While relevant to a wide variety of industries, the GDPR is especially important for those in the fitness industry because of the sensitive nature of the information collected.
The GDPR comes into force on the 25th of May this year, and it is going to be the strictest privacy law in the world. Its aim is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. If you are based in the EU or UK, or have any members or clients in the EU or UK, then this law applies to you. There is a great deal of information available online, along with confusing terminology. We’ve broken it down so that you know what you need to do as a gym owner to comply with the incoming GDPR rules.
Terminology
As a gym, you are a “data controller”, as you collect and control the information of your members. As the company that processes your members’ information on your behalf, we are the “data processor”. Each of us has distinct obligations under the new law.
A Simple Checklist for Gym Owners
We’ve drawn up a simple checklist of things that you can start doing now to make sure that you will be ready for when the law comes into effect from May 25th.
1. Do an Audit of How You Collect and Store Data
It’s essential to be able to prove that you are complying with the GDPR. By doing a comprehensive audit & creating a document of how your business collects, stores and processes data, you’ll have a resource for anyone enquiring into whether you are compliant. Answer these questions and put them into a GDPR summary document:
- What personal data do you have?
- Where is it sent?*
- Where is it stored?*
- How is it processed?*
- What do you tell people about how it’s processed?
- How do you collect it?
*You can contact our Data Officer if you need help answering these questions.
2. Explicit Consent
Current members
You are required to contact your current membership database to obtain their explicit permission to receive marketing/promotional content from you. It is a good idea to do this as soon as possible, as you may need to contact them multiple times in order to obtain their permission. From May 25th this year, you will no longer be able to contact them without explicit consent. As of our next release, GymMaster will help you facilitate this by requiring members to double opt-in to receive non-essential emails, which requires the member to provide and then confirm their email address.
New members
Ensure that all new members explicitly give permission for you to send promotional material when they sign up with your facility. This could be as simple as sending them an email which requires them to click a link, thereby authorizing you to send them promotional material. Simply having a checkbox for them to tick is no longer enough. Your members must also be able to withdraw their consent for marketing material with ease. It’s important to note that although promotional communication will occur through your data processor, the responsibility falls on you, the data controller, to ensure that explicit consent is given by the individuals.
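As an added illustration (not GymMaster’s own code), here is a minimal double opt-in consent flow in Python: a single-use confirmation token goes out by email, consent is recorded only when the link is followed, the stored record is the proof that consent was given, and withdrawal is a single call. The in-memory stores, the 48-hour token lifetime and the record field names are assumptions for the example.

```python
import hashlib
import secrets

# Constructed in-memory stores standing in for the membership database (assumption).
PENDING = {}   # sha256(token) -> (email, expires_at) for unconfirmed requests
CONSENT = {}   # email -> consent record, the evidence that consent was given

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def request_consent(email: str, now: float, ttl_seconds: int = 48 * 3600) -> str:
    """Issue a single-use confirmation token to embed in the emailed link.
    Only its hash is stored, so a copied database does not yield working links."""
    token = secrets.token_urlsafe(32)
    PENDING[_hash(token)] = (email, now + ttl_seconds)
    return token

def confirm_consent(token: str, now: float, purpose: str = "marketing") -> bool:
    """Called when the member clicks the link. Records consent together with
    the details needed to prove it later (when, for what, by which method)."""
    entry = PENDING.pop(_hash(token), None)   # single use: removed on any attempt
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:                      # stale link: no consent recorded
        return False
    CONSENT[email] = {"purpose": purpose, "given_at": now, "method": "double opt-in"}
    return True

def withdraw_consent(email: str, now: float) -> bool:
    """Withdrawal is one call. The record is kept, marked withdrawn, so the
    business can still show what consent it held and when it ended."""
    rec = CONSENT.get(email)
    if rec is None or "withdrawn_at" in rec:
        return False
    rec["withdrawn_at"] = now
    return True

def may_send_marketing(email: str) -> bool:
    """Send only while a confirmed and unwithdrawn consent record exists."""
    rec = CONSENT.get(email)
    return rec is not None and "withdrawn_at" not in rec
```

Timestamps are plain epoch seconds so the flow can be exercised without a clock; in a real system `now` would come from the server clock and the stores from the database.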
3. Make Your Terms & Conditions Crystal Clear
Your terms and conditions must be painstakingly clear and easy for your members to read, so they know where their data is kept, whether any third parties receive it (i.e. your payment provider and software company), and how they can obtain a copy of their personal information. The purpose of this is to eliminate complicated contracts designed to confuse users into consenting to the sale of their data to third parties, which will now be against the law.
4. 72 Hour Breach Notification
If there is a data breach of your members’ information, it is your responsibility to notify your members within 72 hours of the breach. We, as the data processor, will inform you with enough time for you to be able to notify your members within the required timeframe.
5. The Right to Access
This clause is about data transparency. Your members have the right to obtain confirmation as to whether personal data concerning them is being processed, where, and for what purpose. You must also be prepared to provide them with a copy of their personal data, free of charge, in an electronic format. GymMaster is currently working to provide this feature in time for May.
6. The Right to be Forgotten
Your members have the right to be forgotten. This means that they can request that their information be deleted, that circulation of their data is ceased, and potentially have third parties halting the processing of their data. This can happen under one of these conditions: once the data is no longer relevant to its original purpose, or when a member simply withdraws their consent.
7. Data Portability
The GDPR states that your member may be able to obtain the personal data concerning them in a ‘commonly used and machine readable format’, with the right to be able to transmit that data to another controller, such as another gym.
8. Make Sure your Third Parties are Compliant
Think about every single business that you share your members’ information with and make sure that they are compliant with the GDPR.
Summary
Hirola posted a great summary of rules that your website and data collection must comply with:
Opt-in Only
All contacts must provide consent to be contacted. The sender (your business) must be able to prove they have consent.
No soft opt-in
Implied consent is no longer enough. Make sure users are ticking a box to something they can understand when you collect their data.
Right to be forgotten
Anyone on your contacts list has the right to have all their data deleted for free at any time.
If you have any queries about what GymMaster is doing to ensure compliance with the GDPR, or any related questions, you can contact our Data Officer.