
GDPR - Things To Know

This regulation comes into effect on 25th May, 2018.
 

GDPR – General Data Protection Regulation

by Graeme Lunn. See the follow-up article here.

Introduction

On 25th May, 2018 the European Union will bring into law the General Data Protection Regulation (GDPR). This regulation sets out to better safeguard personal data that is collected, processed or stored by third parties.

In many cases the third party will be you

This article sets out to highlight the basics and what I think you need to know. It’s a bare minimum and of course you should do your own research and you may in fact want to get your own external advice. I’m by no means legally trained or trained in GDPR, this is just my reading of the regulation and how I think it’s supposed to be used.

Quick Links

  1. What I need to know – before starting
  2. What I need to know – data collection
  3. What I need to know – processing data
  4. What I need to know – what I can be asked

Disclaimer: I’m no legal expert and I’ve had no formal GDPR training or certification. I have taken the time to read through the 80+ pages of GDPR and made multiple pages of notes which I’m summarising for you here. Do your own research and homework and seek professional advice on GDPR where appropriate.

Questions to ask yourself before going further

To see if GDPR applies to you:

  1. Am I running a website that people may contact to ask me questions about classes, my teachers, events, workshops, retreats, visiting teachers, teacher training?
  2. Am I collecting personal information (e.g. an email address) either on the website or at any of the above, electronically or on paper?
  3. Am I using that information to send emails, newsletters or marketing (to advertise events or classes)?

If you answer ‘Yes!’ to any of the above then GDPR applies to you. There are others too (for example, do you have employees that you keep employee records on?) but the above 3 are more specific to Yoga Teachers / Schools as they cover pretty much all the activities one of these would be doing, and I know some studios have teachers on a pretty much ad hoc basis. Remember, GDPR is there to protect a single student’s information, so it applies to a 1-2-1 as well as to a multi-national corporation that holds records on thousands of customers.

A bit about myself

For those of you who don’t know me, I’m the one behind the scenes here putting all of Julie, Sue and Marit’s work online for you! Those of you who did the SYTT Training will know me from the supporting website there too (SYTTOnline.com). Something you might not know, however, is that I was on the same Yoga Teacher training with Marit and Sue and, although I don’t hold a Seasonal Yoga certificate, I do have my 200hr with the predecessor (Chi Yoga School) and another with John Scott that I completed recently (I look after John’s website now too). I’ve been working in IT for almost 35 years and spent around 4 years of that working in EMV compliance (EuroPay, Mastercard, Visa) for chip card transactions for one of the UK’s largest retailers. So I do have a crossover between my yoga and IT knowledge here, as GDPR is mostly compliance related and this article is specifically looking at GDPR from a Yoga School/Teacher’s perspective. As I said to Julie recently, “If I can’t understand what GDPR’s all about there’s a lot of people who are going to struggle with it for sure”. So hopefully what I’ve laid out below will mean you don’t have to struggle with GDPR as much.

Some Scenarios

Before introducing the details of GDPR, see whether you can spot the difficulties in each of the following fictitious scenarios. You’ll find my views, from my understanding of GDPR, following the last one.

  1. A yoga teacher takes a class register at the beginning of class, asking anyone new to class for their contact details and any existing injuries, and asks them to sign a PAR-Q class waiver before they join the class. The form also asks some basic medical history which the student completes before signing and dating at the bottom. The teacher then stores the forms in a box at home. The teacher is going on holiday and the sub teacher is asking if there’s anything they should know about the students in the class they’re going to cover. The teacher is also considering sending out an email to let everyone know they’re away on holiday and to introduce the sub teacher. There’s also some new mat bags that might make a good offer in the email.
  2. A family are celebrating their daughter’s birthday and the catering company they are using have asked about dietary requirements for the food that they’re being asked to prepare. The family want to send out a party invite via email and ask if their daughter’s friends have any specific requirements. One family replies that their son has a very strong peanut allergy and the hosts are now thinking, as the caterer has said their equipment also processes nut based ingredients, that it might be best not to invite this boy. The next door neighbour’s son is also having a birthday soon and his mother has asked if she could borrow the invite list as their children share many of the same friends.
  3. A family run luxury car company has an email contact list of over 1,000 buyers who have their sports cars serviced with them. One brand of car had to be recalled some years back and some of the letters were returned with forwarding addresses, but it appears these updates haven’t been applied to the contact database. The car company has recently been acquired by a much larger country-wide dealership which also has a similar database, and they’re planning on combining the two together and sending the entire list a welcome email to invite everyone, including the luxury brand owners, to an open day.
  4. A centre is thinking of running a new program to reach a minority group that they know are in the area. On the questionnaire they want to find the interests, age and background of the local inhabitants so they can determine whether their idea might have value in the area or not. They’re planning on using a market research company to carry out the survey. A majority of the local inhabitants are already members and they’re hoping to combine the new information with the data they hold on their paper-based system. Eventually they’re hoping to store the details electronically.
  5. A website has a low profile and the owner has been advised that they need to have their site ‘on the first page of Google’ to drive traffic to the site. The owner is thinking about using a third party site that offers to contact their database of thousands of contacts with email shots. They’ve also seen there’s an email subscription company that will provide a source of traffic provided they can have a link placed on the website from where they can collect details from interested people. They’re also considering using analytics to see if the website traffic actually improves following the email shots.
  6. The local health centre where you are a member has been broken into and the computer that has the staff details and membership records has been stolen. You read about the theft in the local newspaper the following week. The centre manager is very apologetic and says that the centre is doing everything to ensure that the centre is better secured and will have security CCTV cameras fitted to the building. The computer was recovered by the police in the back of a stolen car, though the graphics card and internal storage had been removed and couldn’t be found. The newspaper article revealed that the data on the device wasn’t encrypted. Your partner wants to know if your data was on there.
So some of the above is a little contrived but the idea is to make you think a little more deeply about information and how it might be collected and used.  Before I go over my take on the above here’s some basic principles about GDPR as an introduction…

Five Key Principles

GDPR has five key principles with regard to the collection, storing and processing of personal data:-

Data Minimisation, Accuracy, Storage Limitation, Integrity and Confidentiality, Accountability

  • Data Minimisation

The data you ask for should only be relevant to what you need it for

  • Accuracy

If data changes and you’re told about it you need to update your records

  • Storage Limitation

You can keep data only as long as it’s necessary to process it, unless there are local laws that require you to keep your data for longer

  • Integrity and Confidentiality

Any processing must be of a lawful nature and you must protect against accidental loss, destruction or damage

  • Accountability

Essentially this means that you need to be able to show that you have processes in place that adhere to the four principles above

So what do you think of the above scenarios? Can you see where there might be some issues with what’s going on in each? Let’s take another look at the scenarios to see what GDPR might be interested in and some questions you might ask. Here are the notes I made on each:

  1. So there are a couple of things in this scenario. What is the collected data being used for? What level of detail do the injury questions go to on the form? Is it asking for dates, diagnoses? Does the form ask for a date of birth? For all of these sorts of questions you would need to be prepared to show what’s called “Legitimate Interest”, i.e. that your business really needs the data to do what it does. Don’t worry about this too much; it’ll come up again later on. As for the form, where is it being held and is it being held securely? Essentially you have to protect anyone’s personal data, so for paper this would mean protecting it against fire! Sharing information is allowed as long as this is detailed on the form itself (so the students know you could be doing this). There’s a thing called ‘Bundled Consent’ that now requires you to effectively tell someone whose data you are collecting about each individual process you are planning to use their data for, and you need to state that at the time of collection. This also means you have to work out what your legitimate interest in each piece of information is. So, reading through this scenario, I’d expect the form in this case to allow opt-ins for: sharing data with a sub-teacher; sharing medical information with a sub-teacher; using the contact details for email marketing; as well as details on how the data is securely stored and how the medical information is to be used (i.e. that it might prevent a new student from joining the class).
  2. The point of this scenario is to get you thinking about whether you’re going to collect data on children. According to GDPR an adult is ’16 or over’ and there are very specific rules to protect children when their data is collected. If you’re working with children at all you may already be aware of the stricter requirements, but I do highly recommend you seek external help with the legal aspects if you are. The other thing here is asking for any health related information. Basically you can’t do it unless you’re showing Legitimate Interest in the data. I think it’s pretty much a given that if you’re running a Pregnancy Yoga class you might want to ask when the baby is due to determine the level of activity appropriate for the student in your class. It’s a safety issue after all. Asking about a peanut allergy I suspect is ok too, but the point about excluding the boy with this allergy is something you need to think carefully about. GDPR sets out specific rules on any decision making based on data someone gives if it’s going to impact them negatively, but again, as long as you’re telling people that having a certain condition might result in them being excluded you should be ok. I’ve seen plenty of class waivers that ask if you have a heart condition and state that entry to a class might be prevented if you do. The point here is to be transparent. This is also highlighted by the mother from next door who would like access to the list. If you’ve not specifically mentioned this then your “appropriate level of risk” will determine whether to share the data or not. I think where friends are concerned, who usually share lots of information anyway, there’s a good case that “Implied Consent” would cover your actions. Again this is down to what level of risk you’re prepared to put yourself at by any of your actions.
  3. Another data sharing scenario, but in this case GDPR simply states that, yes, you can do this, but at the earliest opportunity the acquiring company should reach out to anyone whose data they’ve just acquired to tell them the data has been passed to them and also, if they’re doing things right, ask if it’s ok to continue storing and processing it. They may have their own privacy notice that really would imply that the newly acquired customers should re-consent to any processing. Under GDPR you have to be careful about what processing has been granted for. If I grant you permission to hold my phone number so you can call me to let me know my car service is finished and I can come and pick up my car, I wouldn’t expect the larger dealership to call me to say there’s a new offer on their specific range of cars, as to me these are two different services. At the point where I hand over my details there should be two opt-ins, one for each service. This is “bundled consent” again!
  4. Will the class they are hoping to run be open to all or just the minority group? You have to be very careful when asking questions that specifically identify someone’s ethnicity, their political views or religious beliefs, and any details concerning health and sexual orientation. These are called “Special Categories”. You can still ask for this sort of information as long as you can show you have a “Legitimate Interest” in the information and it’s necessary for the processing you do. See the ICO’s 3 Part Test below. I see some sites now are also asking for my age to ensure that I’m old enough to access their site (pinterest.com is one) when in effect all they need to know is that I’m old enough, not my specific age.
  5. For any website there should be a Terms and Conditions page and a Privacy Notice that detail what data is collected (given or tracked) and what it is going to be used for. I think it’s ok to tell people you’re going to use an analytics package to help improve the features and content on your site. I’d consider that a legitimate interest in trying to work out the return on the effort I’ve put in to add a new feature against whether people are actually using the feature or not. The email subscription service is, I suspect, a pretty common thing. Just make sure the service you’re using is also GDPR compliant. There’s the question here about who the data processor is. If you simply embed a form on your website but all the data entered goes straight to the email service then they’re the data processor (they have all the data). If by entering an email address you also create a user account on your site then you’re the data processor (of that piece of data) too. Be careful if you consider changing your email service provider, as you have to ensure that the data is secure and safe while it’s in transit.
  6. GDPR specifically requires any ‘data breach’ to be reported within 72 hours. That sounds like a good length of time, but remember that if a breach happens on a Friday just before closing then you’ve really got to inform your supervisory authority on the following Monday. Make sure you have a process in place that you can follow without delay, and make sure you let people know. Gone are the days where you hear about a website losing customer data in a hack that happened a couple of years previously. You might find this interesting, but there are specific rules about recording with CCTV too, and of course the Centre should really have made sure any data was encrypted so that even if it does fall into the wrong hands there’s still a very good chance they won’t be able to access or read it. Be especially careful about what information you carry around on your phone or tablet device as these often have direct access to stored data. If your passcode is 1111 I wouldn’t consider that very secure. As far as asking about your data goes, GDPR introduces a thing called a “Data Subject Request”, you being the ‘Data Subject’. I’ll go into this in more detail below, but just be aware that there are certain requests you can ask a holder of your data to carry out.
Your views might be different to mine but that’s good! At least you’re starting to think about the implications of this new regulation

Five Takeaways

So the five things you should take away from this are (roughly):

  • You need to explain who you are, what the data you are collecting is for and how long you’re planning on holding on to it
  • Detail who on your team will be able to see your data especially if you’re planning on sharing it
  • You’re asking for consent to be freely given. You, in return, need to be clear and forthcoming about what you’re doing with the data
  • Provide a means for people to see their data, download it, and delete it if they want
  • Inform people if their data has been part of a data breach

This is covered nicely by this infographic from the European Commission: http://ec.europa.eu/justice/smedataprotect/index_en.htm

What do I need to do?

So now we’ve covered some basics the main question is of course, “What do I need to do?”.

Let’s break this down into 4 areas – before starting; data collection; processing; and what someone can ask you to provide

Before we start, a quick note on who you’re actually responsible to. GDPR is essentially the work of the European Commission. The EC passes on responsibility for local governance of the legislation to a local ‘Supervisory Authority’. In the case of the UK this is the Information Commissioner’s Office or ICO (ico.org.uk). The ICO offers a range of information on GDPR, but be aware that they can ask you to participate in an audit with them. There are financial penalties for anyone who breaks the regulations, so it’s certainly worthwhile spending some time making sure you’re on the right side of the law.

Before collecting data from anyone you should ideally run a data audit to work out a couple of things:

  • What sort of data you’re looking to ask for
  • What your legitimate interests are in asking for and using the data you collect
  • Whether you’re collecting information from under 16s or not
  • What wording you’re going to use to ask for it
  • Whether you’re going to use double opt-in or not
  • Where and how you’re going to hold it
  • How you’re going to use the information
  • Who’s going to be able to see the information
  • Who you’re going to share the information with
  • Whether any decision making is going to be done automatically
  • Whether you’re going to register with the Supervisory Authority or not (recommended you do)
For each of the data sets that you propose to capture it’s a good exercise to plan out the journey that the data would go through from beginning to end: from the point where, say, a student enters your classroom for the first time, up to the point where they ask you to remove their data because they are no longer planning on coming to your class (they may be moving away, for example).

It’s important to do this exercise as you can use it to check, at each point of change, whether there are any weaknesses in where the data is processed or stored and whether it is vulnerable to loss or to being hacked if it’s not secure. Whilst it’s impossible, without a massive undertaking, to be 100% sure that data will be kept secure, you should be confident that you can show you’ve tried to the best of your ability to consider any weaknesses, reduced the possibility of a data breach to a level as low as you can, and tracked and recorded each step that you take when doing so.

So as an example, here’s a checklist I’m working on for a Yoga Teacher I’m helping out.  You can download a blank one of these at the bottom of this page

Ask yourself the following (ICO’s 3 Part Test):

Prechecks

  • Is the data being used in a reasonably expected way and does it have a minimal privacy impact?
  • Is there a very good reason for you to process the data? E.g. marketing, fraud prevention, transfer of information inside your company, etc.

Step 1: Legitimate Interest

  • What is your specific legitimate interest?
  • What are you aiming to do by processing the data?
  • Who is set to gain from the processing you are doing?
  • What impact would it have if the data you collect couldn’t be processed?

Step 2: Necessity test

  • Does your processing further your goals?
  • Is it a reasonable way to process the data?
  • Could you achieve the same results by doing it a different way (that may be less intrusive)?

Step 3: Balance test

  • Does your proposed processing pose more of a threat to the owner’s data than it is a benefit to you?
  • What’s your relationship with the data owner?
  • Are you collecting any sensitive data you need to take more care with?
  • Are you collecting data on children?
  • What safeguards can you adopt to protect the data?

Terms and Conditions and Privacy Notice

This is a good point to also consider what wording you’re going to put into your Terms and Conditions and Privacy Notice (or amend these where you already have them). There are certain things that GDPR is expecting you to put into the wording but it will save a lot of time and space here to simply ask you to review the wording of the T&Cs and Privacy Notice here on Seasonal Hub. The 3 Kickstart Packs below include a template for each and feel free to use these as a starting point

The T&Cs will be particular to what you are doing with your own site, for sure, but as a minimum I recommend putting contact details and a statement about whether you allow children to access your site or not

  • Anyone who gives their consent should do so “freely” and can withdraw their consent at any time. You need to record when either of these happens
  • Be wary of ‘Bundling Consent’. This is where you have one opt-in box that covers multiple processing paths for the data you’re collecting. It’s advised to have one opt-in for each possible processing path
  • Any form you present must be concise, transparent, intelligible and in an easily accessible form, using clear and plain language. Note that GDPR also covers what someone tells you verbally (say over the phone), though in this instance you have to verify they are who they say they are some other way (it doesn’t state how you do this, though)
  • You have to have a legitimate reason for collecting the data you’re after, i.e. if you ask for someone’s age you need to be processing that information somehow in what you’re using it for. An easy test would be to ask, “would my processing fail without this one piece of information?”
  • Special rules exist covering the capture of personal data on children (not covered here). Note that a child is ‘below the age of 16 years’. None of the businesses I’m working with require data from children so I’ve not added any child related information here. You should, however, have a statement in your terms and conditions that specifically states that your website is not to be used by children, if this applies to you

At the point of collection you must also provide:

  • contact details of the controller
  • your legitimate interests in the data and the purposes for its processing
  • the recipients of the personal data (if any)
  • whether you’re going to transfer any of the data to a third country or international organisation
  • the period for which the personal data will be stored (your Legal Obligation may require you to keep their data for longer) or, if this can’t be stated, the means by which it will be calculated. Legal obligation covers things like orders, invoices and employee records which by law (in the UK) you’re required to keep for 7 years, as far as I know

You also need to state what rights anyone giving you their data has, their Data Subject Request Rights. This might be good for your Privacy Notice or you may choose to do this on a per collection basis. The rights include:-

  • access to their data, complete any missing data, correct any errors, object to its processing, withdraw consent (at any time), lodge a complaint

One thing you will also need to state is whether any automatic processing is happening on the data someone gives you. I suspect for most of us this won’t be the case but be aware of this. I believe this is here so people can avoid giving information which might put them at a disadvantage. Say for example you only want to provide a service to rich clients and you’re asking for someone’s salary. If they give you their information on this you could decline to offer your services to them, and if you do this automatically you’re in effect breaking GDPR if you haven’t told them you’re doing this sort of profiling. You can of course amend your process so this specific decision is done manually by someone who has access to the data. Just keep this in mind

Note that someone’s data can also be ‘Restricted’. In this case the data is not deleted but effectively frozen and shouldn’t be used for any further processing. Restriction may occur if someone is under a criminal investigation for fraud, for example. A restriction on someone’s data can also be removed, so make sure you keep track of all of this too!

So now you’ve collected your data and it’s in your possession and naturally GDPR has some things for you to consider here now too…

  • You should have in place a means of securing the personal data. This needs to be ‘appropriate to the risk’ so if you consider the information low risk to the owner then it should be easy enough for you to secure it (password protect or encrypt somehow)
  • You should keep an eye on whether any of your requirements change as you’ll have to keep the level of security you have on the data up to current standards over time too
  • You should want to limit access to the data you now have. Having poor security or allowing anyone access breaks one of the fundamentals of GDPR and leaves you open to prosecution. Do the most that you can rather than the least; that way you have a better chance of avoiding a data breach. Many of the texts I have read talk about your ‘level of acceptable risk’. If you’re happy taking more risks and possibly exposing the data then that’s ok. If you’re risk averse like me then you’ll do the most you can to secure the data. With GDPR the switch is that everything is now opt-in, or on by default, so your security measures should default to being active
  • Only use the data for what it has been specifically collected for unless you’ve specifically pointed out what extra processing the data may be used for. So you can’t collect data on students attending a class (for your records) and then send them all an email shot unless you’ve specifically stated you’re going to do this
  • Where there is more than one person processing the data GDPR requires you to have a written contract between you. This should cover who is responsible for what data and that both recognise that they are responsible for the data and will follow the privacy procedure as set out by you. You have to be careful here. You shouldn’t, for example, ask someone to do some work for you that grants them access to the data you have without there being a record of your relationship with them. You need to record how the data is processed, who accesses it, how long they have access, and whether any copies they have are destroyed when they finish their processing. You remain fully liable while someone else is processing the data you have
  • Keep records to show you’re following the regulations. You should include :-
    • name and contact details of the controller
    • purposes of processing
    • a description of the categories of personal data
    • the categories of recipients to whom the personal data will be disclosed (if any)
    • where possible, the envisaged time limits for erasure of the different categories of data
    • where possible, a general description of the technical and organisational security measures that secure the data
    • document any personal data breaches and report them when they occur (both to the owner and the Supervisory Authority)

Note that the Supervisory Authority (ICO) can ask to see your records during an audit and that they can impose fines of up to 20 000 000 EUR, or up to 4% of your total worldwide annual turnover. They do, however, offer an advisory audit on request where they would assess how you’re doing and give you pointers on how to improve your processes. That might be worth considering

A note on what you can’t do

Gather information that identifies a person’s:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic or biometric data concerning health
  • details of sex life or sexual orientation

You can’t charge for people requesting to see the info you hold on them unless it’s excessively difficult to retrieve

Data Subject Access Requests

Someone who has provided you data has certain rights under GDPR. Their data isn’t being transferred to you, they still own it, and as a consequence there’s certain things that they can ask you to do…

They can:-

  • ask you to tell them the purposes of the processing and how long it will be stored (this should be on any form where their data is first collected). Where it’s not possible to give a time limit, a description of the criteria that will determine how long the period will be is required
  • ask you to tell them who will have access to their data
  • ask you to tell them where any information you have on them that you’ve not specifically asked them for came from (if you get details from third party databases, for example)
  • ask if there is any automatic decision making / profiling being carried out on their data

Specific “Rights”

  • Right to request restriction of processing
  • Right to object to any processing
  • Right to lodge a complaint with a supervisory authority
  • Right to rectification of data / completion of missing data
  • Right to be forgotten
  • Right to data portability – data must be made available electronically (encrypted but machine readable format)

You should have in place a documented process on how to handle each of the above
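As an added example (not the article’s code, nor any product’s), here is a small Python consent ledger showing how the record keeping described above could be implemented: one opt-in per processing path with a recorded date for each grant and withdrawal, a ‘restricted’ flag that freezes a record without deleting it, a machine-readable export for an access or portability request, and an erasure that leaves only a dated tombstone. The purpose names, retention periods and sample student are assumptions.

```python
"""Constructed consent ledger for a small class register: not the article's
code or any product's. Purposes, retention periods and the sample student
are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import json

# One opt-in per processing path rather than one box covering them all
# (the article's "bundled consent" point), each with an assumed retention.
PURPOSES = {
    "class_register": timedelta(days=365),
    "share_contact_with_sub_teacher": timedelta(days=365),
    "share_medical_with_sub_teacher": timedelta(days=365),
    "email_marketing": timedelta(days=730),
}

@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class Subject:
    subject_id: str
    personal_data: dict
    consents: list = field(default_factory=list)
    restricted: bool = False  # "restriction": frozen, not deleted

def grant(subject: Subject, purpose: str, when: datetime) -> None:
    """Record a freely given opt-in, with its date, for exactly one purpose."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown processing purpose {purpose!r}")
    subject.consents.append(Consent(purpose, when))

def withdraw(subject: Subject, purpose: str, when: datetime) -> None:
    """Record a withdrawal; the original grant stays on file as evidence."""
    for c in subject.consents:
        if c.purpose == purpose and c.withdrawn_at is None:
            c.withdrawn_at = when

def may_process(subject: Subject, purpose: str, now: datetime) -> bool:
    """Gate every use of the data: not restricted, and an unwithdrawn consent
    for this exact purpose that is still within its retention period."""
    if subject.restricted:
        return False
    return any(c.purpose == purpose and c.withdrawn_at is None
               and now - c.granted_at <= PURPOSES[purpose]
               for c in subject.consents)

def access_export(subject: Subject) -> str:
    """Right of access / portability: machine-readable copy of what is held,
    including every consent event and its dates."""
    return json.dumps({
        "subject_id": subject.subject_id,
        "personal_data": subject.personal_data,
        "restricted": subject.restricted,
        "consents": [{"purpose": c.purpose,
                      "granted_at": c.granted_at.isoformat(),
                      "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
                     for c in subject.consents],
    }, indent=2, sort_keys=True)

def erase(subject: Subject, when: datetime) -> dict:
    """Right to be forgotten: drop personal data and consents, keeping only a
    dated tombstone so the request itself can be evidenced to an auditor."""
    subject.personal_data = {}
    subject.consents = []
    return {"subject_id": subject.subject_id, "erased_at": when.isoformat()}

def demo_scenario() -> dict:
    """Walk the article's first scenario: a new student signs the waiver with two
    boxes ticked, later withdraws from marketing, and is then restricted."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    s = Subject("student-001", {"name": "A. Student", "email": "a@example.invalid"})
    grant(s, "class_register", t0)
    grant(s, "email_marketing", t0)  # no box ticked for sharing medical details
    out = {"can_register": may_process(s, "class_register", t0 + timedelta(days=30)),
           "can_share_medical": may_process(s, "share_medical_with_sub_teacher", t0),
           "can_email": may_process(s, "email_marketing", t0 + timedelta(days=5))}
    withdraw(s, "email_marketing", t0 + timedelta(days=10))
    out["can_email_after_withdrawal"] = may_process(s, "email_marketing", t0 + timedelta(days=11))
    out["register_after_retention"] = may_process(s, "class_register", t0 + timedelta(days=400))
    s.restricted = True
    out["register_while_restricted"] = may_process(s, "class_register", t0 + timedelta(days=30))
    s.restricted = False
    out["export"] = json.loads(access_export(s))
    out["tombstone"] = erase(s, t0 + timedelta(days=500))
    out["data_after_erase"] = s.personal_data
    return out
```

Every use of the data goes through may_process, so an email shot to someone who only ticked the register box, or to a restricted record, is refused by the same check that an auditor can read.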

Conclusion

So hopefully you can see from the above that there’s a lot more than just adding a tick-box! Try not to get too anxious about any of this as there’s a relatively low chance of the ICO auditing a small yoga class with half a dozen students.  I read an article recently that suggested that the ICO weren’t “looking for perfection” when it came to compliance but they were looking for “a good intent” when it came to complying.  Just be happy with your own level of risk, if there’s any at all

I imagine the Supervisory Authority are more interested in the Cambridge Analyticas of this world but of course you should invest in protecting your interests now rather than hedging your bets against the knock on the door

Resources

Free Resources

  • Toolkit 1: ICO – 12 Step Guide
  • Toolkit 2: ICO – Access Aware
  • Toolkit 3: ICO – Think, Check Share

Photo Credits (all Unsplash)
Waiver – rawpixel
Birthday – Gaelle Marcel
Sports car – Joey Banks
Hands – rawpixel
Analytics – Carlos Muza
News – Keenan Constance