May 25th 2018 saw the introduction of the new rules on Data Protection (GDPR) and now, over a year on, many martial arts instructors still aren’t compliant.
With fines of over 20 million Euros, the first question you need to ask is; does GDPR apply to me?
The short answer is YES.
If you operate within the EU or offer goods or services to customers or businesses in the EU and process personal data, then GDPR applies to you.
Think about that for a moment, even groups outside of the EU are affected.
But what is personal data?
Personal data is classed as any information which can be used, either directly or indirectly, to identify a person.
This can be anything from a name, photo, email address, bank details, medical info, computer IP address, cookies or even posts on social media and networking sites.
This has far reaching consequences for martial arts groups worldwide.
It’s not just the larger associations that need to consider GDPR compliance.
Small clubs and self-employed instructors are just as responsible for protecting the personal data of their customers.
Like every other part of your business, you need a plan.
Start by working out, who in your business is responsible for data protection.
If you are a larger organisation, you want to consider appointing a Data Protection Officer (DPO).
For the majority of small businesses, this isn’t a legal requirement.
Legally, you only need a DPO if handle lots of data. In the UK advice can be requested from the information commissioner office (ICO)
What areas of your business does GDPR affect?
Most people think that GDPR is an “IT department” issue and only applies if you do a lot of online marketing, sales or have a larger association,
That’s just not true.
Information Technology (IT) is part of daily life. I would be surprised to hear of any business not using a computer, laptop or mobile phone.
Therefore, GDPR has implications for your whole business.
While this might sound extreme, especially for smaller businesses or self-employed instructors, but understanding the two key areas below, will make compliance easier.
You need to collect information about students to successfully run your classes.
Medical details, emergency contact information and payment plans are all covered by GDPR.
You need to plan how you will collect, store and share this information.
How you control access is very important and should be restricted.
Even paper copies of information, will need to be securely stored
You also need a plan for how staff share information.
Yes share, there are times when you need to share information between staff and possibly people outside of your business,
Certain third parties, like the police and your insurance company, have the legal right to request information.
Marketing is arguably the biggest area impacted by GDPR.
The most important thing to remember, is that you’re not allowed to contact prospects or even reach out to your existing customers unless they’ve given you permission to do so.
It is good practice to get permission renewed annually.
if you’re sending out emails or text alerts, then everyone on your list needs to have given clear consent to receive them.
GDPR rules state that subscribers need to express their consent, In a freely given, specific, informed, and unambiguous way, which is reinforced by a clear affirmative action.
Gone are the days of automatically subscribing someone to your list or assuming they want to receive marketing communications from you simply because they’ve dealt with you in the past.
They need to opt-in.
The best way to prove consent is through an opt-in form.
This is where you ask students or customers to give their permission to store and use their personal data.
As i’ve said above, it must be asked for in a clear, unambiguous way and you need to tell them what you will be using their information for.
Any opt-in options must not be pre-ticked, the customer must actively and expressly give consent by ticking the box themselves.
While double opt-in isn’t compulsory under GDPR, it’s a good way to gain permission as it gives customers a second chance to refuse.
Double opt-ins are usually when someone is signing up to your email list and they receive an email they need to click on to confirm their subscription.
Until the person has clicked on the confirmation button, they won’t be added to your email database.
If you would like help on compliance or the issues raised by GDPR please get in touch, by emailing firstname.lastname@example.org