GDPR: General Data Protection Regulation
GDPR Basics

GDPR 101

You’ve qualified as a Barre instructor and you’re looking to start your business, build your website and develop your client list. People keep talking about this awful-sounding compliance law called GDPR, and you’re wondering what it is and whether it applies to you.

In this post we’ll help you answer the following questions:

  1. What is GDPR and what do I need to know?

  2. Does GDPR apply to you? (Spoiler Alert: yes!)

  3. What do I have to do to run a GDPR compliant Barre business?

What is GDPR and what do I need to know?

The General Data Protection Regulation, known as GDPR, became enforceable across the EU on 25 May 2018. When the Brexit transition period ended on 31 December 2020 it was retained in UK law as the “UK GDPR”, so the same rules continue to apply in the UK.

The purpose of GDPR is to protect people’s rights and freedoms, in particular by controlling how their personal data is collected and used and by requiring the organisations that collect it to take appropriate steps to protect it. Looking after people’s data properly is simply the right thing to do, and it’s worth noting that the fines for non-compliance can be large: up to €20 million or 4% of annual worldwide turnover, whichever is higher (£17.5 million under the UK GDPR). Penalties are scaled to the size of the business and the seriousness of the breach, but any client can complain to the regulator, so the rules matter even for a one-person business.

There are four core GDPR terms to understand:

Controller (you): the person or organisation that decides why and how personal data is processed. Example: if you decide what data to collect from clients (e.g. name, email address) and what to do with it, you’re the controller, and most GDPR obligations fall on you.

Processor: a person or organisation that processes personal data on your behalf and on your instructions. Example: your email marketing provider such as MailChimp, or an analytics service such as Google Analytics. Using a processor doesn’t hand over your responsibility: you remain the controller, and GDPR (Article 28) requires a written contract with each processor. For mainstream services this is normally their standard data processing terms, which you accept when you sign up, so read them.

Data Subject (client): any identified or identifiable living individual whose personal data is collected, held or processed. For barre instructors the data subjects will usually be your clients and prospective clients.

Personal Data: any information relating to an identified or identifiable living individual, either on its own (name, email address, phone number, photo) or in combination with other data you hold (a client ID plus a booking history). Note that health information, such as injuries, pregnancy or medical conditions you ask about on an intake form, counts as “special category” data under Article 9 and needs an additional lawful basis, normally the client’s explicit consent. Collect it only when you genuinely need it and protect it accordingly.

Does GDPR apply to you?

Both the UK GDPR and the EU GDPR apply to any business established in their territory, and both also reach businesses outside it that offer goods or services to people located there (the test is where the person is, not their nationality). With the explosion of online fitness classes and subscriptions, that means the EU GDPR can apply to a UK instructor selling online classes to clients in the EU, and vice versa.

In short, yes! The regulations apply to all barre instructors who collect personal data from people in the UK or the EU, whether in the studio or online.

What do I have to do to run a GDPR compliant Barre business?

First things first, don’t be scared. Whilst there’s a lot of law to read, it boils down to following the data protection principles set out in Article 5, listed below. Underpinning them is the accountability principle: you must be able to show that you comply, which is what the practical steps in the next section are for.

  1. Lawfulness, Fairness and Transparency: You need a lawful basis for each use of the data (for running a client’s bookings and payments that is usually “contract”; for sending marketing it is usually consent), and you need to be clear with the client about why you’re asking for their data and what you’re going to do with it. A privacy notice is the best way to do this: provide it, or a link to it, at the point you collect any client data, whether that’s next to the submit button on a web form or printed on a paper sign-up sheet.

  2. Purpose Limitation: Only use the data for what you said you were going to use it for. If a client contacts you about Barre class times, don’t use their details to sell them t-shirts or water bottles unless you obtained marketing consent (for example a separate opt-in tick box) at the time they made the enquiry.

  3. Data Minimisation: Simply put, only ask for the data you need. If you don’t need to know the name of someone’s first school, don’t ask for it.

  4. Accuracy: You need to ensure all the data you hold is up to date and accurate. One way to achieve this is to ask clients to confirm that their details haven’t changed every 6 to 12 months, and to correct or delete records promptly when a client tells you something is wrong.

  5. Storage Limitation: Don’t keep client data longer than needed. This goes back to the purpose you collected it for: if you ran a competition and the competition is over, you no longer need the entrants’ data and should delete it. Writing down a retention period for each type of data (e.g. delete lapsed clients’ records after a set time) makes this much easier to keep to.

  6. Integrity and Confidentiality: Control who has access to the data and limit it to those who need it. Keep it safe: use strong, unique passwords and two-factor authentication on your computer and on your email and CRM accounts (such as MailChimp), keep devices encrypted and backed up, and store paper forms locked away. If data is lost, stolen or exposed, you must assess the risk to the people affected and, where there is a likely risk to them, report the breach to the regulator within 72 hours of becoming aware of it.

What steps do you need to take?

  1. Write a privacy notice and provide it when clients give you their data. Print a copy for paper forms, or link to it next to the form or tick box whenever you collect client data online. There is an example of an online resource listed below to help you make a start on this. The notice needs to be kept up to date, so review it periodically and whenever you start using data in a new way.

  2. If you want to market to prospective or current clients, you need their consent. The easiest way is a separate, unticked opt-in box when collecting their details and email address, asking whether they’d like to hear about new services and offers. Consent must be freely given and specific, so don’t bundle it with agreeing to your terms or pre-tick the box; keep a record of when and how each client consented; and make withdrawing consent as easy as giving it, with an unsubscribe link in every marketing email.

  3. Doing a data review on a regular basis will help keep everything in check. In the review, list what personal data you have, what it’s used for, where it’s stored (including spreadsheets, email inboxes, your phone and any third-party services) and who has access to it. You can then securely delete data you no longer need and fix any gaps in how the rest is protected. Keeping this list written down is also your evidence of accountability if the regulator ever asks.

  4. Register with the ICO: if you’re in the UK, any business that processes personal data needs to pay the ICO’s data protection fee unless an exemption applies. For most small businesses this is £40 a year (Tier 1, at the time of writing), with a £5 discount if you pay by direct debit, and the ICO website has a self-assessment tool to check whether you need to pay. The ICO is the UK regulator only; if you’re based in the EU, your national data protection authority is the one to deal with, and the EU GDPR itself has no equivalent registration fee.

What about Social Media for my Barre Business like Facebook and Instagram? The platforms are responsible for their own GDPR compliance for the data they collect, and how they use it is set out in their privacy policies and terms of use. That covers activity inside those platforms only: you are still responsible for what you post about clients (don’t publish names, photos or comments without permission), and you can’t take followers’ details from Facebook or Instagram and add them to your email marketing list without their consent.