Get HCM digital magazine and ezines FREE
Sign up here ▸
Jobs   News   Features   Products   Magazine      Advertise  
Liability
Data alert

New legislation is exposing weakness and potential liabilities in the management of customer data in health clubs, says Andy Chesterman


Health clubs and leisure centres have become some of the most data-intensive operations when it comes to customer records.

Every member relationship generates sensitive data, including things such as direct debit mandates, PAR-Q and medical screening records, access control logs and CCTV footage. There may also be marketing preferences, cancellation records and – for sites with junior programmes – children’s activity data. In addition, if the operator has an app, then activity in this could also be recorded.

This is a significant volume of information, much of it relating to highly sensitive areas including health, payments and family.

Every member interaction leaves a trail and that data typically sits across several systems: booking apps, CRM platforms, payment processors, access control systems, marketing tools, CCTV providers and head office platforms.

Managing data across that many systems is normal for operators in the sector, but problems arise if a member challenges how their data has been used and there is no clear process for handling their query.

This is no longer acceptable in the UK and under the Data (Use and Access) Act 2026 – a piece of legislation that received Royal Assent on 19 June (www.hcmmag.com/DUA) – organisations must now have a clear and robust process for handling data protection complaints.

Andy Chesterman
Andy Chesterman

Penalties have increased, with fines potentially reaching £17.5m, or 4 per cent of global turnover

Complaints may not look like complaints

A member doesn’t need to use the words ‘data protection complaint’ for the club to have a data protection issue to deal with. Members are far more likely to ask things such as why they’re still receiving marketing emails after cancelling their membership, who has access to their medical screening form, whether CCTV footage of them has been retained or why their details are still on file after they left.

Once a member has raised such a query, the responsibility sits with the health club to recognise whether the complaint relates to the handling of personal data. If it is, it must be acknowledged, investigated, recorded and answered through the club’s own data protection complaints process.

This is where the sector has a practical challenge. A complaint might arrive through reception, a club manager’s inbox, a membership team call, a customer service form or a social media message and the first person to receive it may have no reason to treat it differently from any other member query.

Medical screening records are a good example. They’re used routinely in the sector, but they can include health information, which is treated as special category data under UK GDPR and requires stronger protection.

If a member challenges how that information has been stored, who’s seen it, how long it’s been retained or whether it’s been shared, the operator needs to do more than give general reassurance that the information is secure. It needs to report on exactly what happened, who checked it, what decision was made and how the member was informed.

The challenge is rarely that health club operators don’t care about member data, because most do. The challenge is that responsibility can become blurred between reception, club managers, regional teams, head office, technology suppliers and external processors.

The Information Commissioner’s Office will expect to see evidence of how a complaint was handled if it’s escalated

What 19 June actually changes

The Data (Use and Access) Act 2026 marks a structural change, and the Information Commissioner’s Office now expects operators to handle data protection complaints themselves initially, before a member can escalate their case to the regulator. This means operators must adopt a complaints process that’s visible, documented and followed reliably, not just a general intention to deal with member queries fairly.

For example, complaints must be acknowledged within 30 days, and dealt with without undue delay and the Information Commissioner’s Office will expect to see evidence of how the complaint was handled if it’s escalated at a later date.

The commercial stakes are significant. Penalties relating to the Privacy and Electronic Communications Regulations have increased under the new Act, with fines potentially reaching £17.5m, or 4 per cent of a company’s global turnover, for serious breaches.

Failure to handle data complaints properly can also increase regulatory scrutiny, cause reputational damage and – in serious cases – create enforcement risk, particularly where the data involved relates to health, children, payments or surveillance.

Operators must now know where a data complaint can arrive, who recognises it, who investigates it, how suppliers are involved, how the response is recorded and how the member is kept updated throughout.

This is not a compliance exercise that sits separately from the business. It’s part of running a modern operation that members can trust with their health information, payment details and, in many cases, their family’s data.

Andy Chesterman is MD at Privacy Helper

Woman in high plank position
Consumers trust fitness, health and wellness operators with their health and personal data / Shutterstock / WellStock
FEATURED SUPPLIERS

CoverMe extends matching service to personal training, rewriting how members and personal trainers connect
CoverMe, the global leader in fitness workforce management, today launches CoverMe PT, an on-demand personal training platform that connects the right personal trainer to the right client in under 10 seconds. [more...]

Cornerstone Connect helps Active Blackpool tackle health inequalities
Active Blackpool is deploying Cornerstone Connect, a new digital interface allowing disparate information from multiple systems to be aggregated into one dataset, to support its focus on reducing health inequalities and improving healthy life expectancy. [more...]
+ More featured suppliers  
COMPANY PROFILES
Orbit4

With Orbit4, you’ll always have full visibility of your equipment inventory, the true market value [more...]
Everyone Active

Everyone Active operates leisure centres in partnership with local councils across the UK. Today, Ev [more...]
+ More profiles  
CATALOGUE GALLERY
 
+ More catalogues  

DIRECTORY
+ More directory  
DIARY

 

23-26 Aug 2026

Elevate Spa Riviera Maya Edition

The Riviera Maya Edition Kanai, Playa del Carmen, Mexico
10-12 Sep 2026

ASEAN Patio Pool Spa Expo 2026

MITEC Kuala Lumpur,Malaysia, Malaysia
+ More diary  
 
ABOUT LEISURE MEDIA
LEISURE MEDIA MAGAZINES
LEISURE MEDIA HANDBOOKS
LEISURE MEDIA WEBSITES
LEISURE MEDIA PRODUCT SEARCH
 
HCM
LEISURE OPPORTUNITIES
HEALTH CLUB HANDBOOK
PRINT SUBSCRIPTIONS
FREE DIGITAL SUBSCRIPTIONS
ADVERTISE . CONTACT US

Leisure Media
Tel: +44 (0)1462 431385

©Cybertrek 2026
Get HCM digital magazine and ezines FREE
Sign up here ▸
Jobs    News   Products   Magazine
Liability
Data alert

New legislation is exposing weakness and potential liabilities in the management of customer data in health clubs, says Andy Chesterman


Health clubs and leisure centres have become some of the most data-intensive operations when it comes to customer records.

Every member relationship generates sensitive data, including things such as direct debit mandates, PAR-Q and medical screening records, access control logs and CCTV footage. There may also be marketing preferences, cancellation records and – for sites with junior programmes – children’s activity data. In addition, if the operator has an app, then activity in this could also be recorded.

This is a significant volume of information, much of it relating to highly sensitive areas including health, payments and family.

Every member interaction leaves a trail and that data typically sits across several systems: booking apps, CRM platforms, payment processors, access control systems, marketing tools, CCTV providers and head office platforms.

Managing data across that many systems is normal for operators in the sector, but problems arise if a member challenges how their data has been used and there is no clear process for handling their query.

This is no longer acceptable in the UK and under the Data (Use and Access) Act 2026 – a piece of legislation that received Royal Assent on 19 June (www.hcmmag.com/DUA) – organisations must now have a clear and robust process for handling data protection complaints.

Andy Chesterman
Andy Chesterman

Penalties have increased, with fines potentially reaching £17.5m, or 4 per cent of global turnover

Complaints may not look like complaints

A member doesn’t need to use the words ‘data protection complaint’ for the club to have a data protection issue to deal with. Members are far more likely to ask things such as why they’re still receiving marketing emails after cancelling their membership, who has access to their medical screening form, whether CCTV footage of them has been retained or why their details are still on file after they left.

Once a member has raised such a query, the responsibility sits with the health club to recognise whether the complaint relates to the handling of personal data. If it is, it must be acknowledged, investigated, recorded and answered through the club’s own data protection complaints process.

This is where the sector has a practical challenge. A complaint might arrive through reception, a club manager’s inbox, a membership team call, a customer service form or a social media message and the first person to receive it may have no reason to treat it differently from any other member query.

Medical screening records are a good example. They’re used routinely in the sector, but they can include health information, which is treated as special category data under UK GDPR and requires stronger protection.

If a member challenges how that information has been stored, who’s seen it, how long it’s been retained or whether it’s been shared, the operator needs to do more than give general reassurance that the information is secure. It needs to report on exactly what happened, who checked it, what decision was made and how the member was informed.

The challenge is rarely that health club operators don’t care about member data, because most do. The challenge is that responsibility can become blurred between reception, club managers, regional teams, head office, technology suppliers and external processors.

The Information Commissioner’s Office will expect to see evidence of how a complaint was handled if it’s escalated

What 19 June actually changes

The Data (Use and Access) Act 2026 marks a structural change, and the Information Commissioner’s Office now expects operators to handle data protection complaints themselves initially, before a member can escalate their case to the regulator. This means operators must adopt a complaints process that’s visible, documented and followed reliably, not just a general intention to deal with member queries fairly.

For example, complaints must be acknowledged within 30 days, and dealt with without undue delay and the Information Commissioner’s Office will expect to see evidence of how the complaint was handled if it’s escalated at a later date.

The commercial stakes are significant. Penalties relating to the Privacy and Electronic Communications Regulations have increased under the new Act, with fines potentially reaching £17.5m, or 4 per cent of a company’s global turnover, for serious breaches.

Failure to handle data complaints properly can also increase regulatory scrutiny, cause reputational damage and – in serious cases – create enforcement risk, particularly where the data involved relates to health, children, payments or surveillance.

Operators must now know where a data complaint can arrive, who recognises it, who investigates it, how suppliers are involved, how the response is recorded and how the member is kept updated throughout.

This is not a compliance exercise that sits separately from the business. It’s part of running a modern operation that members can trust with their health information, payment details and, in many cases, their family’s data.

Andy Chesterman is MD at Privacy Helper

Woman in high plank position
Consumers trust fitness, health and wellness operators with their health and personal data / Shutterstock / WellStock
LATEST NEWS
PureGym announces expansion into Ireland
The Republic of Ireland will become the latest market in PureGym’s expanding international portfolio, with the first launch planned for Dublin in 2027.
Total Fitness CEO Sophie Lawler launches leadership coaching venture
Sophie Lawler, CEO of Total Fitness, has launched a leadership coaching business aimed at helping women realise their professional potential.
Anytime Fitness targets Europe after opening a club a day in 2025
Anytime Fitness opened more than one club a day in 2025 and is on track to maintain this rate of growth this year, as parent company Purpose Brands targets further international expansion.
Everyone Active opens £33.9 million next-generation leisure and wellbeing hub
The £33.9 million Leighton Leisure and Community Centre has opened in Leighton Buzzard, UK, creating a next-generation public leisure, health and wellbeing hub for the local community.
YogaSix responds to Pilates boom with launch of strength-focused Y6 Core class
YogaSix, the yoga brand of Xponential Fitness, has launched a heated, Pilates-inspired class called Y6 Core.
Bromley’s £17m Walnuts revamp adds EGYM, rehab and recovery
Walnuts Leisure Centre in Orpington, in the London Borough of Bromley, has reopened following a £17m transformation designed to secure the long-term future of the public leisure asset and reposition it as a community wellbeing hub.
The Gym Group breaks the million members mark for the first time
The Gym Group, has announced that it's sustained positive trading momentum has continued through the first half of 2026 and the company remains confident about the outlook.
Hyrox offers charity spots in sold-out races
Hyrox has announced it will be working with a second charity in the upcoming season and offering charity spots in sold-out races.
Amped Fitness debuts Amped Universe flagship
US low-cost operator, Amped Fitness, has launched a flagship location in Texas, debuting its multi-sensory Amped Universe design architecture.
X-Club gears up to open its flagship site in central London
Luxury boutique Pilates and wellness studio, X-Club, officially launches a 4,000sq ft flagship at Marylebone on 16 July Built around X-Club’s four pillars of wellness – mind, movement, nutrition and therapy – the facility features two group exercise studi
LifeFit Group expands in southern Germany with Fitness Sigmaringen acquisition
The LifeFit Group continues its buy and build strategy with the acquisition of the Fitness Sigmaringen club in the German state of Baden-Württemberg.
Industry veterans partner to launch women-only strength brand, LiftHer
An ambitious women’s-only strength and lifting studio concept is set to launch in Dallas this September, with a wider US rollout already in active development.
+ More news   
 
FEATURED SUPPLIERS

CoverMe extends matching service to personal training, rewriting how members and personal trainers connect
CoverMe, the global leader in fitness workforce management, today launches CoverMe PT, an on-demand personal training platform that connects the right personal trainer to the right client in under 10 seconds. [more...]

Cornerstone Connect helps Active Blackpool tackle health inequalities
Active Blackpool is deploying Cornerstone Connect, a new digital interface allowing disparate information from multiple systems to be aggregated into one dataset, to support its focus on reducing health inequalities and improving healthy life expectancy. [more...]
+ More featured suppliers  
COMPANY PROFILES
Orbit4

With Orbit4, you’ll always have full visibility of your equipment inventory, the true market value [more...]
+ More profiles  
CATALOGUE GALLERY
+ More catalogues  

DIRECTORY
+ More directory  
DIARY

 

23-26 Aug 2026

Elevate Spa Riviera Maya Edition

The Riviera Maya Edition Kanai, Playa del Carmen, Mexico
10-12 Sep 2026

ASEAN Patio Pool Spa Expo 2026

MITEC Kuala Lumpur,Malaysia, Malaysia
+ More diary  
 


ADVERTISE . CONTACT US

Leisure Media
Tel: +44 (0)1462 431385

©Cybertrek 2026

ABOUT LEISURE MEDIA
LEISURE MEDIA MAGAZINES
LEISURE MEDIA HANDBOOKS
LEISURE MEDIA WEBSITES
LEISURE MEDIA PRODUCT SEARCH
PRINT SUBSCRIPTIONS
FREE DIGITAL SUBSCRIPTIONS