Get HCM digital magazine and ezines FREE
Sign up here ▸
Jobs   News   Features   Products   Magazine      Advertise  
Sponsored briefing
Legend - Data Matters

With the new General Data Protection Regulation (GDPR) on the horizon, Paul Simpson, chief operating officer of Legend Club Management Systems, explains why it’s vital operators take action on how they store and secure all member data


Rarely a week goes by without news of a data security breach hitting the headlines, with issues such as the global WannaCry ransomware attack – which crippled parts of the NHS – and our own industry-specific PayAsUGym attack in December 2016 heightening fears for the wider industry.

Unfortunately, this increased awareness isn’t leading to action to improve matters. Furthermore, ignorance about basic data security principles and obligations is placing the industry at significant risk of everything from accidental misadventure to financial fraud, with the repercussions ranging from regulatory fines and brand damage to business failure.

Data vulnerability
Leisure and gym operators are custodians of a huge volume of detailed personal information about members and customers, making our industry not only a soft target, but also an attractive one.
To safeguard valuable information, think about your data assets. What information do you hold on your customers? Where is it stored? Is it up to date? Is it still required? Is it digital, or are paper records still in use? Are your employees accessing information via their own mobile devices?

Data breaches occur in many forms, including password theft, physical attacks and the biggest threat of all – user error.

Common user error breaches include obvious examples, such as incorrect handling of credit card data, and less obvious examples, such as paper-based customer information being stored in unlocked filing cabinets.

Routine tasks undertaken by front of house staff are often conducted without data safeguards in place and in many cases, too little staff training is provided on data security protocols and their importance, leaving operators vulnerable.

This situation is complicated by the nature of the industry. For example, staff turnover makes it challenging to ensure training is given to all staff who are handling customer data. The result is inadequate security, which jeopardises both the customer and the operator.

Better Guidance
In our unregulated industry there has historically been little or no guidance provided to staff regarding the safeguarding of information.

In addition, although existing legislation – such as the Data Protection Act (DPA), and the Payment Card Industry Data Security Standards (PCI DSS) – requires adherence to very specific data security processes and policies, many in the industry would be hard pressed to demonstrate compliance, leaving them in a highly vulnerable position.

The situation will become even more challenging in May 2018, when the EU’s new General Data Protection Regulation (GDPR) comes into effect, bringing with it higher penalties and even more stringent requirements regarding information security, as well as the need to inform any individual affected by a data breach within 72 hours.

In short, GDPR demands the attention of all businesses and operators who hold customer data of any kind.

Business Implications
The UK Payment Card Industry Security Standards Council (PCI SSC) has warned that UK businesses could face up to £122bn in penalties for data breaches when the GDPR comes into effect. It has also stated that fines are likely to be dwarfed by the reputational damage incurred by data breaches.

If customers lose confidence in an establishment’s ability to safeguard personal data, then the online portals and payment processes that have streamlined our businesses so effectively over recent years will be put at risk.

Creating a New Ethos: Confidentiality, Availability & Integrity
So now is the time to take action. Only by considering every piece of information in line with three guiding principles – confidentiality, availability and integrity – can you begin to protect your data.

• Confidentiality
Assurance of data privacy is achieved by ensuring it’s only accessed by authorised individuals and that excellent access controls and good internal processes are in place for the use of paper-based documentation.

• Availability
This demands that data is available whenever it’s needed – a ransomware attack, for example, denies this.

• Integrity
Achieving data integrity is all about ensuring it’s accurate and up to date.

There are two areas of GDPR where focus is needed. One is consent, which imposes robust criteria on you to obtain permission from individuals for the processing of their data. The second is data retention, and the individual’s ‘right to be forgotten’.

These two areas need careful assessment to ensure there’s a clear case for holding data for specific time periods and that consent has been given to do so.

Next steps
The coming of the GDPR is a real opportunity for leisure and health and fitness businesses to embrace the chance to make huge improvements to the way their extremely valuable data is stored and handled.

It's also the time to expand the current view of information beyond that which is held electronically to include all information assets in the business, both digital and paper-based. Finally, it's time to embed best practice into all daily operations. This includes improving physical infrastructure and creating a robust, ethical security culture, that protects customer data, for the long-term.

To learn more about how Legend has helped its customers get ready for the arrival of the fast-approaching GDPR legislation, please visit our website at: www.legendware.co.uk/accreditations



 

Paul Simpson
 

Paul Simpson, Legend’s chief operating officer, is responsible for Legend’s ISO27001 Information Security Management accreditation.

Simpson makes his expertise available to those who have industry GDPR/ information security concerns. He can be contacted at: [email protected]


FEATURED SUPPLIERS

Legends never die: four legends, four philosophies of life
Panatta brought together four of the most influential figures in bodybuilding history on the stage of RiminiWellness 2026: Phil Heath, Lee Haney, Ronnie Coleman and Hany Rambod. [more...]

Cornerstone Connect helps Active Blackpool tackle health inequalities
Active Blackpool is deploying Cornerstone Connect, a new digital interface allowing disparate information from multiple systems to be aggregated into one dataset, to support its focus on reducing health inequalities and improving healthy life expectancy. [more...]
+ More featured suppliers  
COMPANY PROFILES
Safe Space Lockers

We provide a full turn-key solution for clients from design and consultation, through to bespoke man [more...]
Serco Leisure

Serco Leisure Operating Limited is one of the UK’s leading national operators of leisure centres, de [more...]
+ More profiles  
CATALOGUE GALLERY
 
+ More catalogues  

DIRECTORY
+ More directory  
DIARY

 

23-26 Aug 2026

Elevate Spa Riviera Maya Edition

The Riviera Maya Edition Kanai, Playa del Carmen, Mexico
10-12 Sep 2026

ASEAN Patio Pool Spa Expo 2026

MITEC Kuala Lumpur,Malaysia, Malaysia
+ More diary  
 
ABOUT LEISURE MEDIA
LEISURE MEDIA MAGAZINES
LEISURE MEDIA HANDBOOKS
LEISURE MEDIA WEBSITES
LEISURE MEDIA PRODUCT SEARCH
 
HCM
LEISURE OPPORTUNITIES
HEALTH CLUB HANDBOOK
PRINT SUBSCRIPTIONS
FREE DIGITAL SUBSCRIPTIONS
ADVERTISE . CONTACT US

Leisure Media
Tel: +44 (0)1462 431385

©Cybertrek 2026
Get HCM digital magazine and ezines FREE
Sign up here ▸
Jobs    News   Products   Magazine
Sponsored briefing
Legend - Data Matters

With the new General Data Protection Regulation (GDPR) on the horizon, Paul Simpson, chief operating officer of Legend Club Management Systems, explains why it’s vital operators take action on how they store and secure all member data


Rarely a week goes by without news of a data security breach hitting the headlines, with issues such as the global WannaCry ransomware attack – which crippled parts of the NHS – and our own industry-specific PayAsUGym attack in December 2016 heightening fears for the wider industry.

Unfortunately, this increased awareness isn’t leading to action to improve matters. Furthermore, ignorance about basic data security principles and obligations is placing the industry at significant risk of everything from accidental misadventure to financial fraud, with the repercussions ranging from regulatory fines and brand damage to business failure.

Data vulnerability
Leisure and gym operators are custodians of a huge volume of detailed personal information about members and customers, making our industry not only a soft target, but also an attractive one.
To safeguard valuable information, think about your data assets. What information do you hold on your customers? Where is it stored? Is it up to date? Is it still required? Is it digital, or are paper records still in use? Are your employees accessing information via their own mobile devices?

Data breaches occur in many forms, including password theft, physical attacks and the biggest threat of all – user error.

Common user error breaches include obvious examples, such as incorrect handling of credit card data, and less obvious examples, such as paper-based customer information being stored in unlocked filing cabinets.

Routine tasks undertaken by front of house staff are often conducted without data safeguards in place and in many cases, too little staff training is provided on data security protocols and their importance, leaving operators vulnerable.

This situation is complicated by the nature of the industry. For example, staff turnover makes it challenging to ensure training is given to all staff who are handling customer data. The result is inadequate security, which jeopardises both the customer and the operator.

Better Guidance
In our unregulated industry there has historically been little or no guidance provided to staff regarding the safeguarding of information.

In addition, although existing legislation – such as the Data Protection Act (DPA), and the Payment Card Industry Data Security Standards (PCI DSS) – requires adherence to very specific data security processes and policies, many in the industry would be hard pressed to demonstrate compliance, leaving them in a highly vulnerable position.

The situation will become even more challenging in May 2018, when the EU’s new General Data Protection Regulation (GDPR) comes into effect, bringing with it higher penalties and even more stringent requirements regarding information security, as well as the need to inform any individual affected by a data breach within 72 hours.

In short, GDPR demands the attention of all businesses and operators who hold customer data of any kind.

Business Implications
The UK Payment Card Industry Security Standards Council (PCI SSC) has warned that UK businesses could face up to £122bn in penalties for data breaches when the GDPR comes into effect. It has also stated that fines are likely to be dwarfed by the reputational damage incurred by data breaches.

If customers lose confidence in an establishment’s ability to safeguard personal data, then the online portals and payment processes that have streamlined our businesses so effectively over recent years will be put at risk.

Creating a New Ethos: Confidentiality, Availability & Integrity
So now is the time to take action. Only by considering every piece of information in line with three guiding principles – confidentiality, availability and integrity – can you begin to protect your data.

• Confidentiality
Assurance of data privacy is achieved by ensuring it’s only accessed by authorised individuals and that excellent access controls and good internal processes are in place for the use of paper-based documentation.

• Availability
This demands that data is available whenever it’s needed – a ransomware attack, for example, denies this.

• Integrity
Achieving data integrity is all about ensuring it’s accurate and up to date.

There are two areas of GDPR where focus is needed. One is consent, which imposes robust criteria on you to obtain permission from individuals for the processing of their data. The second is data retention, and the individual’s ‘right to be forgotten’.

These two areas need careful assessment to ensure there’s a clear case for holding data for specific time periods and that consent has been given to do so.

Next steps
The coming of the GDPR is a real opportunity for leisure and health and fitness businesses to embrace the chance to make huge improvements to the way their extremely valuable data is stored and handled.

It's also the time to expand the current view of information beyond that which is held electronically to include all information assets in the business, both digital and paper-based. Finally, it's time to embed best practice into all daily operations. This includes improving physical infrastructure and creating a robust, ethical security culture, that protects customer data, for the long-term.

To learn more about how Legend has helped its customers get ready for the arrival of the fast-approaching GDPR legislation, please visit our website at: www.legendware.co.uk/accreditations



 

Paul Simpson
 

Paul Simpson, Legend’s chief operating officer, is responsible for Legend’s ISO27001 Information Security Management accreditation.

Simpson makes his expertise available to those who have industry GDPR/ information security concerns. He can be contacted at: [email protected]


LATEST NEWS
Researchers find that 90-120 minutes of strength training a week has longevity benefits
According to research which tracked more than 147,000 people for 30 years, 90-120 minutes of strength training a week may deliver some of the biggest long-term health rewards.
Everlast pushes internationally with Dublin site
Everlast Gyms expands its footprint outside of the UK this month with the imminent launch of a club in Dublin.
UK updates physical activity guidelines with focus on daily movement
The UK's four Chief Medical Officers have published a refreshed edition of Physical activity guidelines: UK Chief Medical Officers' report, updating the evidence that underpins the nation's physical activity recommendations and placing greater emphasis on strength, balance, reducing sedentary behaviour and, for the first time, supporting people taking weight loss medications.
Places Leisure is working with Roberts Limbrick to build £60m wellness flagship in Basingstoke
Places Leisure has exchanged contracts to build and operate a flagship £60m water and leisure destination on behalf of Basingstoke and Deane Borough Council.
PureGym announces expansion into Ireland
The Republic of Ireland will become the latest market in PureGym’s expanding international portfolio, with the first launch planned for Dublin in 2027.
Total Fitness CEO Sophie Lawler launches leadership coaching venture
Sophie Lawler, CEO of Total Fitness, has launched a leadership coaching business aimed at helping women realise their professional potential.
Anytime Fitness reaches milestone moment and targets Europe for growth
Anytime Fitness opened more than one club a day in 2025 and is on track to maintain this rate of growth this year, as parent company Purpose Brands targets further international expansion.
Everyone Active opens £33.9 million next-generation leisure and wellbeing hub
The £33.9 million Leighton Leisure and Community Centre has opened in Leighton Buzzard, UK, creating a next-generation public leisure, health and wellbeing hub for the local community.
YogaSix responds to Pilates boom with launch of strength-focused Y6 Core class
YogaSix, the yoga brand of Xponential Fitness, has launched a heated, Pilates-inspired class called Y6 Core.
Bromley’s £17m Walnuts revamp adds EGYM, rehab and recovery
Walnuts Leisure Centre in Orpington, in the London Borough of Bromley, has reopened following a £17m transformation designed to secure the long-term future of the public leisure asset and reposition it as a community wellbeing hub.
The Gym Group breaks the million members mark for the first time
The Gym Group, has announced that it's sustained positive trading momentum has continued through the first half of 2026 and the company remains confident about the outlook.
Hyrox offers charity spots in sold-out races
Hyrox has announced it will be working with a second charity in the upcoming season and offering charity spots in sold-out races.
+ More news   
 
FEATURED SUPPLIERS

Legends never die: four legends, four philosophies of life
Panatta brought together four of the most influential figures in bodybuilding history on the stage of RiminiWellness 2026: Phil Heath, Lee Haney, Ronnie Coleman and Hany Rambod. [more...]

Cornerstone Connect helps Active Blackpool tackle health inequalities
Active Blackpool is deploying Cornerstone Connect, a new digital interface allowing disparate information from multiple systems to be aggregated into one dataset, to support its focus on reducing health inequalities and improving healthy life expectancy. [more...]
+ More featured suppliers  
COMPANY PROFILES
Safe Space Lockers

We provide a full turn-key solution for clients from design and consultation, through to bespoke man [more...]
+ More profiles  
CATALOGUE GALLERY
+ More catalogues  

DIRECTORY
+ More directory  
DIARY

 

23-26 Aug 2026

Elevate Spa Riviera Maya Edition

The Riviera Maya Edition Kanai, Playa del Carmen, Mexico
10-12 Sep 2026

ASEAN Patio Pool Spa Expo 2026

MITEC Kuala Lumpur,Malaysia, Malaysia
+ More diary  
 


ADVERTISE . CONTACT US

Leisure Media
Tel: +44 (0)1462 431385

©Cybertrek 2026

ABOUT LEISURE MEDIA
LEISURE MEDIA MAGAZINES
LEISURE MEDIA HANDBOOKS
LEISURE MEDIA WEBSITES
LEISURE MEDIA PRODUCT SEARCH
PRINT SUBSCRIPTIONS
FREE DIGITAL SUBSCRIPTIONS