The General Data Protection Regulation (GDPR) comes into force this year, 25th May to be exact. GDPR is bringing a wave of new legislation into play, changing the way you can legally handle and store customer and employee data.
Although it’s a regulation established by the European Union, it applies to all businesses that handle data belonging to a business or individual within the EU, even if you operate outside the EU. So, if you’re a US-based online personal trainer with clients in Europe, GDPR applies to you.
As a gym-owner, protecting the data of your members is vital to ensure that you stay on the right side of the law and respect the privacy of each member. But you may be overwhelmed by the idea of GDPR. So, where do you start?
We’ve created this guide and a handy downloadable, to help get you on the road to regulation compliance in no time. We cover all kinds of essential aspects like the dull legal bits, to the in-depth strategies and processes you can employ to keep your data secure and compliant.
Table of Contents
How Does GDPR Affect Fitness Businesses?
Like most modern businesses, the fitness industry has grown increasingly reliant on modern tech and data storage. However, there hasn’t been a new set of data security legislation since the Data Protection Directive in 1995, so it’s a much needed update to keep in-check with the new technology we use on a daily basis.
It affects fitness businesses as they handle data, and lot’s of it! When a customer becomes a member of your gym, they register a lot of personal and sensitive information with you, like financial information.
But whether you store customer data on the cloud, on a secure hard drive or via a third party, the legislation is relevant to you.
Keeping customer information securely is increasingly important as more and more of them live their lives online. GDPR will mean we’re all implementing the latest processes and security procedures to ensure we continue to keep their data safe.
Quite a lot actually, owing to the huge steps forward that data storage techniques have seen since 1995. But here are some of the key takeaways from the new legislation.
- Easier to exercise rights: The new legislation makes it easier than ever for customers to exercise their rights.
- More rights for customers: Your customers will have more choice over what you do with their data. They can have their data erased, opt out from marketing and more.
- Enhanced responsibility: There will be an increase in your responsibilities towards the data of your customers. You must create and document an internal record of all of your data processing and controlling activities, ensuring that they fall in line with the regulations laid out within the GDPR.
- Stricter rules about consent: Long drawls of terms & conditions are a thing of the past. GDPR will introduce the requirement for consent to be requested in a clear, easily accessible form. This means that customers must provide consent for their data to be processed, or you can not use it. Plus, you must give your customers information regarding where their data is being stored, who has access to it and much more.
- Clarity in case of a security event: If there has been a breach in your data security, which may “result in a risk for the rights and freedoms of individuals”, you must inform your customers within 72 hours.
- Enormous fines: If you fail to adhere to these new rules, there is a huge penalty for doing so. Your business could be fined up to 20 million euros, or 4% of your income, whichever is greater.
These are some of the key points to take onboard, but for the full rundown of the new rules, click here.
What Should You Do First?
Initially, it’s crucial to identify exactly what personal data you hold, where you store it and how much of it there is. Some questions to consider are:
- What quantity of customer data is stored within your business?
- In which manner is this customer data stored?
- Have your customers all given consent to have their data stored?
- Who can access this data?
- Has this data been transferred anywhere? And if so, where?
- What procedures do you have in place to dispose customer data?
These steps can help towards formulating a plan of approach for implementing GDPR regulations, and will make the entire process much smoother and easier.
Completing this data audit should allow you to draw up an extensive analysis of all the data your business currently handles, and where you need to improve in order to fall in line with the GDPR.
The former EU “Cookie Law” is also being overhauled by the EU and is called the ePrivacy Regulation. It will have the same global application and fines as the GDPR. It will supplement the GDPR and will apply to all digital communication providers and cover metadata, cookies, direct marketing, and online marketing.”
Linda Priebe – Attorney, Culhane Meadows
What Can You Improve?
The next step on the road to GDPR compliance is making the necessary adjustments and improvements to your business to ensure you’re up to speed and covering all bases. Here’s a breakdown of some crucial points to consider during this process:
- Collate and revise all documentation that is sent out to your members, to make sure it’s compliant with GDPR standards. (Disclaimers, marketing information etc)
- Evaluate the policies you have in place regarding data handling, and act on any improvements that are needed
- Identify any changes and upgrades that may be needed on your IT systems. Remember: Old software and hardware always pose a security risk
- Ensure your current consent request documentation is thorough enough to meet the standards set out by the GDPR
- If your business is based in the EU, you will need to revise any contracts you have with businesses situated outside its borders
- Make sure your data collection procedures let your members know exactly why you’re requesting their data
- Keep your employees trained in the latest data privacy practices, and make sure they know of the changes coming with GDPR
- Check your online and offline marketing materials (website, flyers etc) for any information or imagery that may need consent from the persons involved.
- For the future, instill consent gathering procedures for any marketing materials
Top Things to Check to Make Your Gym GDPR-Ready
- Be 100% clear about what you do with the member data that you store; ideally, put this in your terms and conditions to ensure clarity
- Create and maintain contracts with any third party data processors you do business with. At Virtuagym, we’ll be creating and sharing a data processing agreement that takes yours, and our, roles in GDPR into account.
- Audit your current data handling procedures, implement any changes that are need to maintain a safe and consistent workflow
- Personal and sensitive data that clients share with you is protected under GDPR, ensure you handle it accordingly
- If a member revokes their data, and no longer wishes to be maintained on your systems, their data must always be erased
The GDPR can appear daunting. A huge overhaul of any kind of legislation will bring its own unique challenges, especially when it concerns something as sensitive as private data.
But by preparing in advance, and making sure your business complies with the necessary legal frameworks, you can make sure your gym is safe, secure and the perfect place for members to enjoy.
Virtuagym will be GDPR ready when the 25th of May 2018 rolls around, and we’ll be happy to assist all of our clients in the process of becoming GDPR compliant.