I have received so many emails offering training courses on GDPR, online discussions, documentation to read etc that I have been a bit scared by the whole thing. In my own mind I simplified it down to checking whether people still wanted to be on our email list. It is slightly more than this. Dee Ryan initially wrote a blog for us and Moyra Banks who is an HR specialist has added to and rewritten parts. Thank you girls.
GDPR – General Data Protection Regulation
The General Data Protection Regulation comes into force on 25th May 2018. This means that you must only hold data that is relevant, you must be open and honest about the data you hold and why you hold it. You must also have sufficient safeguards in place and you should have the permission of everyone whose details you hold on a database.
The types of data you may hold for dance classes can include a list of students and contacts who you email regarding events and products. You won’t need to scrap your mailing list but you will need to ensure everyone you email regularly for business purposes has given their explicit permission for you to contact them in this way and you must also give people the option to be removed or “forgotten” by you. You may have received many such emails yourself from mailing lists you subscribe to.
You will need to contact everyone on your current database and get their permission to remain on your database and give them the option to opt out. This is called Re-Permission. A Re-Permission Campaign is a simple campaign that asks your subscribers whether or not they want to keep receiving your emails. They serve the purpose of both reminding your customers of your brand and helping you comply with the upcoming GDPR regulations. Re-permission campaigns set clear expectations, and offer a simple Yes (I want your emails!) or No (get me off your list!) options. If you do not receive a reply you will need to delete them from your database/mailing list. Your inevitably smaller mailing list will have met the compliance standards of GDPR, future-proofing your mailing list, while re-engaging your customers.
You have several responsibilities towards your clients under GPDR. You will need to ;-
– Tell them who you are when you receive their data.
-State what information you will hold on them and why (i.e emergency contact details if there was an accident in class, email address to inform people of class times)
-Only request and store data that is relevant to the business (i.e you would probably want to know about any health condition if teaching classes however you would probably not need to know eye colour or political beliefs)
– Say how long you will keep their data (Things like accident books and class lists should be kept for 3 years – check with your insurers as some may want them kept longer – whereas emails from students asking class times can be securely destroyed sooner)
-State what safeguards you have in place to protect their data (will this be a password protected spreadsheet, a locked cabinet )
-State who, if anyone, you share data with and why (i.e. passing this on to hotels for residential weekends). If you share your data then it is a good idea to refer people to the privacy notice of the company.
– Use plain language
– Get their clear consent to process the data and confirm implications if they do not give consent (i.e they may not be able to join the class if you don’t have emergency contact information)
– Give people the right to opt out of direct marketing that uses their data (people should always opt into marketing emails rather than explicitly opting out).
– Let people access the data you hold about them if they request it
– Inform people of data breaches if there is a serious risk to them
– Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs (health is probably the only aspect you would need for dance class, things like race, sexual orientation would probably be considered excessive information for dance class)
– If you transfer data to countries outside of the EU, such as SurveyMonkey or a database held outwith the EU, then you should make sure that the organisation signs up to the privacy shield framework.
– If you teach children then you need to ensure that you adapt this information above accordingly so it is easy to understand and they are clear on what information you are holding on them and why. You may wish to consider asking for parental consent.
For more information:
Get in touch for more information