Data Protection laws and GDPR
What is Data Protection?
Any business, which holds and processes personal information about their students, clients, employees or suppliers are legally obliged to protect that information. This applies to any type of business, from sole traders to Limited companies. There is legislation in place which gives people control over their personal data and protects their right to privacy.
What Legislation do I need to follow?
2018 was a big year for Data Protection. The European Union implemented legislation to strengthen and unify Data Protection laws within member countries. Previous UK legislation was written in 1998 (UK Data Protection Act) while the internet was in its infancy. Over the last 25 years, technology has transformed our lives in ways nobody could have imagined!
Meet the General Data Protection (2018) Regulation, aka the GDPR. This regulation came from the European Parliament, the Council of the European Union and the European Commission and is in place within all EU member countries and businesses who transact with customers within the EU.
What is covered in the GDPR?
The GDPR contains six principles for using and storing personal data. Data should be:
- Processed lawfully, fairly and transparently;
- Only be used for specific purposes;
- Be limited to what is necessary and relevant;
- Retained for no longer than necessary;
- Protected against unlawful use or loss.
Be aware that individuals (students) have rights
The GDPR has given more rights to individuals than they previously had. They have the right to be informed, have access to their data, rectify errors in their data, erasure, restrict processing of their data, data portability, object to the data that is held and the right not to be subjected to automated decision-making including profiling of their details.
Your students (and ex-students) have the right to request access to the information which you hold on file about them. This is known as a Subject Access Request (SAR). If you receive a request, you should provide this information within one month and should not charge for providing this information.
Does my organisation need to register under the GDPR?
In the UK, the Information Commissioner’s Office (ICO) maintains a register of businesses and organisations who are responsible for processing information and the purposes for which they use personal information.
If you hold and process information about individuals who are customers, employees, suppliers, clients or other members of the public, you may need to record that on the register. This is called ‘notification’. Check out if you are required to register. This is an annual process so it would be worth checking your registration is up to date!
What should yoga teachers do to comply with GDPR?
You need to be seen to have taken proactive steps to demonstrate compliance with the GDPR, and not assume that individual data is protected. The GDPR is a large document and I have summarised below some of the points which I feel are relevant to yoga teachers.
- Identify the lawful basis you have for processing/storing information about students. Ensure that you only gather the information that is relevant and pertinent to your business, refer to Appendix 1.
- Document all information you hold - document (on a spreadsheet or equivalent) what personal data you hold about your students, where it came from, whom you share it with (if applicable), what you do with it and identify what your lawful basis for storing it is. Keep the document in a safe place.
- All students have a right to be informed about why their data is collected, for what purpose, how their data will be used and how long it is stored. You should keep a record that you have told students about your data processing procedures.
- Ensure you have a privacy notice on your website and in your terms and conditions. Use this to inform students about your data protection policies.
- Obtain consent for marketing purposes - you have a legitimate interest to email students information e.g. a newsletter or information about a workshop in which they may be interested. However, if they are no longer a student you will need their consent to send them marketing material. I would recommend that you ask students to consent to their information being stored and used for your marketing purposes when they sign up for your classes. All information must be given freely, and if taken electronically there must be a positive opt-in, it cannot be given from inferred silence or pre-ticked boxes. This should be separate from other terms and conditions. Remember if you are emailing your students to give them the option to unsubscribe from your emails.
- Data breaches - you should have a procedure in place to detect, report and investigate a data breach. This could be from hacking or simply from losing a laptop or memory stick that is not password encrypted. An email sent to the wrong person could constitute a breach, you should ensure that your email disclaimer states that if the email is sent to someone in error that it should be deleted. You need only notify the ICO of a breach of personal data if it is likely to result in a risk to the rights and freedoms of individuals.
- The person accountable - a member of your team (if you have one) should be appointed to take responsibility for data protection compliance.
- Employing staff - ensure their data is kept securely and they are aware of what data you are keeping and why. You should also document what data you hold for them, why you are asking for it and determine a time period for keeping this information after they have left employment. Refer to Data Protection Guide to Employing staff - (add link)
- Former Students - decide how long you will keep their data for. It is fine to keep some of their data, for example in case you need to contest a future legal issue, and to keep a sales record. I would recommend that you remove their payment details, as you have no legal reason to keep these. There is no set time for how long you should keep records, it is normally common practice to keep these for 7 years.
- Children - if you work with children then you should have a system in place to verify individuals’ ages and obtain parental or guardian consent for any data you hold about them. The GDPR sets the age at which a child can give their own consent at 16, although this may be reduced to 13.
- Sharing information with a third party - if you share your student’s data with a third party, such as a therapist or another studio, then you will need to make your students’ aware that you do this, the reasons why and layout what the third party will be using their information for.
- Pictures and videos - if you use pictures or videos of classes on your website, social media or in marketing material then you must ensure that you have the relevant students’ permission to use their image. If they object, then their images cannot be used.
For further information, please refer to the ICO where you will find lots of useful information and templates to use.
Lawful Basis (Legal Reasons) for Processing Information
- Contractual necessity - you need to process someone’s personal data to perform a contract you have with them, e.g. where you have a contract with a student to provide a product or service (yoga class).
- Legitimate interest - you have a genuine and legitimate interest (can include commercial), so long as this is not outweighed by harm to an individual’s rights. I recommend using this reason to explain why you are asking for health questionnaires to be completed, you have a legitimate interest to protect the student during a class and make necessary adjustments to meet their needs.
- Consent - your students have consented to data processing i.e. put something in your application form which allows them to tick a box to confirm that they are happy for you to store their data.
- Vital interests - it is necessary to protect someone’s life.
- Legal obligation - where you need to process an individual’s data because your organisation has to comply with legal obligation under UK or EU law - not applicable to yoga teachers
- Official function - you need to process data in order to carry out an official function or task which is in the public interest and you have a basis for proceeding under UK law. This is not relevant to teachers and applies to public bodies.
Useful links -