The General Data Protection Regulation or GDPR takes effect on May 25, 2018. By now you would have received a TON of emails in your inbox regarding the new regulations and at times like this it’s often confusing what EXACTLY you should be doing (if anything). So, here’s what you need to know regarding the new laws and your health and fitness business.
What exactly is GDPR?
The EU General Data Protection Regulation or GDPR is a new regulation out of the European Union designed to increase the protection surrounding the processing of the personal data of subjects in the European Union. The GDPR laws come into effect on May 25, 2018. Now, you might be thinking – who cares? My business is not in Europe – so does this really apply to me? The answer is yes.
The laws apply to any organisation processing personal data in the European Union (not you if you’re an Australian based company) OR any organisation that processes the personal information of EU subjects regardless of whether you conduct business in the EU or not.
Basically if you collect, store, manage or analyse data of any type (including emails), it’s likely that you’ll be affected by GDPR.
What’s Changed?
Specifically GDPR covers three explicit things: Consent, Individual Rights & Data Processing.
GDPR institutes much higher standards of consent for our users. Consent for you to collect personal data from customers must be both informed and explicit. Basically what this means is that when you collect data from customers (especially on your website), customers MUST consent to you collecting that data – either through a checkbox or by clicking a link in a confirmation email (we sometimes call this a double opt-in).
GDPR also expands the rights of an individual in relation to their personal data. Several rights have come into play including: The right of access to their data, the right to rectification (if their data is wrong), the right to be forgotten (if an individual withdraws consent), and the right to object.
The laws outline a variety of requirements around the processing of personal data, specifically around controllers and processors. If you use a third party platform to process and store data, that platform is a processor and you are the controller of that data. Controllers must have clearly documented contracts with processors that define the scope of processing. If you are using ActiveCampaign as your CRM – you can request their DPA form to comply with this. Other email marketing providers may have a similar process – you should speak to your email marketing provider for more information.
What Do I Need To Do?
Firstly, you should update your Privacy Policy to comply with the new laws. There are plenty of online services that can help you build a sufficient privacy policy – or better yet – seek out a legal professional to help you with this. You absolutely should have your Privacy Policy on a page on your website (this is compulsory if you are doing any kind of advertising on Google or Facebook).
Some good GDPR Privacy Policy templates can be found at termsfeed.com, itgovernance.co.uk, and smartinsights.com.
Secondly, you should email your database with a new link to your privacy policy – just to let them know that you are complying with the new laws.
Thirdly, if you use a third party platform to process personal data (like a CRM or email marketing software), you should speak to them about signing a DPA (Data Processing Agreement) as this is part of the new law. If you use ActiveCampaign you can request one here.
For more information regarding the GDPR laws go here.
Disclaimer: The content of this post does not constitute legal advice. The page is provided for information purposes only. For further information regarding how your specific business needs to comply with the GDPR policies you should seek the counsel of a legal professional.