I would suggest that you set some time aside over the coming weeks to review your compliance with the GDPR, conduct a review of your processes and documentation and make any necessary changes. Remember the GDPR comes into effect on 25th May 2018.
The changes and information surrounding the GDPR and the actions which we all need to take are vast. I have put together some highlights from the research which I have done, which I feel are relevant if you are a yoga teacher. Further information can be found on the ICO website.
- Document all information you hold – document (on a spreadsheet or equivalent) what personal data you hold about your yoga students, where it came from, who you share it with (if applicable), what you do with it, and identify your lawful basis (see Appendix 1) for storing it.
- Decide what information you should keep – you may keep basic contact details as you have a contractual reason to do this. However, if you hold other details on record for your students, then you will need to identify a lawful basis as to why you need this.
- Review privacy notices on your website and terms and conditions – inform students why you process data, your lawful basis for processing the information, your data retention period and inform students that they have the right to complain to the ICO if there’s a problem with the way you handle their data.
- Check and amend your procedures – ensure they cover all the rights individuals (see the previous blog) have, including how you would delete personal data or provide data electronically and in a commonly used format if a request is received.
- Subject Access Requests (SAR) – you should create or update your procedures and plan how you would handle a request for information.
- Consent – review how you seek, record and manage consent and whether you need to make any changes to how you gather information when a new student joins a class. You have a contractual necessity to keep a student’s contact details and a legitimate interest to email them information, e.g. a newsletter or details of a workshop which they may be interested in. However, if you wanted to email them marketing material, particularly if they are no longer a student, then you will need their consent for this. I would recommend that you ask students to consent to their information being stored and used for your marketing purposes when they sign up for your classes. Consent must be given freely, and if taken electronically there must be a positive opt-in; it cannot be inferred from silence or pre-ticked boxes. This must be separate from other terms and conditions. Remember, if you are emailing your students, to give them the option to unsubscribe from your emails.
- Data breaches – you must ensure that you have a procedure in place to detect, report and investigate a data breach. This could result from hacking or simply from losing a laptop or memory stick which is not password-protected or encrypted. An email sent to the wrong person could also constitute a breach, so you should ensure that your email disclaimer states that if the email is received in error it should be deleted. All organisations must notify the ICO of a breach of personal data which is likely to result in a risk to the rights and freedoms of individuals, e.g. where it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. An incorrectly sent email would not need to be reported to the ICO.
- Appoint someone to be accountable – a member of your team (if you have one) should be appointed to take responsibility for data protection compliance.
- Employing staff – ensure that any employed yoga teachers’ data is kept securely and that they are aware of what data you are keeping and why. You will also need to document what data you hold for them, why you are asking for it, and determine a time period for keeping this information after they have left your employment. I will produce a blog in the coming weeks with further information regarding employing staff.
- Former students – decide how long you will keep their data for. It is fine to keep some of their data, for example in case you need to contest a future legal issue, and to keep a sales record. I would recommend that you remove their payment details, as you have no legal reason to keep these. There is no set time for how long you should keep records; it is normally common practice to keep these for 7 years. Remember that you will need to gather former students’ consent before the act comes into effect if you plan to market to them in any way.
- Awareness – ensure your team (if you have one) are aware that the law is changing and the impact that these changes will have on your business.
- Set up a GDPR Assessment file – store your audits, your GDPR procedures and all other information pertaining to GDPR compliance in this file; you will need it should the ICO ever have to investigate a complaint.
- Children – if you teach yoga to or work with children then you may need to put systems in place to verify individuals’ ages and obtain parental or guardian consent for any data you hold about them. The GDPR sets the age at which a child can give their own consent at 16, although this may be reduced to 13.
- Sharing information with a third party – if you share your students’ data with a third party, for example a therapist or another studio, then you will need to make your students aware that you do this, the reasons for it, and what the third party will be using their information for.
Lawful Basis (Legal Reasons) for Processing Information
- Contractual necessity – you need to process someone’s personal data to perform a contract you have with them, e.g. where you have a contract with a student to provide a product or service (yoga class).
- Legitimate interest – where you are a private sector organisation and you have a genuine and legitimate interest (which can include a commercial one), so long as this is not outweighed by harm to an individual’s rights. I recommend using this reason to explain why you are asking for health questionnaires to be completed: you have a legitimate interest in protecting the student during a class and making any necessary adjustments to meet their needs.
- Consent – your students have consented to data processing i.e. put something in your application form which allows them to tick a box to confirm that they are happy for you to store their data.
- Vital interests – it is necessary to protect someone’s life.
- Legal obligation – where you need to process an individual’s data because your organisation has to comply with a legal obligation under UK or EU law. This is not applicable to yoga teachers.
- Official function – you need to process data in order to carry out an official function or task which is in the public interest and you have a basis for proceeding under UK law. This is not relevant to teachers and applies to public bodies.
The contents included in this blog are for information purposes only, we cannot provide specific legal advice. This information has been put together from the research we have conducted into the GDPR for interest only. If you require any legal advice, then please consult a legal expert.