The first thing you need to know is that the Data Protection laws are set to change.
On 25th May 2018 the UK Government will implement the General Data Protection Regulation, aka the GDPR. This will change the way businesses deal with personal information, and all businesses are obliged to comply with these changes.
The entire act is 260 pages in length and I will highlight some of the key changes which our members should be aware of below. I will be publishing a series of blogs about this over the coming weeks.
It is important to be prepared and action these changes before the GDPR comes into effect.
Why are the Data Protection Laws changing?
The previous legislation was written in the mid-1990s while the internet was in its infancy. Over the last 25 years, technology has transformed our lives in ways nobody could have imagined. This regulation has come from the European Parliament, the Council of the European Union and the European Commission and is intended to strengthen and unify data protection for all individuals within the European Union.
The GDPR’s primary aim is to give people control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
What is changing?
The main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly under the current law then most of your approaches will remain valid under the GDPR and can be the starting point to build from. However, these will be expanded and a number of new rights and obligations will be introduced. The general effect of the changes is that you will have to take proactive steps to demonstrate compliance, rather than assume that data is protected. This is captured in two key themes: transparency and accountability.
The GDPR contains six principles rather than eight; however, these broadly restate the current principles under the DPA. Personal data should be:
- processed lawfully, fairly and transparently;
- used only for specific purposes;
- limited to what is necessary and relevant;
- retained for no longer than necessary; and
- protected against unlawful use or loss.
The key things which are changing are summarised below:
- Transparency and Accountability – a general requirement for businesses to be accountable for data processing, with a greater emphasis on transparency. All students have a right to be informed about why their data is collected, for what purposes and how the data will be used. You will need to keep up-to-date records to ensure you can demonstrate compliance with the GDPR.
- Greater rights of individuals – students have always had rights, but the GDPR has increased the number of rights given to individuals in terms of the information which you keep about them; refer to Appendix 1 below.
- Record Keeping – the nature of the data a business can retain, and for how long, needs to be identified and monitored. You will also need to keep records of any decision-making processes; more on this in Part 2.
- Marketing to Ex-Students – you will be unable to market directly to them after the GDPR comes into force unless you have their consent to do this. If you have ex-students who you stay in touch with via email and market to, you will need to gain their consent that they still wish to receive these emails. I would recommend that you keep a record of their consent in a safe place in case of a complaint. If you do not receive consent, it is recommended that you archive their basic details so they cannot be contacted in error.
- Request for information – your students have the right to request access to the information which you hold on file about them. This is known as a Subject Access Request (SAR). The main change here is that the time limit for providing this information is changing from 40 days to one month. You are no longer allowed to charge for providing this information.
- Data Protection by Design and Data Protection Impact Assessment (DPIA) – data protection by design promotes privacy and data protection compliance from the start of any project. It ensures that privacy and data protection are a key consideration in the early stages of any project, and then throughout its lifecycle, e.g. building a new system for storing or accessing personal data or embarking on a data-sharing initiative. A DPIA is a document which assesses the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. The GDPR makes privacy by design a legal requirement.
Part 2 of this blog series will highlight the actions which you need to take to make preparations for the GDPR.
Appendix 1 –
1. Individual Rights
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability*
- the right to object
- the right not to be subject to automated decision-making including profiling
*Data Portability is a new right and allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. It is unlikely that this is relevant to the yoga world but useful to know.