
GDPR & the Legend Solution

FREQUENTLY ASKED QUESTIONS

The European Union General Data Protection Regulation (GDPR) will take effect in the UK on 25th of May 2018, placing increased data security and privacy responsibilities on all organisations handling data. Legend delivers answers to questions that are frequently asked on this topic.

How will Legend ensure that personal data is processed in accordance with GDPR?

Legend is registered with the Information Commissioner’s Office (registration Z9255164, since 2005). Legend acts as a data processor for its customers through the provision of its management system in a Software-as-a-Service model. Personal data in the Legend system is protected by being held exclusively at secure Tier III certified datacentres that are ISO27001 certified and PCI DSS compliant, with system access controlled by strict security measures limiting access to authorised users only. Legend also holds ISO27001 certification and operates within a tightly managed Information Security Management System (ISMS), which is audited externally by the British Standards Institute. All Legend staff are trained regularly on information security and are independently vetted with background checks where data access is required as part of their job function.

How will Legend help enforce the customer’s “right to be forgotten” and ensure that out of date data is deleted or destroyed?

The Legend solution has a data redaction facility which enables personal data to be redacted whilst retaining the non-personal management information and statistics. Redaction can be triggered by individual request or linked to a business rule which can be set in the system, such as nn-months after a member leaves. This allows each customer to have its own data retention policy in their Legend system. Once redacted, an individual's personal information record is no longer available in general use.

In special cases, such as in a dispute, claim or for legal reasons, requiring access to an individual's record after redaction, it is possible to identify and access that record but only via a secure route outside of the operational Legend system and only with the associated permission activated.

Should there be a need to delete the data, for example at contract end, this is undertaken by Legend in accordance with industrial data disposal standards. Additionally, on hardware disposal, all decommissioned media is securely wiped and destroyed as part of the hardware disposal process in line with our ISO27001 processes. Similarly, the destruction of failed hard drives is a controlled process. We use a combination of specialist firms for drive destruction, depending on supplier, and the service provided by HP for all HP drives.

How will Legend maintain security of customers’ data with reference to physical security of locations?

The Legend system is hosted exclusively at two secure Tier III data centres: a primary and a secondary datacentre. The datacentres have the following physical security controls in place: perimeter security; manned physical access controls with access by appointment only; anti-ram barriers; restricted access to information processing and storage areas.

In addition to this, our offices are access controlled and have physical security risk assessments which analyse and identify controls for the following: fire and flood protection requirements; building services, equipment and utilities resilience; business continuity requirements; business insurance and indemnity requirements.

Legend also operates a clear desk and screen policy which applies to all staff. No customer data is held at our offices.

How will Legend maintain security of customers’ data with reference to security of individual databases?

Access to individual data tables containing sensitive information is protected by system security settings. System data is stored and transmitted securely using appropriate encryption protocols. Further, the Legend system utilises separate, discrete databases per customer.

How will Legend ensure the reliability of its employees who have access to personal data?

All Legend staff that are supporting or accessing the system are background checked and regularly audited for access control as part of our ISO27001 ISMS. Legend certifies that all individuals who are involved in your contract and the software development process pass the appropriate background investigation.
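The "right to be forgotten" answer above describes a redaction facility that blanks personal data while keeping the non-personal management information and statistics, triggered either by a data subject's request or by a customer-set retention rule such as nn-months after a member leaves. The following is an added illustration of that pattern in Python; it is not Legend's code, and the record fields, the policy shape and the sample members are constructed for the example.

```python
"""Retention-based redaction that keeps aggregate statistics intact.

Hypothetical example, not the Legend product's own code. The set of
fields treated as personal data, the RetentionPolicy shape and the
sample records below are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

# Fields treated as personal data (constructed list). Everything else on the
# record is management information that survives redaction.
PERSONAL_FIELDS = ("name", "email", "phone", "postcode", "date_of_birth")
REDACTED = "[REDACTED]"


@dataclass(frozen=True)
class Member:
    member_id: int
    name: str
    email: str
    phone: str
    postcode: str
    date_of_birth: Optional[date]
    plan: str                # non-personal MI
    joined: date             # non-personal MI
    left: Optional[date]     # None while still a member
    visits: int              # non-personal statistic
    redacted: bool = False


@dataclass(frozen=True)
class RetentionPolicy:
    """Per-customer business rule: redact nn months after a member leaves."""
    months_after_leave: int


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later` (partial months ignored)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def redact(member: Member) -> Member:
    """Blank the personal fields, keep MI/statistics, and flag the record."""
    if member.redacted:
        return member
    changes = {f: REDACTED for f in PERSONAL_FIELDS if f != "date_of_birth"}
    changes["date_of_birth"] = None
    changes["redacted"] = True
    return replace(member, **changes)


def is_due(member: Member, policy: RetentionPolicy, today: date) -> bool:
    """A record falls due once the member has been gone for the policy period."""
    if member.left is None or member.redacted:
        return False
    return months_between(member.left, today) >= policy.months_after_leave


def apply_retention(members: List[Member], policy: RetentionPolicy,
                    today: date) -> Tuple[List[Member], List[int]]:
    """Business-rule trigger: redact every record that is due.

    Returns the updated records and the ids redacted, so the caller can keep
    an audit trail that itself contains no personal data.
    """
    out, done = [], []
    for m in members:
        if is_due(m, policy, today):
            out.append(redact(m))
            done.append(m.member_id)
        else:
            out.append(m)
    return out, done


def redact_on_request(members: List[Member], member_id: int) -> List[Member]:
    """Individual-request trigger: redact one record regardless of the rule."""
    return [redact(m) if m.member_id == member_id else m for m in members]


def aggregate_stats(members: List[Member]) -> dict:
    """Statistics computed only from non-personal fields, so they are unchanged
    by redaction."""
    return {"members": len(members),
            "visits": sum(m.visits for m in members),
            "by_plan": dict(Counter(m.plan for m in members))}


# Constructed sample data: one lapsed member past the retention period, one
# lapsed member inside it, one active member.
SAMPLE_MEMBERS = [
    Member(1, "A. Example", "a@example.invalid", "01632 000001", "EX1 1AA",
           date(1980, 1, 1), "Gold", date(2015, 3, 1), date(2017, 10, 1), 120),
    Member(2, "B. Example", "b@example.invalid", "01632 000002", "EX1 1AB",
           date(1990, 6, 15), "Silver", date(2016, 7, 1), date(2018, 2, 1), 40),
    Member(3, "C. Example", "c@example.invalid", "01632 000003", "EX1 1AC",
           date(1975, 12, 31), "Gold", date(2014, 1, 1), None, 300),
]

if __name__ == "__main__":
    policy = RetentionPolicy(months_after_leave=6)
    records, redacted_ids = apply_retention(SAMPLE_MEMBERS, policy, date(2018, 5, 25))
    print("redacted by rule:", redacted_ids)
    print("stats before:", aggregate_stats(SAMPLE_MEMBERS))
    print("stats after: ", aggregate_stats(records))
```

The design point is the split into personal and non-personal fields: `redact` only ever touches `PERSONAL_FIELDS`, so `aggregate_stats` returns the same figures before and after a redaction run, and `apply_retention` hands back only member ids for the audit trail. Both triggers the answer mentions share the same `redact` step, which is what makes the behaviour consistent whichever path set it off.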

Are annual independent reviews of Data Protection and Security Assessments, including penetration and vulnerability assessments, carried out to identify privacy and security risks for the required service?

Yes. ISO27001 is a rigorous standard to maintain, which demonstrates how seriously we take customers’ data and information security. This means that we undergo regular external and internal audit, third-party scanning and penetration tests to maintain our ISMS.

How will you ensure the systems and procedures comply with the principle of "Data Protection by Design", so it promotes security and data compliance throughout the whole process?

The solution has been designed from the bottom up to protect data and privacy, also, prior to GDPR, in accordance with Data Protection legislation. The Legend solution is designed and configured to meet high levels of security and access control, and data protection, ensuring that only minimal changes have been needed to enhance the system to fall within the new guidelines.

All staff are trained and regularly educated on ISO27001 matters including processes, threats and counter measures. The system development process includes regular forums conducted in an environment of continuous improvement.

We supplement this with periodic externally conducted penetration tests and monthly network scans to draw attention to issues or vulnerabilities so that these can be proactively remedied. Day-to-day, development coding is subject to peer code-review and architecture analysis. All developments are then further tested through independent Quality Assurance and User Acceptance Testing prior to release. Post-release monitoring is performed on the system to identify any issues that could affect security.

As per our ISO27001 ISMS procedures, Legend ensures that all infrastructure is kept up to date with the latest operating system, hardware, and firmware patches, ensuring all devices receive the latest security patches.

Legend has active maintenance contracts with all hardware and software suppliers. This means that all patches are tested and checked for reliability and security by the manufacturer prior to deployment. They are then tested by Legend against a non-live environment before being released to the live environment.

Critical patches that may affect system uptime or carry serious security risks are applied within one week of notification of the patch. All patches are released during our maintenance window and do not affect the performance of live operations. In the unusual event where a patch is so critical it needs to be applied outside of the maintenance window, the customer will be notified and we will liaise with them to agree a release time in order to minimise risk and impact.

Legend also has in place Security Incident and Event Monitoring and Two Factor Authentication security for access to key infrastructure services.

How can users serve a request by a data subject (e.g. member) asking what information is held on them?

The Legend system has standard reports to produce a list of the relevant personal information held in the system.

Is customer data stored in the UK?

Yes, it is stored in the UK only. Legend can also confirm that no data is transferred outside of the European Economic Area in its data processing activities. This statement applies to backups and archives too.

Can it be accessed by Legend staff outside of UK (e.g. Canada)?

Access is normally limited to UK staff. In certain circumstances, out of hours support could be provided from our Canadian office; at all times subject to the same internal processes and controls as in the UK. Further, the Legend support representative is only able to view a session or login if the user first consents. If there were a desire not to permit support from Canada this could be catered for but may limit some out of hours support availability.

How will the system meet the consent mechanisms within the GDPR?

Legend provides the ability to record consent at many levels, including customer specific consent. Consent choices can be easily updated by staff or members. Customers need to be mindful that the way they obtain consent should be in line with the GDPR guidelines.

Will the solution be updated at Legend’s cost to comply with the GDPR?

Yes, Legend is committed to maintaining and updating customers’ legislative requirements and warrants that this service will be ongoing.

Will the solution be updated prior to the effective date of the GDPR?

Yes, through Legend’s seamless free upgrades process.

FURTHER INFORMATION

ICO guidance on preparing for GDPR

Health Club Management Article
