Marlborough House, Westminster Place

York Business Park, York, YO26 6RW

[email protected]
www.legendware.co.uk
(T) 01904 529 575

Legend GDPR Toolkit

Contents

Overview ................................................................................................................................................. 3
Purpose ................................................................................................................................................... 3
Data Governance .................................................................................................................................... 3
Collecting & Using Data .......................................................................................................................... 4
Purpose Limitation .............................................................................................................................. 5
Privacy by Design ................................................................................................................................ 5
Data Protection Impact Assessments ................................................................................................. 6
Retention Periods ............................................................................................................................... 6
Record keeping ....................................................................................................................................... 6
Data Security ........................................................................................................................................... 7
Security Controls ................................................................................................................................. 7
Data Breaches ..................................................................................................................................... 8
Third party suppliers ........................................................................................................................... 9
International data transfer ................................................................................................................. 9
Individual Rights ...................................................................................................................................... 9
Right of Access .................................................................................................................................... 9
Right to be forgotten ........................................................................................................................ 10
Summary ............................................................................................................................................... 10

Legend GDPR Toolkit

Page 2
Overview

From 25 May 2018, all organisations in the UK will be subject to the General Data Protection Regulation
(GDPR). GDPR builds on existing data protection laws to give individuals more rights in relation to their data,
and places an increased onus on all organisations, whether commercial companies or not-for-profit
organisations to secure individuals’ data and use it only as necessary. GDPR will ensure that data is kept more
secure, and that organisations only hold the data that they need to. It will also increase transparency as to how
data is used.

Organisations holding personal data will need to be prepared to give more information to people about what
they do with those people’s data, why, and for how long it is retained. They must also keep the information
secure. This may involve the use of a secure database such as the Legend system but if you store data in other
ways, you will need to think carefully about how this data is secured.
In the UK, the data protection regime is monitored and enforced by the Information Commissioner’s Office
(ICO). The ICO has a large amount of guidance available on its website, which can be found here:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Data protection can be a complex area, and this toolkit is not intended to give every answer to every scenario
or question, and Legend customers should review guidance on the ICO website. It is, however, a starting point
for Legend customers. It does not seek to give legal advice.

Purpose

Legend has put together this toolkit to help its customers in the following ways:
• To understand what the new data protection laws require
• To provide practical steps to achieve compliance
• To signpost to further resources to help achieve compliance.

Data Governance

It is important that someone takes proper responsibility for privacy and data within your organisation and,
ideally, they should have some relevant experience. We recommend that this person is a member of the
management team so that they will have visibility of how data is used throughout the organisation.
Some organisations are legally required to designate a formal Data Protection Officer and for this person’s
contact details to be provided to the ICO. Others may choose to, and some law firms, or consultancies, can
provide an outsourced service. Whether or not you formally register a Data Protection Officer with the ICO,
what is important is that there is at least one person in your organisation tasked with understanding what data
is used and why.
The ICO has produced guidance on Data Protection Officers, which can be found here: https://ico.org.uk/for-
organisations/guide-to-the-generaldata-protection-regulation-gdpr/accountability-and-
governance/dataprotection-officers/.

Legend GDPR Toolkit

Page 3
Action: You should designate someone to take responsibility for data protection compliance and where this
role sits within your organisation.

Collecting & Using Data

A fundamental principle of GDPR is that an organisation must only use data fairly, lawfully and transparently. It
must be clear to an individual how it uses his or her data, and why. This is usually set out in a privacy notice,
which is generally available on the website at the bottom of the home page.
You must be clear on why you are collecting and using data and then only use it for those purposes. There are
a number of lawful ways in which an organisation can use an individual’s data. Sometimes an individual must
give consent for his or her data to be used, but in many cases consent is not actually necessary.
You will need to ensure that the reasons for handling individuals’ data fall within one of the lawful grounds for
processing set out in the GDPR and the new law which will enact it. The principal grounds are set out below.
Note that this means that you will often have an alternative to seeking the individual’s consent for their data
to be used.

How Legend can help you.

Legend has prepared a Personal Data Summary detailing what personal information is stored within the
Legend membership System, what it is used for and giving examples of where you might send the data to.
Note the list is not exhaustive of the areas you may share data with. This will become apparent from your own
data audit exercise.

Legitimate interest providing this is not outweighed by the rights and interests of the individual.
The basic running of a leisure facility will rarely need consent. The following processes will not require an
individual’s consent (but you will need to explain to individuals that you are carrying out this processing. This
should be done through a privacy notice – see below):
• inputting members details onto your membership management system.
• recording who officiates at matches
• maintaining lists of members, parents of children at a club, staff etc.
Legal obligation. An organisation may process an individual’s data if there is a legal obligation to do so. For
example, where you are required to maintain accounting records, or provide information to HMRC, this will be
subject to a legal obligation.
Performance of a contract. An organisation may use an individual’s data where it is necessary for the purposes
of performing a contract. An example of this would be using someone’s details for access/use of the leisure
facilities or booking an activity.
Consent. There are some circumstances when you will need consent. Email marketing is a good example of
this - you need consent to sign an individual up to receive marketing or promotional material by email, either
from the organisation, or from its sponsors or partners, unless you can rely on the soft opt-in. This must be
“clear, affirmative consent” – it must be opt in, separate from other documents and cannot be bundled with a
service or other unrelated offer (for example, you cannot make entry into a competition conditional on giving
consent to marketing). Where you need an individual’s consent, it is important that you record that this has
been given. Note that children cannot give consent for online services, like marketing – for those defined as a
child under GDPR, you will need parental consent.

Legend GDPR Toolkit

Page 4
It may be that your newsletters sent out digitally might contain some sponsor advertisements or links to
websites. When a document ceases to be a legitimate update, and starts to be marketing, is a question of
degree, but a useful rule of thumb is that if adverts are incidental to the newsletter, it is not a marketing
communication.
More detail on direct marketing rules can be found on the ICO website: https://ico.org.uk/media/for-
organisations/documents/1555/direct-marketing-guidance.pdf.
Privacy Notices. How you use an individual’s data should be set out in a privacy notice. If you undertake other
activities, you may need to add to this, or provide a separate notice. This privacy notice must be available to
anyone whose data you use. The most obvious place for this to be made available would be on the website of
the club.
Cookie Policies. If your club has a website, they will also need a policy setting out how that website uses
cookies. These tend to be in standard form and will often be provided by the company that has produced your
website.
The ICO has provided a guide to privacy notices, which can be found here:
https://ico.org.uk/fororganisations/guide-to-data-protection/privacynotices-transparency-and-
control/privacy-noticesunder-the-eu-general-data-protection-regulation/.

Purpose Limitation

Individuals’ data can only be collected and used for specified and legitimate purposes. It must not be used
further in a way that is incompatible with these purposes.
Ensure that you have a process in place that does not allow individuals’ data to be used beyond what you have
told individuals you will use their data for. For example, if you collect individuals’ data for general
administrative purposes, you cannot automatically add them to a database of people who receive commercial
mailings from sponsors.
The ICO has further details on this on its website, which can be found here:
https://ico.org.uk/fororganisations/guide-to-data-protection/principle-2-purposes/.

Privacy by Design

Related to transparency, another principle of the law is that organisations must only hold and use the data
that they actually need to use.
Even where there is a legitimate interest, or consent, for collecting and using data, you should ensure that you
only collect the data that you actually need.
When collecting data, consider why you are doing so, and what you need. Every piece of data you collect
should be necessary for a purpose you have set out in your privacy notice. For example, only collect bank
details if you actually need to use them. In particular, be careful only to collect sensitive data (such as
ethnicity, health information, religion or sexuality) if this is absolutely necessary for a particular purpose.
Always consider if you could use information at an anonymous level instead. It may be that you do need to
collect health and medical information, for example to ensure members are not exposed to any activity
harmful to their wellbeing. This will need consent.
Another principle is that data must be accurate and kept up to date. The law requires that “every reasonable
step” is taken to ensure that inaccurate data is erased or corrected. You should review the data you hold on a
regular basis. This includes data held on the Legend system as well as any other records.

Legend GDPR Toolkit

Page 5
More detail on this principle can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-
dataprotection-regulation-gdpr/principles/.

Data Protection Impact Assessments

Where the club is using individuals’ data, there are some occasions when it must conduct a Data Protection
Impact Assessment (DPIA). DPIAs are required where new technologies are used and there is a high risk to the
rights of individuals. This may be required if a club has or installs CCTV on a large scale or if new technology
such as facial recognition or biometric access is introduced.
Further details on when a DPIA must be carried out can be found here: https://ico.org.uk/for-
organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-
protectionimpact-assessments/.

How Legend can help you.

Legend has created a number of documents to help you in your practical steps. Provided in this toolkit is:

 Legend Privacy Impact Statement. A document written to act as a basis for your PIA. It contains the
Legend stance and guidance on where to complete your own statements.
Further guidance on how to carry out a DPIA can be found here: https://ico.org.uk/media/for-
organisations/documents/1595/pia-code-of-practice.pdf.
The ICO has also produced a code of practice for CCTV, which can be found here: https://ico.org.uk/media/for-
organisations/documents/1542/cctv-codeof-practice.pdf.

Retention Periods

You will need to state the maximum time period for which you will retain individuals’ data. It may be that you
need to retain data for a long time. You may keep some data indefinitely for historical and record purposes,
such as usage records. For other information, it will be appropriate only to keep data for a shorter period of
time. For example, you will not need to keep bank details of former employees.
You could include retention periods within the privacy notice, but you must ensure that you actually follow the
policy and delete data when you say you will. You may also wish to generate a more formal data retention
policy covering all personal data – members and staff.
It is acceptable to retain members’ details whilst they are members – it is not necessary to remove them and
add the details afresh each year.
Having all of this data in one place, such as the Legend Membership System, will make this process easier.
The ICO has produced guidance, which can be found here: https://ico.org.uk/for-organisations/guide-todata-
protection/principle-5-retention/.

Record keeping

One of the key areas of GDPR is that an organisation will have to demonstrate that it is compliant.
Consequently, there is a larger emphasis on record keeping. You will need to keep records of:

Legend GDPR Toolkit

Page 6
 • The data controller – this will be the party that determines the purposes for which and the manner
in which any personal data are, or are to be, processed.
• The purposes of why you process data;
• How long you process data
• A description of the categories of individuals whose data you hold
• A description of how data is shared with, or obtained from, third parties and any international data
sharing that goes outside the EEA.
Your Privacy Notice will be a key provider of most of this information and you’re a likely to have a current
version on your website. Most are found as a link at the very bottom of the home page.
Action: You should review your Privacy Notice.
You will also need a register of processing activities, at least for the sensitive and regular data processing that
you carry out. This is in effect an internal register that sets out how your organisation uses data. Guidance and
templates for this record of processing can be found on the ICO website.

How Legend can help you.

Legend has created a number of documents to help you in your practical steps. Provided in this toolkit is:

 Legend Register of Processing Activities (ROPA). A summary of what Legend does with your data as a
data processor

If you rely on certain legal grounds for processing sensitive data, like processing sensitive data for employment
law purposes, you will also need a policy document setting out how you approach data protection principles,
particularly retention and deletion.
You should also consider if any particular teams or people in your organisation need guidance on how to
handle data, or requests for individuals. Consider here temporary staff or subcontracted personal trainers.
You will need to produce this documentation if the ICO requests it.
For guidance on the documentation required, and in particular if you have 250 employees or more, see here:
https://ico.org.uk/for-organisations/guideto-the-general-data-protection-regulation-gdpr/accountability-and-
governance/documentation/.

Data Security

Security Controls

It will be vital for your organisation to implement appropriate security controls for all data. Some of these
controls can be technological ones, but many other controls are very practical.
A secure way to store data will be in the Legend Membership System, where significant technological security
measures are in place.
For other ways in which you store data, there are a variety of steps that you can take:
• If data is secured on a computer, ensure that antivirus software is kept up to date
• Any computer on which data is stored has appropriate password protection and is kept secure

Legend GDPR Toolkit

Page 7
 • Any hard copy documents containing individuals’ data are kept secure
• If there are any databases or spreadsheets containing large amounts of personal data, consider
whether these should be password protected.
Also be aware of how data is transferred:
• If you send out spreadsheets or lists of individuals’ data, consider whether you need to send these
all out by email, and to each recipient.
• Where emails are sent out to large distribution lists and there is no need for others to reply to all,
ensure recipients are bcc’d rather than cc’d to avoid disclosing others’ contact details.
How Legend can help you.
Legend has prepared templates that can be used to conduct self-audits on computer equipment and work
areas within a workplace.

 Legend Desk Audit Template – To assess if personal data is left in the open at workplaces
 Legend Device Audit Template – To assess if personal data is stored on local devices and that
antivirus, loaded software is authorised

A basic guide to technology security is here: https://ico.org.uk/media/for-

organisations/documents/1575/it_security_practical_guide.pdf.

Data Breaches

A data breach is, put simply, a security incident that has affected the confidentiality, integrity or availability of
personal data. There will be a personal data breach whenever any personal data is lost, destroyed, corrupted
or disclosed to an unauthorised party; if someone accesses the data or passes it on without proper
authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on
individuals.
There may be a number of ways this can happen, such as a lost laptop, a file sent to the wrong recipient or a
hack. It need not be technological, a lost hard copy file will also be a data breach.
You will need to have in place a procedure to manage a data breach. This will need to include a decision
whether to inform those individuals whose data may have been disclosed, or to inform the ICO. The key thing
to consider is that you should act quickly.
The procedure need not be complex. In fact, the simpler it is, the better. A suggested procedure might be to
have three stages with decision points for each:
1. Discovery. Initial assessment, is personal data at risk, how to stop the breach
2. Preliminary Investigation. Notify investigation team, third parties needed (such as Legend), has a
criminal offence taken place, need to notify police or ICO?
3. Formal Investigation. Involve all necessary parties, identify data involved, notify parties, legal advice,
marketing messages
Note that this is only a suggested starting point and not a formal process approved by the ICO – you should
work out a process which is appropriate for your organisation.
Where to find more information
The ICO has detailed guidance on what constitutes a data breach and what to do. This can be found here:

Legend GDPR Toolkit

Page 8
https://ico.org.uk/for-organisations/guide-to-thegeneral-data-protection-regulation-gdpr/personal-
databreaches/.

Third party suppliers

Many organisations will use third parties to process data for them. This could be another company hosting a
website or database (such as Legend), or for larger and more complex organisations other actions such as
mailing houses for larger scale mail outs, or other technological providers.
There will be limited occasions where you may be a joint controller of data with another organisation. You may
share data with a third party who uses it for different purposes, such as gym equipment providers.
Where a third party is using data on your behalf and under your instructions, it is more likely that the third
party will be a “data processor”. You will need to have a contract with that third party, and it will need to
ensure that the third party will process data in accordance with the GDPR, including having appropriate
technical and organisational measures to protect against unauthorised or unlawful processing of personal
data.

International data transfer

It may be that a third party processing data on your behalf transfers data outside the European Economic Area
(EEA). For example, data may be stored in a cloud based overseas. This is important, as many jurisdictions
outside the EEA have less stringent protections for individuals’ data. Where you engage a third party data
processor, find out whether they will hold individuals’ data outside the EEA.
If the third party will hold individuals’ data outside the EEA, then check that they can provide adequate
protection for that data by signing up to EU Commission approved model contract clauses, demonstrating that
they have authorised Processor Binding Corporate Rules, operate in a white-listed country, or can rely on a
Privacy Shield certification if they are based in the United States.

How Legend can help you.

Legend does not store data outside the EEA. This is detailed within the Legend Register of Processing Activities
(ROPA).

Individual Rights

Right of Access

An individual may request a copy of all personal data held by you. This is not a new right, but from 25 May
2018 organisations are no longer able to charge a fee for this, and the information must be provided within 30
days.
This can be an onerous task, but it is an important one. You will need to have a process for providing this. You
should have clear authorisation processes particularly where the request comes from a third party.
You will need to find all data held by the organisation on that individual. If all individuals’ data is held in one
place (for example the Legend Membership System), this will be easier. You may need to go through emails,
databases and other places where individuals’ data is stored. If an individual requests data held in Legend from
Legend GDPR Toolkit
Page 9
the club, then it is the responsibility of the club to supply this – requests should not be forwarded on to
Legend.
If an individual requests his or her data, you should engage with him or her fully. Often an individual will only
want a specific set or piece of information. It may be helpful to find out if this is the case so that only that
piece of information need be provided.
This is a complex area, as there are exemptions to a requirement to provide information, and it may not be
possible to provide an individuals’ data when it is intertwined with the data of another individual and it is not
reasonable to disclose this data. There is extensive guidance on the ICO website, here: https://ico.org.uk/for-
organisations/guide-to-the-general-data-protectionregulation-gdpr/individual-rights/right-of-access/.
How Legend can help you.
Legend Reporting has a standard report available called GDPR Data Request – member. This can be output as a
printout, csv or xlsx file format.

Right to be forgotten

There are a number of other rights afforded to individuals. These include a right to rectification if data is
incorrect, a right to erasure of data (the so called “right to be forgotten”), a right to have data restricted (so it
is not actively used), and a right to object to how data is used. There are also rights in relation to automated
decision making and rights of “portability” in some circumstances. Not all of these will be relevant.
You should also be aware that you have a right, as a business to protect yourself from fraud. For example, an
individual cannot use the “right to be forgotten” to remove all of their data if they have a debt, have a lifetime
ban from the facility, or if they are in a disciplinary process.

How Legend can help you.

Legend has a data redaction process available which can be configured to run in accordance with your data
retention rules or on an individual request to be forgotten basis. The process redacts personal data from a
member’s record but keeps the usage and transaction information so you can still run meaningful
management reports on historical data. Full details are available in the Legend Redaction Process Document.
Further information can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-
dataprotection-regulation-gdpr/individual-rights/.

Summary

You should already be discussing the implication of GDPR on your business and if you have attended one of the
many Legend briefings on GDPR it is likely you will have undertaken some of the following steps:

 Allocated a suitable person to deal with personal data within your organisation
 Ensure data protection is an agenda item on your management meetings
 Conduct a data audit to look at data within your organisation
o What data do you collect?
o How do you use that data – what is the purpose of collecting it?
o Where does the data go? (in and outside of your organisation)
o Do you need all the data you collect?
 Review your privacy notice – is it up to date and cover all data activities
Legend GDPR Toolkit
Page 10
  Review who has access to personal data
 Review password policies
 Educate staff on data protection and build an information security culture as an ethos

How Legend can help you.

Legend has a created a document giving answers to all the GDPR type questions you may have around Legend
and its systems. This can be found in the Legend GDPR Information Document.

Legend GDPR Toolkit

Page 11