Welcome to the OneFitStop guide to GDPR. The team at OneFitStop is committed to your success and we want to make it as easy as possible for your fitness business to understand some of the key GDPR requirements and the impact on the fitness industry.
This guide takes you through the key terms and summarises your obligations so that you can begin to prepare for GDPR. It is a guideline, not legal advice. We strongly recommend that you seek legal counsel to ensure compliance: GDPR is not something you should ignore, but it is also not something to be afraid of.
What is GDPR?
GDPR stands for the General Data Protection Regulation and it applies from 25 May 2018 to any organisation that processes the personal data of people in the EU, wherever that organisation is based. The aim of GDPR is to protect individuals' personal data by placing stricter requirements on businesses that collect, store and use it. The fines for breaching the regulation are significant: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
What is the direct impact for my fitness facility and business?
As a fitness facility and business owner, you fall under the category of a 'data controller' within GDPR. Whether you keep manual files offline, store data on your own computer, or store it in OneFitStop, it is your responsibility to ensure that data is handled in compliance with the regulation.
You will need to review the member data you collect and how you use it. GDPR does not prohibit you from collecting such information, but it requires a lawful basis for each use and sets out the actions you must take, and when, to remain compliant.
What is new in GDPR?
Client rights – clients and members now have greater control over their data. They must be given easy ways to opt out of communications, to see what data you hold about them, and to have that data deleted on request. As mentioned above, this covers all data, both what is stored online in membership management or marketing systems and what is held in offline systems.
Accountability – fitness facility and business owners are responsible for demonstrating compliance with data protection rules. For data storage and processing this means documented policies and procedures.
A duty to report breaches – when there is a serious data breach, the data controller must notify the national supervisory authority, generally within 72 hours of becoming aware of it, and must also inform the affected individuals where the breach is likely to put them at high risk. It is highly recommended that you implement a data breach notification procedure so that you and all staff know the steps to follow should such a breach occur.
How do I prepare for GDPR compliance?
Preparation is extremely important, just as it is for a good training session or workout. We recommend seeking legal counsel on GDPR; however, here are two core areas you should consider:
Determine what personal data you hold
Your business holds data across several categories with different data sets. These categories may relate to employees, clients or prospects. Within each category, it is critical to identify every item of data you collect and to understand the duties you have in order to ensure compliance.
The processes you implement may vary greatly, but you will need to consider scenarios such as how long you retain data and what to do with records older than a set age, what the specific purpose of storing each item is, and whether you hold the correct consent for it.
Review how you store personal data
15 years ago, data was recorded and stored with pen and paper. Today, data is spread across many offline and online systems. It is critical that you review every technical system in which your client data is stored to ensure it supports your GDPR obligations. For example, a cloud-based membership management application such as OneFitStop acts as the data processor and provides you, the data controller, with the tools and options you need to carry out those obligations.
It is critical to remember that with all third-party software systems, the primary responsibility under GDPR remains with the data controller.
What are the key steps I can take to get GDPR ready?
- To ensure that your members have consented to you storing and processing their data, review all your documentation, including waivers and membership contracts.
- Set 25 May 2018 as your deadline to make sure all the processes and procedures for handling data are in place. You do not want to receive a fine for failing to comply with GDPR.
- Ensure that all of your staff members are trained in GDPR procedures and understand all the new policies you have in place.
- Have policies in place for deletion of data when members leave your business or if they ask for their personal data to be fully deleted from your records.
- Create procedures for how you handle and report a data breach and understand your obligations to any members whose personal data has been compromised.
Marketing to Customers
One of the most important aspects to address under GDPR is the consent a person gives for the use of the data they share. Under GDPR, processing data to market your own services directly to your customers is regarded as a legitimate use of their data, but you must give them an easy way to opt out of such communications. If you have no direct record of the opt-in status of members, clients or prospects, it is worth asking them again for permission to use their data in this way. If that consent is not forthcoming, you should no longer send them any form of marketing communication.
The road to GDPR compliance may seem daunting, or a heavy burden on existing business practices. Unlike many other common business procedures, the changes that GDPR brings must be accepted by all stakeholders and staff members to ensure compliance and avoid the significant penalties that may follow.
Take a proactive and positive approach to GDPR and it will also make you spend the necessary time to really understand how you interact with clients and prospects and how you store their key information.