Welcome to the Glofox Guide to GDPR for gym management and studios. We created this guide because we know that there is a lot of confusion and concern out there about GDPR and its impact on the fitness industry. Don’t worry, GDPR is not something to be afraid of but it is definitely something you should not ignore.
In this guide you will find explanations of all the key terms, a summary of your obligations and some pointers on how to prepare for GDPR and what steps you should take to be GDPR ready.
What is GDPR?
GDPR stands for the General Data Protection Regulation and it comes into effect for all businesses on 25 May 2018. GDPR is an EU regulation which aims to improve the protection of EU citizens’ personal data by imposing stricter measures on businesses that handle and store personal data and imposing hefty fines on businesses that are found to be in breach of the regulation.
Are these obligations new for gym and studio owners?
No, as a gym or studio owner, you already have data protection obligations under existing legislation due to the fact that you are a data controller. A data controller is the individual or company who controls and is responsible for the keeping and use of personal information on computers or in structured manual files.
As a gym or studio owner you are entitled to store, process and use your members’ personal data in order to run your business. However, you have an obligation to ensure that the manner in which you store and process personal data complies with GDPR.
What is new in GDPR?
- More rights for Members– it is now easier for Members to exercise their rights and have greater control over their data. Members can request to have all data you store on them deleted and must be provided with a way to easily opt out of marketing communications.
- Privacy by design – data protection safeguards must be built into products and services from the outset and apply by default.
- Accountability – gym and studio owners are responsible for demonstrating compliance with data protection rules. You must have recorded policy and procedures in relation to data stoarge and processing activities.
- A duty to report breaches – you have an obligation to notify national supervisory authorities and impacted individuals of serious data breaches.
- Increased fines – gyms and studios breaching data protection rules can face huge fines of up to 4% of annual turnover.
What should I do to prepare?
Similar to a good training session or workout, preparation is key. In order to prepare for GDPR there are three main areas that you should consider:
Determine what personal data you hold
As a business owner and an employer, you may hold personal data related to your employees, your customers and your prospects. It is important that you can categorise all this data to determine what obligations you have in relation to each category. You should also consider whether you need to retain all this data. For example, do you need to store data from prospects from five years ago?
The most important question to ask is whether the person has consented to you using the data for the specific purpose? For example, as a Member I probably consent for you to use my data to contact me about new classes or membership offers but not to give my information to other businesses to market to me.
Image Credit: Abhishek Srivastava
Review the manner in which you store the Data
In the past, all data would have been stored in manual records and on paper etc. Nowadays like most modern businesses, gyms and studios rely on cloud based applications like Glofox to store data. It is therefore important that you ensure that any third party that processes data on your behalf is GDPR compliant.
While you may use a tool like Glofox to assist you with data management, it is important to remember that under the GDPR the primary obligation remains with you the controller. If for example, a member of your staff accessed your system and extracted your members personal data and shared it, you are responsible for that breach.
Review your processes and procedures around data collection and storage
Under the GDPR it is crucial that you can demonstrate that your business has processes and procedures in place that are adhered to when it comes to data storage.
What are the key steps I can take to get GDPR ready?
- Review all your documentation including waivers and membership contracts to ensure that your Members have consented to you storing and processing data. Be clear what exactly you do with the Member data and the purpose of the storage, the more transparent the better.
- If you do not already have processes and procedures in place for handling data, it is very important that you create them in advance of the 25 May deadline. You do not want to receive a fine for failure to comply with the GDPR.
- Train your staff on the GDPR and make sure that they know what policies and procedures you have in place and how it impacts their role day to day.
- Have policies in place for deletion of data when Members leave your business or if they ask for their personal data to be fully deleted from your records.
- Create procedures for how you handle and report a data breach and understand your obligations to any members whose personal data has been compromised.
How does GDPR affect my marketing plan?
GDPR rules relating to data and consent also apply to direct electronic marketing communications. Rules around electronic marketing communications are also found in the ePrivacy Directive and the new ePrivacy Regulation due later this year or next year.
Marketing to Customers
Under GDPR, the most important aspect in respect of any use of data is the consent of the person to whom the data relates. Under GDPR processing data to directly market your services to your customers is regarded as a legitimate use of their data but you must provide them with the ability to opt out of such communications. You should ensure that your members can easily opt out of any marketing communications that you send to them.
Marketing to Leads / Prospects
When it comes to leads and prospects, you must receive explicit consent in order to send emails or texts to each email or mobile account holder.
When receiving consent, it must be very clear what the person is “opting in” to and it must be a positive action. You cannot pre-check the opt in box for them.
The big issue for businesses is that this obligation to ensure consent also applies retrospectively to the names in your current database or marketing lists. If you can’t demonstrate that the prospects on your marketing list explicitly “opted in” then you will need to contact them prior to the May 25th deadline to gain their consent. If that consent is not forthcoming, you should no longer send them any form of marketing communication.
While GDPR seems very daunting and looks like it will add a heavy burden on businesses, in reality, a lot of the requirements are common sense and good business practice.
Rather than looking at it as a chore, look at GDPR as an opportunity to clean up your database, improve your processes and to ensure that you only store the minimum amount of data required on your Members.
Whatever you do, don’t leave it until midnight on 24 May, start today…
Up Next: 3 pieces of advice for new crossfit gyms