Health Club Management
Sponsored briefing: Preparing for the GDPR – how to store and secure member data

With the new General Data Protection Regulation (GDPR) on the horizon, Paul Simpson, chief operating officer of Legend Club Management Systems, explains why it’s vital operators take action on how they store and secure all member data

Published in Health Club Management 2017 issue 11
New laws about how you hold your data come into effect in 2018 and demand attention now to avoid regulatory fines / PHOTO: SHUTTERSTOCK.COM
Leisure and gym operators are custodians of a huge volume of detailed personal information on members, making our industry not only a soft target, but also an attractive one - Paul Simpson

Rarely a week goes by without news of a data security breach hitting the headlines, with issues such as the global WannaCry ransomware attack – which crippled parts of the NHS – and our own industry-specific PayAsUGym attack in December 2016 heightening fears for the wider industry.

Unfortunately, this increased awareness isn’t leading to action to improve matters. Furthermore, ignorance about basic data security principles and obligations is placing the industry at significant risk of everything from accidental misadventure to financial fraud, with the repercussions ranging from regulatory fines and brand damage to business failure.

Data vulnerability
Leisure and gym operators are custodians of a huge volume of detailed personal information about members and customers, making our industry not only a soft target, but also an attractive one.
To safeguard valuable information, think about your data assets. What information do you hold on your customers? Where is it stored? Is it up to date? Is it still required? Is it digital, or are paper records still in use? Are your employees accessing information via their own mobile devices?

Data breaches occur in many forms, including password theft, physical attacks and the biggest threat of all – user error.

Common user error breaches include obvious examples, such as incorrect handling of credit card data, and less obvious examples, such as paper-based customer information being stored in unlocked filing cabinets.

Routine tasks undertaken by front of house staff are often conducted without data safeguards in place and in many cases, too little staff training is provided on data security protocols and their importance, leaving operators vulnerable.

This situation is complicated by the nature of the industry. For example, staff turnover makes it challenging to ensure training is given to all staff who are handling customer data. The result is inadequate security, which jeopardises both the customer and the operator.

Better Guidance
In our unregulated industry there has historically been little or no guidance provided to staff regarding the safeguarding of information.

In addition, although existing legislation and standards – such as the Data Protection Act (DPA) and the Payment Card Industry Data Security Standard (PCI DSS) – require adherence to very specific data security processes and policies, many in the industry would be hard pressed to demonstrate compliance, leaving them in a highly vulnerable position.

The situation will become even more challenging in May 2018, when the EU’s new General Data Protection Regulation (GDPR) comes into effect, bringing with it higher penalties and even more stringent requirements regarding information security, as well as the need to inform any individual affected by a data breach within 72 hours.

In short, GDPR demands the attention of all businesses and operators who hold customer data of any kind.

Business Implications
The UK Payment Card Industry Security Standards Council (PCI SSC) has warned that UK businesses could face up to £122bn in penalties for data breaches when the GDPR comes into effect. It has also stated that fines are likely to be dwarfed by the reputational damage incurred by data breaches.

If customers lose confidence in an establishment’s ability to safeguard personal data, then the online portals and payment processes that have streamlined our businesses so effectively over recent years will be put at risk.

Creating a New Ethos: Confidentiality, Availability & Integrity
So now is the time to take action. Only by considering every piece of information in line with three guiding principles – confidentiality, availability and integrity – can you begin to protect your data.

• Confidentiality
Assurance of data privacy is achieved by ensuring data is only accessed by authorised individuals, with strong access controls in place and good internal processes for the handling of paper-based documentation.

• Availability
This demands that data is available whenever it’s needed – a ransomware attack, for example, denies this.

• Integrity
Achieving data integrity is all about ensuring it’s accurate and up to date.

There are two areas of GDPR where focus is needed. One is consent, which imposes robust criteria on you to obtain permission from individuals for the processing of their data. The second is data retention, and the individual’s ‘right to be forgotten’.

These two areas need careful assessment to ensure there’s a clear case for holding data for specific time periods and that consent has been given to do so.
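The questions above (what do you hold, where is it, is it still required, is consent on file, is it paper or digital?) can be turned into a repeatable check over a data-asset register. The script below is an added example and is not Legend's software or the GDPR text itself: the asset records, the retention policy table and the "purpose" labels are constructed for illustration, and the 72-hour figure is the notification window the article cites.

```python
"""Audit a constructed data-asset register against a retention/consent policy.

Added example (not from the original article or from Legend). The purposes,
retention periods and sample records below are invented for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone


@dataclass
class DataAsset:
    name: str
    location: str        # system or physical place where it is held
    medium: str          # "digital" or "paper"
    purpose: str         # why it is held; drives the retention limit
    consent_on_file: bool
    last_used: date      # last time the data was needed for its purpose
    last_verified: date  # last time its accuracy was confirmed (integrity)


# Hypothetical retention policy: purpose -> maximum days since last use.
# 0 means "never store this in-house" (e.g. raw card numbers).
RETENTION_DAYS = {
    "membership": 365 * 2,
    "marketing": 365,
    "card_payment": 0,
}


def audit(assets, today):
    """Return (asset name, finding) pairs for every policy question that fails."""
    findings = []
    for a in assets:
        limit = RETENTION_DAYS.get(a.purpose)
        if limit is None:
            # No documented purpose means no basis for holding it at all.
            findings.append((a.name, "no documented purpose or retention period"))
            continue
        if limit == 0:
            findings.append((a.name, "must not be stored; remove and fix the process"))
        elif (today - a.last_used).days > limit:
            findings.append((a.name, "past retention period: review for deletion"))
        if not a.consent_on_file:
            findings.append((a.name, "no consent recorded for this processing"))
        if a.medium == "paper":
            findings.append((a.name, f"paper record at '{a.location}': confirm locked storage"))
        if (today - a.last_verified).days > 365:
            findings.append((a.name, "accuracy not verified in over a year"))
    return findings


def breach_notification_deadline(discovered_at):
    """Latest notification time, 72 hours after a breach is discovered."""
    return discovered_at + timedelta(hours=72)


# Constructed sample register for a fictional club.
AUDIT_DATE = date(2018, 5, 25)
SAMPLE_ASSETS = [
    DataAsset("member_db", "club management system", "digital", "membership",
              True, date(2018, 5, 20), date(2018, 1, 10)),
    DataAsset("lapsed_members_export", "shared drive", "digital", "marketing",
              False, date(2016, 6, 1), date(2016, 6, 1)),
    DataAsset("joining_forms", "front desk cabinet", "paper", "membership",
              True, date(2018, 5, 1), date(2018, 5, 1)),
    DataAsset("card_numbers_sheet", "reception PC", "digital", "card_payment",
              True, date(2018, 5, 24), date(2018, 5, 24)),
    DataAsset("cctv_archive", "back office NVR", "digital", "cctv",
              True, date(2018, 5, 24), date(2018, 5, 24)),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ASSETS, AUDIT_DATE):
        print(f"{name}: {finding}")
    found = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    print("notify by:", breach_notification_deadline(found).isoformat())
```

Run as-is it reports six findings: three for the stale marketing export (past retention, no consent, unverified), one for the paper forms, one for the stored card numbers and one for the archive with no documented purpose; the clean membership database produces none. The useful design point is that each question in the article maps to one explicit rule, so a missing answer in the register surfaces as a finding rather than being silently assumed fine.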

Next steps
The coming of the GDPR is a real opportunity for leisure and health and fitness businesses to embrace the chance to make huge improvements to the way their extremely valuable data is stored and handled.

It's also the time to expand the current view of information beyond that which is held electronically to include all information assets in the business, both digital and paper-based. Finally, it's time to embed best practice into all daily operations. This includes improving physical infrastructure and creating a robust, ethical security culture that protects customer data for the long term.

To learn more about how Legend has helped its customers get ready for the arrival of the fast-approaching GDPR legislation, please visit our website at: www.legendware.co.uk/accreditations

Paul Simpson

Paul Simpson, Legend’s chief operating officer, is responsible for Legend’s ISO 27001 Information Security Management accreditation.

Simpson makes his expertise available to those who have industry GDPR/information security concerns. He can be contacted at: [email protected]
