If your business operates inside the EU (or you have EU prospects or clients) then GDPR applies to you.
As of 25 May 2018 the new data protection laws become enforceable and there’s a potential fine of up to 20 million Euros or 4% of your global turnover (whichever is higher).
The information contained on this page should not be taken as legal advice.
Why does it matter to you?
You want to become the leading health and fitness professional in the local area, right? Well, that place comes with some responsibility.
If you’re charging what you’re worth then it’s important that you’re also up on the business aspects of things. GDPR is there to protect individuals’ data.
What is GDPR?
GDPR (the General Data Protection Regulation) is the new data protection law that covers the entire EU. It protects the data of individuals located inside the union (the territorial scope, set out in Articles 3 and 4, treats all data subjects located inside an EU member state as covered by the regulation) by setting out rules on the use, storage and processing of any personal data.
That personal data can cover:
- Phone number
- Date of birth
- Bank details
There’s also stricter guidance on the storage and use of personal data that is considered sensitive data: this is any information about a person’s sexual preference, religion, political affiliation, trade union membership, and health and medical information (among other things).
This means that you, as a health and fitness professional, should take this new law seriously. Not simply because of the increase in the maximum allowable fine, but because you don’t want to look like an idiot in front of your clients, or actually have a data breach/loss and then be investigated by the ICO (Information Commissioner’s Office, or the equivalent regulatory body in your EU member state).
Legal Grounds for Processing
In order to store or use any personal data of an individual you first need to decide on the legal grounds for processing those data. It can be as simple as a prospect sending their details through a contact form on your website. Under GDPR it’s essential that you consider what grounds you have for processing that data.
There are six grounds, but I feel as though only four would be applicable to you as a health and fitness professional. These are:
- Contract – processing information due to a contract being formed or the potential of one being formed
- Legal Obligation – processing information necessary to comply with a current law
- Legitimate Interests – processing information is necessary for your legitimate interests or that of a third party
- Consent – where it is freely given for processing in line with a specific purpose and consent for the processing can be withdrawn at any time
The other two grounds are generally used by governing bodies and aren’t really necessary for a health and fitness professional.
Let’s Take An Example
Let’s say a prospect contacts you through your website.
Once their data is submitted you begin processing it (you might not think of it as “processing”, but under the law any use, storage or transfer is classed as processing).
Your legal grounds for processing that information would be contract (or the potential of a contract). When the individual completed the form they expected you to call them back, text them or email them.
Once they become a client you can retain and store their information under contract.
There is one important point here about health and medical information (like what’s on a PAR-Q). This information is covered in the law as sensitive data and requires extra thought on your legal grounds for processing and retention. We’ll talk about sensitive data later.
If you email the client a newsletter or send them other communications about products/services closely related to what you provide them then, in general, you could rely on Legitimate Interests to send them emails.
However, in order to rely on Legitimate Interests you will need to complete an assessment and retain this in your records (one is contained in the GDPR Pack I’ve linked to).
Keep in mind that any communications with your clients in this way would need to conform to the PECR (the Privacy and Electronic Communications Regulations) too.
Once the client ends their contract this changes things slightly.
You can store the data about their contract, and anything that forms the contract, for seven years after the termination of the contract. This is under the Limitation Act (should someone want to sue you for breach of contract, you need to retain adequate information to defend a claim).
Also, you would keep any payment information because you have a legal obligation to do so for HMRC and similar bodies.
When it comes to marketing to those ex-clients that is something that can become complicated. In my opinion, you should ask for their consent to continue to send them your monthly newsletter and/or other marketing information.
Sensitive Data
This is an important one for fitness and health professionals.
It doesn’t matter if you’re fitness focused (like a personal trainer or exercise coach) or health and medically focused (Osteopath, Chiropractor, Physiotherapist or C.H.E.K Practitioner), you’ll be dealing with health information.
Health and medical data is covered in sensitive data in GDPR and requires further consideration and protection.
If you ask an individual to complete a PAR-Q or any other form about their medical and health data then this applies to you and you need to comply.
In order to process these data (which includes any “use” or “storage”) you need a legal ground.
There are three grounds to think about, plus consent as a fallback:
- Considered a health professional under law – if you’re a Chiropractor or Osteopath under their relevant acts then you can process the information without further grounds
- Part of a governing body – if you’re part of a governing body (most physios are; most PTs aren’t) then your body usually requires confidentiality and retention of data, so that’s your legal basis
- The data is crucial to service delivery – now we’re getting into complicated territory. You need to be assured that the health data is crucial to your service being delivered and that you wouldn’t be able to deliver the service without it. If the first two aren’t applicable then this potentially might be (this is also the ground that some clients of Strength Marketing rely on)
- Consent – the regulations state that all sensitive data requires explicit consent, which means a form (whether physical or online) needs to capture explicit consent for processing. If you don’t fall into the above categories (some personal trainers and gyms will not) then you’ll require explicit consent (a copy of this form is in the GDPR Pack I refer to at the end of this article).
Consent
You may see consent used quite a lot in the many different guides out there and when you talk to other business owners. It’s generally used when someone signs up for marketing from you, and lots of people default to consent when they’re unable to justify any other legal ground for processing information.
It’s used by businesses who don’t actually understand the GDPR laws (the Data Protection Act 2018 in the UK) and are using consent because they don’t know anything else.
The main thing about consent is that it must be freely given (so no pre-ticked/checked boxes) for the specific purpose you’re asking consent for. So, that means lots of tick/check boxes if you’re asking for multiple areas of consent; that’s a bit of an administration nightmare if you ask me.
And, that consent can be withdrawn at any time. See why it might not be the best legal grounds to rely on outside of marketing data?
How long should you hold on to personal data?
This, alongside data security that is discussed below, is a big deal in GDPR.
The regulations state that personal data should only be retained for as long as is “reasonable” or if you have a legal ground for processing.
This means you could keep all client data for 7 years after they’ve left for contractual reasons (just in case someone sues you; statute of limitations), but you would need a contract in place for that to be seen as sound.
If the individual is a prospect who has never bought anything from you then you can sensibly assume that their data should be deleted in a reasonable amount of time after they’ve become inactive or opted out. What is considered reasonable is pretty much a guess, but keeping that for more than one year I would believe is disproportionate.
Third-Party Providers (Processors)
This covers any providers you use (known as processors) to store, use or otherwise process any data.
If you use such providers then you need to check that the company is GDPR compliant. If you hold or transfer any data outside of the EEA (European Economic Area) then there are usually further restrictions or safeguards you need to put in place.
If you’re saying to yourself that you don’t transfer any data outside the EU, but you use a large multinational provider, then you might be doing so without knowing. So, an investigation is needed.
Here’s a quick run down of what you could do:
- Make a list of all providers you use and their locations (and what data is stored)
- See whether they’re located inside the EEA (if they are then they’ll most likely be GDPR compliant)
- Not in the EEA? The EU has stated that 12 countries have adequate privacy protection
- US? They’ll need to be in the EU/US privacy shield
- US but not in the privacy shield? Then you’ll require contractual clauses (known as model clauses)
All of the above does seem complicated, but it isn’t. All of the checklists and documents you need are in the GDPR pack I recommend.
Data Security
This is a key aspect of the GDPR: personal data should be kept secure and confidential, and it is your responsibility as data controller to ensure that provisions are in place, such as:
- Adequate anti-virus, malware protection and a firewall on your computer (and yes, for Mac users too)
- Employees and contractors are trained
- Passwords on devices are secure
- Passwords to accounts are hard to guess or hack
- Messaging with clients takes place in a secure environment
- 2FA (two factor authentication) is used wherever possible
Business Website and Online
You should ensure that your website is adequately protected from online threats and that any data stored there (orders, contact form submissions and the like) is protected too.
Also, if anyone else outside of your company/organisation has access then they should be signing a processor agreement (with contractual clauses if needed) in order to gain access or update things.
Analytics, cookies (how websites remember you) and any advertising/re-targeting aspects should also be GDPR compliant.
Other Considerations
There are lots of other things included under GDPR that you should consider as a health and fitness professional:
- Subject Access Requests
- Photos and videos of people
- Refer-a-friend information
- Right to be forgotten/ right to erasure
Where To Get More Information
This article is just a brief overview of what you should be thinking about with the data protection laws.
If you want more information, help and guidance then you should buy Suzanne Dibble’s GDPR pack. She is a data protection lawyer in the UK and has a lot of sensible advice about preparing for GDPR and your responsibilities.
You can reach out to me and the team at Strength Marketing.