How GDPR affects the UK fitness industry

What personal trainers, coaches, gyms, and online businesses need to consider when handling personal data. 

Disclaimer: See this blog post as your overview of UK-GDPR (General Data Protection Regulation) for gyms, personal trainers, and businesses in the fitness industry. While this is not legal advice, we have put together information on how to be compliant with your marketing data and the benefits of doing so. 

GDPR compliance was the buzzword of 2018. When the EU regulation became enforceable on 25 May of that year, companies had to evaluate how they managed personal data, clean their lists, and in many cases add a double opt-in to their sign-up processes. 

The problem is that GDPR was not a one-and-done exercise. After the initial rush to make their businesses compliant, many have stopped keeping up with their data protection obligations and slipped back into old habits.

In a post-Brexit UK, the EU GDPR no longer applies directly. However, the UK has retained its text in domestic law as the UK-GDPR, which sits alongside the Data Protection Act 2018, so the same rules continue to apply in a UK business context. The UK-GDPR took effect on 1 January 2021, when the Brexit transition period ended. 

It is worth noting that if you have clients in both the EU and the UK, you will have to follow both the EU GDPR (for your EU clients' data) and the UK-GDPR (for your UK clients' data). 

Managing your database maintains good business ethics and can have brilliant benefits for your marketing campaigns. We’ll talk about that later on, but first, let’s take a quick recap. 

What is GDPR? 

In the UK, the UK-GDPR is supplemented by the Data Protection Act 2018. Together they require everyone responsible for using personal data to follow a set of rules called the data protection principles, so that data is used fairly, lawfully, and transparently.

There are seven principles, set out in Article 5 of the UK-GDPR. They are binding requirements, not optional guidance, but they are written at the level of principles: they state what data protection is meant to achieve, and the more detailed articles and ICO guidance fill in how.

  1. Lawfulness, fairness and transparency 
  2. Purpose limitation 
  3. Data minimisation 
  4. Accuracy 
  5. Storage limitation 
  6. Integrity and confidentiality 
  7. Accountability (Article 5(2): you must be able to demonstrate that you comply with the other six)

You can find out more about each of these areas under Article 5 of the UK-GDPR. In short, you (as a company or freelancer) should be responsible and thoughtful about how you collect and use data. You should also regularly check and clean data and collect only what you need. 

For example, as the data controller you may decide to retain an ex-member's or ex-client's contract and payment records for a fixed period after the contract ends, such as the seven years many businesses use for financial records. The law sets no fixed number; the storage limitation principle only requires that you keep the data no longer than necessary for a documented purpose. Retaining it for record-keeping does not, however, justify continuing to market to that contact: marketing is a separate purpose and needs its own lawful basis and a working opt-out. 

Who does it affect? 

This affects anyone who handles personal data. For the fitness industry this means gyms, personal trainers, and physical or online shops that sell products or services. 

The aim of the Data Protection Act is to hold the organisation that controls personal data responsible for safeguarding it, and to give individuals the right to find out what information a business or organisation holds about them (the right of access). 

There are two key terms to remember when reading about GDPR policy: the ‘data controller’ and the ‘data processor’. A data controller decides why and how personal data is used (a gym deciding what to collect from its members, for example), whilst a data processor handles the data only on the controller's instructions (such as an email marketing platform or a payment provider). A company can be one or the other, or a controller for some data and a processor for other data. Controllers remain responsible for the processors they use, so have a written contract in place with each of them (Article 28 of the UK-GDPR). 

Okay, so how does GDPR apply to the fitness industry? 

With any of the following business models, first make sure you have a lawful basis (Article 6 of the UK-GDPR) for holding and using the data, and record what that basis is.

How gyms collect data

As a member-based business model, gyms store personal information about their members such as name, email address, home address, phone number, age, gender, and payment details. Any health information collected at sign-up (injuries, medical conditions, fitness questionnaires) is ‘special category’ data under Article 9, which needs an additional condition on top of the ordinary lawful basis and extra care in how it is stored and who can see it. 

Third parties should not gain access to this information unless you told members at sign-up that this would happen and you have a lawful basis for sharing it. Suppliers that handle the data on your behalf (membership software, payment processor, email platform) are data processors and should be covered by a written contract rather than treated as third-party recipients. 

How PT’s collect data 

As a personal trainer, you may collect and keep on file personal and health data about clients similar to what we mentioned above. Keep this information in a structured format in a secure system (not in loose spreadsheets or chat threads on personal devices), limit access to you and any employees who genuinely need it, and review that access whenever staff change. 

How online service or product-based businesses collect data

Fitness coaches or businesses that sell products or services online collect data through cookies, sales, and newsletter sign-ups. Non-essential cookies (analytics, advertising) need consent under PECR, the UK's e-privacy rules, and marketing emails need an opt-in (or, for existing customers, the PECR ‘soft opt-in’, which requires a clear way to refuse at the point of collection and in every message). You can use the opt-in process to your advantage (we’ll talk about this more below). 

In all of the cases mentioned above, if a customer asks you to stop contacting them, you must stop: the right to object to direct marketing (Article 21) is absolute. If they ask you to delete their details (the right to erasure, Article 17), remove everything you have no continuing legal reason to keep, such as records you must retain for tax purposes or to defend legal claims. Keep a minimal suppression record of the address so it cannot be re-added on the next import; deleting it outright is how ‘unsubscribed’ contacts end up being emailed again. 

Where do I need to implement UK-GDPR? 

In short, UK-GDPR needs to be implemented anywhere personal data is collected, including details given to you verbally that you then write down or type in. The following areas should be considered by professionals working in the fitness industry when handling customer data:

Customer database / email list 

We’d suggest starting with a database clean to ensure you’re on the right track, and repeating it at least every six months to a year. This includes: 

  • Removing unsubscribed customers from your mailing lists (while keeping a suppression record so they are not re-imported)
  • Removing duplicate addresses 
  • Removing contacts whose addresses have bounced 
  • Removing role-based addresses like info@ or sales@, which rarely belong to an identifiable individual who has consented 

You might also want to segment your database so that you can send out more effective email campaigns. You can do this in whichever way benefits your business - by interest or location for example. If you’re starting out with segmentation or trying to re-engage contacts, we’d recommend segmenting customers by their activity level to keep track of their customer journey and campaign success. 

If it’s been a long time since you cleaned a list and you’re not sure who is a warm contact, send out a re-engagement email asking them what news they’d like to opt-in to. This might even re-engage some conversations you’ve been meaning to pick up! 

For email campaigns, you always need to include an unsubscribe option; it is a PECR requirement, and most email software builds it in as standard nowadays. Check that unsubscribes actually flow back into your own database rather than living only inside the email tool. 
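The clean-up steps above are easy to get wrong in a way that quietly breaks compliance, most often by deleting an unsubscribed contact outright and then re-importing them from an older export. Below is an added example, not code from the original article, showing one way to run the checklist over a contact export in Python: it suppresses unsubscribed addresses across all copies of a record, drops bounced, role-based and malformed addresses, de-duplicates case-insensitively, and splits what is left into warm, cool and re-engage segments for the campaigns described above. The field names, the 90/365-day thresholds and the sample records are constructed assumptions.

```python
"""Contact-list hygiene and segmentation for a small gym or PT mailing list.

Added example, not code from the original article. Field names, thresholds and
the sample records below are constructed assumptions for illustration.
"""
import hashlib
from datetime import date

# Generic mailboxes: usually not an identifiable individual who consented, and
# they rarely engage, so they are dropped from marketing lists.
ROLE_LOCAL_PARTS = {"info", "admin", "sales", "support", "contact", "office",
                    "hello", "noreply", "no-reply"}

WARM_DAYS = 90    # opened a campaign within the last 90 days (assumed threshold)
COOL_DAYS = 365   # opened a campaign within the last year    (assumed threshold)

# Constructed sample export from a membership system. "last_open" is the date of
# the last interaction with a marketing email (None = never).
SAMPLE_CONTACTS = [
    {"email": "alice@example.com",  "subscribed": True,  "bounced": False, "last_open": date(2024, 5, 2)},
    {"email": " Alice@Example.com", "subscribed": True,  "bounced": False, "last_open": date(2024, 5, 2)},  # duplicate
    {"email": "bob@example.com",    "subscribed": False, "bounced": False, "last_open": date(2024, 1, 1)},  # unsubscribed
    {"email": "BOB@example.com",    "subscribed": True,  "bounced": False, "last_open": None},              # re-imported copy
    {"email": "carol@example.com",  "subscribed": True,  "bounced": True,  "last_open": None},              # hard bounce
    {"email": "info@gym.example",   "subscribed": True,  "bounced": False, "last_open": date(2024, 4, 1)},  # role address
    {"email": "dave@example.com",   "subscribed": True,  "bounced": False, "last_open": date(2023, 1, 15)}, # gone cold
    {"email": "erin@example.com",   "subscribed": True,  "bounced": False, "last_open": None},              # never opened
    {"email": "frank@example.com",  "subscribed": True,  "bounced": False, "last_open": date(2024, 1, 10)}, # cooling
    {"email": "not-an-email",       "subscribed": True,  "bounced": False, "last_open": None},              # malformed
]
TODAY = date(2024, 6, 1)  # fixed "today" so the sample run is reproducible


def normalise(email: str) -> str:
    """Trim and lower-case so 'Alice@Example.com' and 'alice@example.com' match."""
    return email.strip().lower()


def is_plausible(email: str) -> bool:
    """Cheap syntactic sanity check (one '@', non-empty local part, dotted domain)."""
    local, sep, domain = email.partition("@")
    return bool(sep) and bool(local) and "." in domain and "@" not in domain


def is_role_address(email: str) -> bool:
    return email.partition("@")[0] in ROLE_LOCAL_PARTS


def suppression_token(email: str) -> str:
    """SHA-256 of the normalised address. This is pseudonymised, not anonymous, so it
    is still personal data, but it holds no more than is needed to honour the opt-out."""
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def clean_and_segment(contacts, today):
    """Return warm/cool/re_engage segments, a list of (email, reason) drops, and the
    suppression set of hashed addresses that must never be marketed to again."""
    # Pass 1: any record marked unsubscribed puts that address on the suppression
    # list, so a later re-import of the same person cannot bring them back.
    suppressed = {suppression_token(normalise(c["email"]))
                  for c in contacts if not c.get("subscribed", False)}

    result = {"warm": [], "cool": [], "re_engage": [], "dropped": [], "suppress": suppressed}
    seen = set()
    for record in contacts:
        email = normalise(record["email"])
        if not is_plausible(email):
            result["dropped"].append((email, "malformed"))
            continue
        if suppression_token(email) in suppressed:
            result["dropped"].append((email, "unsubscribed"))
            continue
        if email in seen:
            result["dropped"].append((email, "duplicate"))
            continue
        seen.add(email)
        if record.get("bounced"):
            result["dropped"].append((email, "bounced"))
            continue
        if is_role_address(email):
            result["dropped"].append((email, "role address"))
            continue
        # Pass 2 survivors are segmented by how recently they engaged.
        last = record.get("last_open")
        if last is not None and (today - last).days <= WARM_DAYS:
            result["warm"].append(email)
        elif last is not None and (today - last).days <= COOL_DAYS:
            result["cool"].append(email)
        else:
            result["re_engage"].append(email)
    return result


def run_sample():
    return clean_and_segment(SAMPLE_CONTACTS, TODAY)


if __name__ == "__main__":
    r = run_sample()
    for segment in ("warm", "cool", "re_engage"):
        print(f"{segment:10} {r[segment]}")
    for email, reason in r["dropped"]:
        print(f"dropped    {email} ({reason})")
    print(f"suppression list holds {len(r['suppress'])} hashed address(es)")
```

Two design points matter more than the filtering itself. The suppression set is built before anything else, so the re-imported, apparently subscribed copy of bob's address is still dropped; and the set is kept rather than discarded, because it is the only thing that stops the same mistake next time. In a real setup the unsubscribe events from your email platform should feed this list automatically, and the list itself is personal data that belongs in your records of processing.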

Website 

On your website, ensure opt-ins are included anywhere you collect data, and consider asking customers what kind of information they would like to receive from you, whether that is marketing news, offers, product updates, or tips. 

Make sure that you’re only collecting the data that you need from customers - one of the seven principles of GDPR is data minimisation - and be clear about why the customer is giving you their information. 

Privacy policy 

Communicate your data protection compliance in your privacy policy and make it known whenever you’re promoting your marketing material how you handle data. 

If you have multiple employees across the business, provide them with up-to-date training and information on how to handle data. It’s also a good idea to review who has access to documents containing sensitive or personal information. 

Promotions or competitions 

Running competitions or promotions is a great way to engage customers and gain sign-ups to your email list. But you don’t want to be caught out by GDPR here. 

Make it clear what information you’re collecting and why. If you plan to contact entrants in the future, ask them to opt in to updates as a separate choice: entering the competition must not be conditional on agreeing to marketing, or the consent will not count as freely given. 

What are the benefits of being GDPR compliant? 

First of all, being transparent and honest with customers or clients showcases that you care about their safety and privacy. Customers will be aware of how their data is being used and have a level of trust. 

For example, if a customer has opted in to receive news on new products or services, they’re less likely to be annoyed about receiving marketing emails and more likely to engage with it. 

Database management improves your marketing impact over time. When you send emails to lists of inactive customers, you’re actually harming your online reputation and more than likely sending your emails to people’s spam. 

We recommend creating segmented lists of customers, including warm and cool contacts so you can get the best results from your campaigns and be GDPR compliant. You need to clean your lists of unsubscribed contacts (usually email software does this for you, but it’s always worth double checking) and ensure you’re not holding this data unnecessarily. 

Last but not least, a benefit of being GDPR compliant is not getting a fine. Companies and individuals can face a fine if they are found to be in breach of data protection law. In the UK, the maximum fine is £17.5 million or 4 percent of annual global turnover, whichever is higher. While you may think “it won’t happen to me”, prevention is better than neglect. 

If you have any questions on managing your data or putting GDPR practices in place, reach out to us for a free, no-obligation call. Our team will be happy to help. 
