The General Data Protection Regulation (GDPR) deadline is fast approaching. May 25th, 2018: Doomsday. It is the most significant overhaul of data protection rules in 20 years. The legislation comprises 99 articles, establishing the digital rights of individuals and the responsibilities of data “controllers” and “processors”. Any company that processes or controls EU customer data needs to adjust their business model accordingly. Before you bask in Brexit liberties, note that the UK government are implementing the Data Protection Bill, which largely mirrors GDPR.
After the scandal involving Cambridge Analytica and its corrupt use of 87 million Facebook users’ data, GDPR comes into force at a befitting time. The law itself was decided in April 2016, giving companies a two-year transition period, but many are still unprepared for the changes. It is a lot to get your head around, but once in place will simplify the use of data and grant individuals access to their personal information.
The new regulation specifies that a person’s data is only to be used if they give direct consent. GDPR affects every company that handles the data of any EU citizen, regardless of where the company itself is based. Anyone in breach of the new laws will face a fine of €20 million or 4% of global revenues (whichever sum is larger).
A sports centre or activity provider “controls” customer data. Personal data refers to any information that can be used to identify someone. According to the EU commissioner, this is “anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Sports providers gather most of this data during the booking process, making OpenPlay a “processor” of data. We, at OpenPlay, have no reason to contact your customers. We must provide tools to help you (the “controllers”) comply, but ultimately it is your responsibility to ensure your system is in place. If you are a large sports centre, you might consider hiring a Data Privacy Officer.
We’ve compiled a list of changes you will need to implement…
OpenPlay will be adding a tick-the-box question that requires customers to explicitly grant or deny permission for your company to contact them. Keep a record of these permission forms. You will no longer be able to market to customers without receiving prior consent. You can still send emails or texts that directly relate to the customer’s booking.
Accepted: A confirmation or cancellation email. Necessary information: “Sorry, the gym has run out of towels. Please bring your own.”
Not accepted: Mass emails that reveal the email addresses and names of other recipients. Promotional content: “The gym has a lovely range of luxury towels available for purchase,” “Upcoming Easter Course: Selling out fast!”
Lawful Basis for controlling data
For each piece of data you store, you must be able to justify its purpose (or gain explicit consent). For example, medical records are of vital interest to sports providers; they are part of the safeguarding process. Superfluous, unconsented data may be flagged in audits.
You must ensure that you are storing customers’ data safely. Extra security controls should be put in place so that outsiders cannot access sensitive information. Email is the biggest risk of third-party interference, be it a malicious or accidental breach.
This refers to both your customers and your employees. You must obtain written permission from your staff to use their full name and/or contact details on your website, social media posts, cover list, and any in-house posters.
If a customer demands to see the data you have on them and the third parties with whom you share it, you must be able to send them a detailed breakdown of the information.
Delete Expired Data
If someone has not booked with you in three years, you must erase all of their data. However, you should also consider deleting any data that is deemed irrelevant even if it is within this three-year window.
The UK has been extra vigilant in its requirements of companies handling the personal data of children. Parental consent must be acquired for those under the age of 13. When obtaining children’s data, you must ensure that each piece of information forms a crucial part of your safeguarding system.