Scribd Logo
Fazer o upload

Bem-vindo(a) ao Scribd!

  • Legend GDPR Information Document

    Enviado por

    api-137303031
    146 visualizações7 páginas

    Título original

    legend gdpr information document

    Direitos autorais

    © © All Rights Reserved

    Formatos disponíveis

    DOCX, PDF, TXT ou leia online no Scribd

    Você considera este documento útil?

    Este conteúdo é inapropriado?

    Denunciar este documento

    Direitos autorais:

    © All Rights Reserved
    Baixe no formato DOCX, PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    146 visualizações7 páginas

    Legend GDPR Information Document

    Enviado por

    api-137303031

    Direitos autorais:

    © All Rights Reserved
    Baixe no formato DOCX, PDF, TXT ou leia online no Scribd
    Sinalizar o conteúdo como inadequado
    de 7

    Marlborough House, Westminster Place

    York Business Park, York, YO26 6RW


    info@legendware.co.uk
    www.legendware.co.uk
    (T) 01904 529 575

    Information Security Management System

    Legend GDPR Information Document

    Version 1.1
    Date: 14/04/2018
    Version History:

    Version Date Summary of change Author

    Draft 02/02/2018 Draft issued for review Paul Simpson

    1.1 12/04/2018 Issued for internal review Paul Simpson

    Approvals:
    This document must be approved by the following:

    Name Signature Title / Responsibility Date Version

    Sean Maguire Managing Director

    Paul Simpson Chief Operating Officer

    Related Documents:
    These documents will provide additional information.

    Title Version

    Version 1.1 Legend GDPR Information Document


    Page 2
    CONTROLLED
    Contents

    Overview ................................................................................................................................................. 4
    Purpose ................................................................................................................................................... 4
    Scope ....................................................................................................................................................... 4
    GDPR Information for Legend ................................................................................................................. 5

    Version 1.1 Legend GDPR Information Document


    Page 3
    CONTROLLED
    Overview

    This document provides the information required by Legend customers as part of their assessment of suppliers
    in line with GDPR.
    For the purpose of this document:
    The Legend Customer is the Data Controller
    Legend Club Management Systems is the Data Processor

    Purpose

    This document will be available to Legend customers wishing to validate Legends approach to GDPR and to
    assist Legend customers in the development of their own GDPR documentation.

    Scope

    This statement applies to the Legend Club Management software system (Legend) and the services offered by
    Legend Leisure Services (LLS) covering the processing of Direct Debit Payments and the provision of media
    marketing services.

    Version 1.1 Legend GDPR Information Document


    Page 4
    CONTROLLED
    GDPR Information for Legend

    Does Legend have an appointed Data Protection Officer?


    Yes. Paul Simpson.
    Legend Club Management Systems
    Marlborough House
    York Business Park
    YORK
    YO26 5RW
    Paul.simpson@legendware.co.uk

    Please detail any training that Legend employees have undertaken in respect to Data Protection
    and Information Security in the last 12 months.
    Legend Club Management Systems holds the ISO9001:2015 and ISO27001:2013 certifications which
    are both externally assessed by BSi. As part of our Information Security Management System (ISMS)
    we undertake regular briefings and training for staff and cover Information Security as part of our
    induction processes. Training is in the form of presentations and questionnaires to all staff. As part
    of our ISMS culture we encourage staff to take a keen interest in security matters.

    How is customers data kept secure? How is it stored? Are there any security / encryption
    measures in place?
    Legend systems and data is stored at secure Tier III datacentres located in Leeds and Northampton.
    Both datacentres hold ISO9001 and ISO27001 certifications. Each location has perimeter security
    with CCTV coverage. Access is strictly controlled and only by prior appointment. Legend data is
    stored on Legend owned co-located servers within our own secure cabinets in the datacentre. There
    are a number of security measures in place to protect the data and we will be completing the option
    to enable data encryption at rest for the database during 2018.

    Describe who has access to the data.


    Legend staff do not access customers data unless in the execution of specific duties for the support
    or processing of the data with the specific approval of the customer. Roles that may access data
    include:
    Support: To investigate problems or provide support for specific queries. This would be limited to
    the particular issue in hand at that time. Note that Legend has an out of UK hours support desk
    running from its Canada office. If customers would rather that the Legend staff in Canada should not
    see their data for providing support they should say so at the time of the call although his may limit
    the advice that may be given.
    Implementations & Training. To migrate data from or between systems at the express instruction of
    the customer. To provide specific training using the customers own data.

    Version 1.1 Legend GDPR Information Document


    Page 5
    CONTROLLED
    Database Administrator. To conduct administration tasks in line with the maintenance of the
    database.
    Note that staff whose role might mean they access data frequently undergo background checks
    before receiving such access.

    How will Legend dispose of any paper or digital copies of our information?
    Legend will rarely print any copies of personal data. Where this is required we operate a policy of
    shredding any information which might contain personal data.
    Digital data is only ever stored at our datacentres and we have a policy of not storing customer data
    on any standalone devices. Should a customer move away from Legend the digital data will be
    removed to an agreed process and timeline agreed with the customer. Any redundant disks will be
    destroyed and certified destroyed by an appropriately approved data destruction company.
    Where data is to be removed in line with the customer data retention policy, personal information is
    redacted from the database. This is under the control of the customer by the setting of data
    redaction rules. These can cater for redaction on an individual or club basis.

    Is Legend data shared with any third parties?


    Legend only shares data with third parties to provide services contracted with our customers and
    with the approval of our customers. Examples of such third parties might be but not limited to:
    Mailing companies
    Retention companies
    Gym equipment systems
    Legend assesses all such parties and by default looks for those with the appropriate information
    security systems in place. Where a customer requires a third party link outside of our vetting process
    we will highlight the responsibilities of the customer to accept that risk.

    Does Legend hold any ISO Accreditations that are relevant to data protection?
    Yes. Legend holds the following ISO/IEC accreditations:
    ISO9001:2015
    ISO27001:2013

    Does Legend hold any data outside of the United Kingdom or the European Economic Area (EEA)?
    No. Legend data is stored within the datacentres in Wakefield and Northampton.
    Note that we can only answer for data stored by Legend. Customers should validate this area with
    third parties who they wish to use with links to Legend.

    Version 1.1 Legend GDPR Information Document


    Page 6
    CONTROLLED
    Has Legend had any data protection breaches in the last 12 months which have been reported to
    the Information Commissioner?
    No.

    Has Legend performed any security tests on the IT infrastructure or software?


    Yes. Legend undertakes annual software penetration tests where any vulnerabilities are assessed by
    their CVSS score and actioned accordingly. Additionally Legend undertakes regular ASV scanning of
    its networks.

    Does Legend have any other provisions in place in relation to protection / compliance under the
    General Data Protection Regulations that has not been covered above?
    No.

    Has Legend conducted a Data Protection Privacy Impact Assessment (PIA) on its system?
    Yes. Legend has conducted a Privacy Impact Assessment is such a manner that its customers can
    adapt it for their own use in relation to data stored in the Legend system.

    Can data be exported from Legend in line with an information access request from an individual?
    Yes. There is a standard report in the New Reports section that allows a single members personal
    data to be extracted in printed form or electronic such as CSV or XLSX. Note that it is the customers’
    responsibility to validate the authenticity of, and to put in place suitable approval processes for such
    requests.
    Legend will not initiate any such release of data unless at the express request of the Data Controller.

    How is ‘consent’ managed in Legend?


    There are eight standard consent items in the terms of communication preferences. Four for own
    use and four for 3rd party use. These are split into email, text, phone and letter. There is also the
    option to create extra consent items in the software if required.
    Legend is not responsible for the gathering of consent from members for its customers.

    Version 1.1 Legend GDPR Information Document


    Page 7
    CONTROLLED

    Você também pode gostar