The General Data Protection Regulation (GDPR) is a new law brought in by the European Union that came into effect on 25th May 2018. Two initial points to make are that it can be potentially very costly for those found in breach of GDPR, particularly larger organisations who deal with large amounts of personal information on a daily basis. Secondly, this new regulation applies to anyone collecting data from within the EU. So if you’re a personal trainer based outside of the EU who delivers online exercise plans to clients within the European Union, this law still applies to you.
Regardless of the size of the organisation, whether an independent PT studio or a multi-site health club chain, everyone working in the active leisure industry needs to be increasingly mindful of the personal data they collect from users, customers and clients, and what this information is used for. Generally speaking, GDPR looks to bring in stricter rules around collecting, storing and processing customer data.
More information and advice can be found on the ICO’s website. Those working in health and fitness have the potential to come into contact with a wealth of personal information, and in some cases that information could be highly sensitive in nature. This information could include:
- Payment/card details
- Medical information (e.g. height, weight, medical conditions, disabilities)
The majority of fitness facilities will already have procedures in place for securing and processing data, and there’s a chance these will already be GDPR-compliant. It’s still important for every fitness professional, particularly those who are freelance/self-employed, to be aware of the principles of GDPR.
Before the finer points of GDPR can be explored, it’s important to define a few key terms.
Firstly, GDPR applies to two roles: controllers and processors. A controller is a person who determines the purposes and means of processing personal data. The second role is the processor, who is responsible for processing personal data on behalf of a controller. This processing could involve the collection, recording, storage and even deletion or destruction of personal data. Under GDPR, specific legal obligations fall on processors; for example, they have legal liability if they are responsible for a data breach.
Data controllers still have obligations, and they must ensure the contracts in place with processors are GDPR-compliant. An easy-to-grasp example is a gym using an external company to collect direct debit payments for monthly memberships. The external company is the processor and would have to take legal responsibility for any data breaches that occurred with the data that they’ve collected.
As previously mentioned, GDPR not only applies to processors or those processing data who are based in the EU, but also to those based elsewhere who offer goods and services to individuals within the EU.
Processing personal data
1 – Personal data must be processed in a lawful, fair and transparent manner
2 – Any data must be collected for a specific and stated purpose. It must be explained to the user/customer/client why that data has been collected and what it is going to be used for
3 – Data collected must be relevant to a specific task; in other words, minimise the amount of data collected where possible
4 – Personal data must be kept up to date and accurate
5 – Data must not be stored for longer than is necessary
6 – Personal data must always be stored securely
It’s not just a case of ensuring personal data satisfies GDPR’s principles; it must also be processed in a lawful manner. Simply put, a controller must satisfy at least one of the following conditions:
Consent – The data subject (user/customer/client etc) must give explicit consent that their data can be stored and used
Contractual performance – The personal data is required to perform a contract or enter into a contract. A simple example would be payment details needed by a gym in order to bill a customer for their monthly gym membership
Legal obligation – The controller has a legal obligation to process personal data
Vital interests – The information is necessary to protect the interests of the data subject, for example, any underlying medical conditions a client has that could impact their ability to exercise
Public interest – The controller is processing personal data as it is justified by public interest
Legitimate interest – Processing is necessary for the purposes of legitimate interest, for example, direct marketing
If you’re processing sensitive data, then as well as meeting one of the above processing conditions, the processing must also satisfy one of the following special data conditions, all of which are self-explanatory:
- Employment purposes
- Not for profit
- Data has been made public
- Legal proceedings
- Health purposes
- Archiving and research
Consent has been one of the most widely talked about topics related to GDPR; it’s also the most commonly used processing condition. Consent is defined as “a freely given, specific, informed and unambiguous indication of the data subject’s wishes”. Consent must be given by a positive statement or by a clear affirmative action, for example, a client ticks a box on your website stating that they would like to receive your email newsletter.
In order to meet GDPR’s requirements, these consent conditions must be satisfied:
- Clear and simple language
- Separation – consent for multiple things must be clearly defined
- Opt-in – not taking action or pre-ticked boxes don’t count as giving consent
- No bundled consents – the data subject must provide individualised consent for all the data that’s being collected
- Genuine choice
- No imbalance of power
- Freedom to withdraw consent
- Explicit consent for sensitive data
GDPR also introduces two new rights for data subjects, building upon the three rights that already exist under current data protection law. The five rights in total are:
- The right to object to direct marketing
- The right to make a data subject access request
- The right to object to being subject to automated decisions having a legal or significant effect
- The right to be forgotten (or the right to erasure)
- The right to data portability
While GDPR as a whole may seem complex and even confusing at times, the basics are straightforward to grasp. In fact, if you’re a freelance professional who has always been mindful of data protection rules and best practices, then you may find you only need to make minor tweaks to how you collect, store and use personal data. Some larger fitness organisations may find they have a lot of work to do to become GDPR compliant, while others may not have to make any wholesale changes at all.
Particularly if you’re a freelance professional or have been tasked with ensuring your gym, studio or club is GDPR compliant, here are a few simple first steps to take:
Perform a data audit – Formally this is known as a Data Protection Impact Assessment (DPIA), and the size of the organisation and the number of clients/customers served will influence how long this audit takes. Important questions to ask are:
- What personal information do you currently have?
- Where is it stored?
- What is it used for?
- Who has access to it?
The results of the data audit may be as you’d expect or they may surprise you. You may discover that you’re collecting much more personal data from clients or customers than you actually need. If that’s the case then you should find any data you no longer need or use and securely delete it, securely being the operative word.
Ensure you get consent – Following on from the above, it’s important that prospects, customers and clients always provide consent. This relates to everything from signing up and paying for your services, to receiving a newsletter, and even to getting a phone call after they’ve made an initial enquiry.