher penalties and even more stringent requirements regarding information security, as well as the need to inform any individual affected by a data breach within 72 hours.

In short, GDPR demands the attention of all businesses and operators who hold customer data of any kind.

Business Implications
The UK Payment Card Industry Security Standards Council (PCI SSC) has warned that UK businesses could face up to £122bn in penalties for data breaches when the GDPR comes into effect. It has also stated that fines are likely to be dwarfed by the reputational damage incurred by data breaches.

If customers lose confidence in an establishment’s ability to safeguard personal data, then the online portals and payment processes that have streamlined our businesses so effectively over recent years will be put at risk.

Creating a New Ethos: Confidentiality, Availability & Integrity
So now is the time to take action. Only by considering every piece of information in line with three guiding principles – confidentiality, availability and integrity – can you begin to protect your data.

• Confidentiality
Assurance of data privacy is achieved by ensuring it’s only accessed by authorised individuals and that excellent access controls and good internal processes are in place for the use of paper-based documentation.

• Availability
This demands that data is available whenever it’s needed – a ransomware attack, for example, denies this.

• Integrity
Achieving data integrity is all about ensuring it’s accurate and up to date.

There are two areas of GDPR where focus is needed. One is consent, which imposes robust criteria on you to obtain permission from individuals for the processing of their data. The second is data retention, and the individual’s ‘right to be forgotten’.

These two areas need careful assessment to ensure there’s a clear case for holding data for specific time periods and that consent has been given to do so.

Next steps
The coming of the GDPR is a real opportunity for leisure and health and fitness businesses to embrace the chance to make huge improvements to the way their extremely valuable data is stored and handled.

It's also the time to expand the current view of information beyond that which is held electronically to include all information assets in the business, both digital and paper-based. Finally, it's time to embed best practice into all daily operations. This includes improving physical infrastructure and creating a robust, ethical security culture, that protects customer data, for the long-term.

To learn more about how Legend has helped its customers get ready for the arrival of the fast-approaching GDPR legislation, please visit our website at: www.legendware.co.uk/accreditations

Paul Simpson
Paul Simpson

Paul Simpson, Legend’s chief operating officer, is responsible for Legend’s ISO27001 Information Security Management accreditation.

Simpson makes his expertise available to those who have industry GDPR/ information security concerns. He can be contacted at: [email protected]

Sign up here to get HCM's weekly ezine and every issue of HCM magazine free on digital.
https://www.leisureopportunities.co.uk/images/299762_993010.jpg
Paul Simpson, chief operating officer of Legend Club Management Systems, explains why it’s vital for operators to take action on how they store and secure all member data
Paul Simpson, chief operating officer, Legend Club Management Systems,Legend Club Management Systems, Paul Simpson, member data,
Latest News
The £33.9 million Leighton Leisure and Community Centre has opened in Leighton Buzzard, UK, creating ...
Latest News
YogaSix, the yoga brand owned by Xponential Fitness, has launched a heated, Pilates-inspired class called ...
Latest News
Walnuts Leisure Centre in Orpington, in the London Borough of Bromley, has reopened following a ...
Latest News
The Gym Group, has announced that it's sustained positive trading momentum has continued through the ...
Latest News
Hyrox has announced it will be working with a second charity in the upcoming season ...
Latest News
US low-cost operator, Amped Fitness, has launched a flagship location in Texas, debuting its multi-sensory ...
Latest News
Luxury boutique Pilates and wellness studio, X-Club, officially launches a 4,000sq ft flagship at Marylebone ...
Latest News
The LifeFit Group continues its buy and build strategy with the acquisition of the Fitness ...
Latest News
An ambitious women’s only strength and lifting studio concept is set to launch in Dallas this ...
Latest News
Finnish outdoor fitness equipment specialist, Omnigym, has partnered with charity, Emmaüs Solidarité, to launch an ...
Latest News
Virgin Active has officially opened its redesigned Mayfair club, unveiling its latest Social Wellness Club ...
Opinion
promotion
Strength training has moved from the margins to the mainstream.
Opinion: Building smarter strength spaces for today’s operators
Featured supplier news
Featured supplier news: Cornerstone Connect helps Active Blackpool tackle health inequalities
Active Blackpool is deploying Cornerstone Connect, a new digital interface allowing disparate information from multiple systems to be aggregated into one dataset, to support its focus on reducing health inequalities and improving healthy life expectancy.
Featured supplier news
Featured supplier news: CoverMe extends matching service to personal training, rewriting how members and personal trainers connect
CoverMe, the global leader in fitness workforce management, today launches CoverMe PT, an on-demand personal training platform that connects the right personal trainer to the right client in under 10 seconds.
Company profiles
Company profile: Sprung Gym Flooring
Sprung Gym Flooring a trusted brand who specialise in high-performance, durable, non-slip rubber gym flooring, ...
Company profiles
Company profile: Brass Monkey
Brass Monkey designs and builds the world’s finest commercial-grade ice baths, working with leading gyms ...
Supplier Showcases
Supplier Showcase - From nightclub to health club
Supplier Showcases
Supplier Showcase - Future-proofing
Catalogue Gallery
Click on a catalogue to view it online
Featured press releases
BLK BOX press release: Inside the build: Move360
Move360 was created with one clear goal: to provide an intelligent training environment where members can build strength, improve movement quality and train with confidence. To help bring their vision to life, Move360 partnered with BLK BOX to design, manufacture and install a facility that reflects the quality of coaching delivered every day.
Featured press releases
Elevate Arena press release: Elevate 2026 celebrates record attendance
Elevate’s 10th anniversary event has officially concluded after two lively days at Excel London, 17–18 June.
Directory
Hot tubs
MSpa International Ltd: Hot tubs
Water experiences and hydrotherapy solutions
Aquaform s.r.l.: Water experiences and hydrotherapy solutions
Lockers
Crown Sports Lockers: Lockers
Spa and beauty equipment
Living Earth Crafts: Spa and beauty equipment
Fitness tracking platform
SpiviTech: Fitness tracking platform
Industrial washing machines
Miele Company Limited: Industrial washing machines
Property & Tenders
Stratford, East London.
Lee Valley Regional Park Authority
Property & Tenders
Y Felinheli, LL56 4QN
Newmark
Property & Tenders
Diary dates
21-24 Sep 2026
The Langham Huntington Pasadena , Pasadena, United States
Diary dates
06-08 Oct 2026
Messe Stuttgart, Stuttgart, Germany
Diary dates
22-22 Oct 2026
QEII Conference Centre, London,
Diary dates
26-29 Oct 2027
Koelnmesse Exhibition Centre, Cologne, Germany
Diary dates
Search news, features & products:
Find a supplier:
Partner sites