Are annual independent reviews of Data Protection and Security Assessments, including penetration and vulnerability assessments, carried out to identify privacy and security risks for the required service?

Yes. ISO27001 is a rigorous standard to maintain, which demonstrates how seriously we take customers’ data and information security. This means that we undergo regular external and internal audit, third-party scanning and penetration tests to maintain our ISMS.

How will you ensure the systems and procedures comply with the principle of "Data Protection by Design", so it promotes security and data compliance throughout the whole process?

The solution has been designed from the bottom up to protect data and privacy and, prior to GDPR, in accordance with Data Protection legislation. The Legend solution is designed and configured to meet high levels of security, access control and data protection, ensuring that only minimal changes have been needed to enhance the system to fall within the new guidelines.

All staff are trained and regularly educated on ISO27001 matters including processes, threats and countermeasures. The system development process includes regular forums conducted in an environment of continuous improvement.

We supplement this with periodic externally conducted penetration tests and monthly network scans to draw attention to issues or vulnerabilities so that these can be proactively remedied. Day-to-day, development coding is subject to peer code review and architecture analysis. All developments are then further tested through independent Quality Assurance and User Acceptance Testing prior to release. Post-release monitoring is performed on the system to identify any issues that could affect security.

As per our ISO27001 ISMS procedures, Legend ensures that all infrastructure is kept up to date with the latest operating system, hardware and firmware patches, ensuring all devices receive the latest security patches.

Legend has active maintenance contracts with all hardware and software suppliers. This means that all patches are tested and checked for reliability and security by the manufacturer prior to deployment. They are then tested by Legend against a non-live environment before being released to the live environment.

Critical patches that may affect system uptime or carry serious security risks are applied within one week of notification of the patch. All patches are released during our maintenance window and do not affect the performance of live operations. In the unusual event where a patch is so critical it needs to be applied outside of the maintenance window, the customer will be notified and we will liaise with them to agree a release time in order to minimise risk and impact.

Legend also has in place Security Incident and Event Monitoring and Two Factor Authentication security for access to key infrastructure services.

How can users serve a request by a data subject (e.g. member) asking what information is held on them?

The Legend system has standard reports to produce a list of the relevant personal information held in the system.

Is customer data stored in the UK?

Yes, it is stored in the UK only. Legend can also confirm that no data is transferred outside of the European Economic Area in its data processing activities. This statement applies to backups and archives too.

Can it be accessed by Legend staff outside of the UK (e.g. Canada)?

Access is normally limited to UK staff. In certain circumstances, out of hours support could be provided from our Canadian office, at all times subject to the same internal processes and controls as in the UK. Further, the Legend support representative is only able to view a session or login if the user first consents. If there were a desire not to permit support from Canada this could be catered for, but may limit some out of hours support availability.

How will the system meet the consent mechanisms within the GDPR?

Legend provides the ability to record consent at many levels, including customer specific consent. Consent choices can be easily updated by staff or members. Customers need to be mindful that the way they obtain consent should be in line with the GDPR guidelines.

Will the solution be updated at Legend’s cost to comply with the GDPR?

Yes, Legend is committed to maintaining and updating customers’ legislative requirements and warrants that this service will be ongoing.

Will the solution be updated prior to the effective date of the GDPR?

Yes, through Legend’s seamless free upgrades process.

FURTHER INFORMATION

ICO guidance on preparing for GDPR

Health Club Management Article