The Ultimate Guide to GDPR for Fitness Professionals

What personal trainers, coaches, gyms, and online businesses need to consider when handling the personal data of their clients.
Disclaimer: We are not a law firm, and nor are we the UK Government (though perhaps we should be?). This article should not be taken as legal advice; for that, you’ll want to get in touch with a registered GDPR professional and/or a lawyer. 

GDPR compliance was the buzzword of 2018. When new EU guidelines were announced in May of that year, companies had to evaluate their data management, clean lists, and add a double opt-in to sign-up processes. 

The problem is that GDPR was not a one-time box-checking exercise. After the initial rush to make sure a given business was compliant, many have forgotten to keep up with data regulations and returned to their old ways of thinking.

In a post-Brexit UK, the EU GDPR guidance no longer applies in the same way. However, the UK has incorporated EU GDPR into its UK Data Protection law, so you should continue to use the guidance in a UK business context. The new UK-GDPR took effect on January 31 2020. 

It is worth noting that if you have clients in both the EU and the UK, you will have to follow the GDPR laws and the UK-GDPR laws. 

Managing your database maintains good business ethics and can have brilliant benefits for your marketing campaigns. We’ll talk about that later on, but first, let’s take a quick recap... 

What is GDPR? 

In the UK, GDPR falls under the Data Protection Act 2018. It states that everyone responsible for using personal data has to follow a set of rules called the data protection principles to make sure data is used fairly, lawfully, and transparently.

There are seven principles of GDPR. They aren’t exactly hard rules, but instead act as a framework to state the purpose of data protection.

  1. Lawfulness, fairness and transparency 
  2. Purpose limitation 
  3. Data minimisation 
  4. Accuracy 
  5. Storage limitation 
  6. Integrity and confidentiality 
  7. Accountability (new to the UK law)

You can find out more about each of these areas under Article 5 of the legislation. In short, you (as a company or a freelancer) should be responsible and thoughtful about how you collect and use data. You should also regularly check and clean data and choose only to collect what you need.

For example, as the data controller you can hold the personal information of an ex-member or ex-client for up to seven years after termination of the contract. It would, however, be unethical to market to that contact after the contract has ended. 

Who does it affect? 

GDPR legislation affects anybody who handles personal data, no matter the context. For the fitness industry this means gyms, personal trainers, and physical or online shops that sell products or services. 

The aim of the Data Protection Act is to hold the data handler responsible for safekeeping personal information and also to give a customer the right to find out what information a business or organisation is storing about them. 

There are two key roles to remember when reading about GDPR policy: the ‘data controller’ and the ‘data processor’. A ‘data controller’ is the one who collects the information and decides how it is used, whilst a ‘data processor’ is the one who uses the information on the controller’s behalf. A company can act as both simultaneously, or else just one or the other. 

Okay, so how does GDPR apply to the fitness industry? 

With any of the following business models, it is important to first ensure that you have legal grounds to hold the information and data.

How gyms collect data

As a member-based business model, gyms will store personal and sensitive information about their members such as name, email address, home address, phone number, age, gender, and payment details. 

Third parties should not gain access to this information unless you have explicitly stated to your members that this would be the case upon sign-up. 

How PTs collect data 

As a personal trainer, you may collect and keep on file sensitive data about clients similar to what we mentioned above. We recommend that you keep this information in a structured format (e.g., a database), in a safe system to which only you and any relevant employees have access. 

How online service or product-based businesses collect data

Fitness coaches or businesses that sell products or services online will collect data through cookies, sales, and newsletter sign-ups. You should provide an opt-in to receive marketing information and you can use this process to your advantage (we’ll talk about this more below). 

In all of the cases mentioned above, if a customer asks you to remove their details from your database / stop contacting them, you are required to remove their data completely. 

Where do I need to implement UK-GDPR? 

In short, UK-GDPR needs to be implemented anywhere data is collected, even verbally. 

The sections below show what GDPR guidelines could look like for each area: 

  • Customer database / email list
  • Your website 
  • Your website’s privacy policy (a legal requirement) 
  • Promotions or competitions run on social media or website

Customer database / email list 

We’d suggest starting with a database clean to ensure you’re on the right track - making sure to carry this out at least every six months to a year. This includes: 

  • Removing unsubscribed customers from your database
  • Cleaning out duplicate addresses 
  • Removing bounced contacts 
  • Removing ‘spammy’ email addresses like ‘info@’ 

You might also want to segment your database so that you can send out more effective email campaigns. You can do this in whichever way benefits your business - by interest or location for example. If you’re starting out with segmentation or trying to re-engage contacts, we’d recommend segmenting customers by their activity level to keep track of their customer journey and campaign success. 
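The clean-up steps listed above and the activity-level segmentation, worked through as an added example (not code from the original article). It assumes a contact export with email, opt-in status, bounce flag and last-activity date; the sample records are constructed, and the role-address list beyond ‘info@’ and the 90-day warm/cool cut-off are assumptions to adjust for your own list.

```python
from datetime import date

# Role-based local parts treated as "spammy"; only "info" comes from the article,
# the rest of this set is an assumption to adjust for your own list.
ROLE_LOCAL_PARTS = {"info", "sales", "admin", "noreply", "no-reply"}

# Constructed sample export (not real members), shaped like a typical email-tool CSV.
SAMPLE_CONTACTS = [
    {"email": "Anna@example.com", "subscribed": True, "bounced": False, "last_active": date(2024, 5, 1)},
    {"email": " anna@example.com", "subscribed": True, "bounced": False, "last_active": date(2024, 1, 10)},
    {"email": "bob@example.com", "subscribed": False, "bounced": False, "last_active": date(2024, 4, 2)},
    {"email": "info@gym.example", "subscribed": True, "bounced": False, "last_active": date(2024, 4, 2)},
    {"email": "carl@example.com", "subscribed": True, "bounced": True, "last_active": date(2023, 11, 5)},
    {"email": "dee@example.com", "subscribed": True, "bounced": False, "last_active": date(2023, 9, 1)},
]

def normalise(email):
    """Lower-case and trim so 'Anna@x' and ' anna@x' count as the same person."""
    return email.strip().lower()

def clean_contacts(contacts):
    """Return (kept, removed); removed is a list of (email, reason) pairs for your records."""
    # An opt-out on any record wins over a still-subscribed duplicate of the same address.
    opted_out = {normalise(c["email"]) for c in contacts if not c["subscribed"]}
    kept, removed, seen = [], [], set()
    # Most recent activity first, so the surviving copy of a duplicate is the freshest.
    for c in sorted(contacts, key=lambda c: c["last_active"], reverse=True):
        email = normalise(c["email"])
        if email in opted_out:
            removed.append((email, "unsubscribed"))
        elif c["bounced"]:
            removed.append((email, "bounced"))
        elif email.split("@", 1)[0] in ROLE_LOCAL_PARTS:
            removed.append((email, "role address"))
        elif email in seen:
            removed.append((email, "duplicate"))
        else:
            seen.add(email)
            kept.append({**c, "email": email})
    return kept, removed

def segment_by_activity(kept, today, warm_days=90):
    """Split cleaned contacts into warm and cool; the 90-day cut-off is an assumption."""
    warm = [c for c in kept if (today - c["last_active"]).days <= warm_days]
    cool = [c for c in kept if (today - c["last_active"]).days > warm_days]
    return warm, cool
```

Keep the `removed` list with its reasons: it is your record that unsubscribed and bounced contacts were actually deleted rather than just hidden.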

If it’s been a long time since you cleaned a list and you’re not sure who is a warm contact, send out a re-engagement email asking them what news they’d like to opt-in to. This might even re-engage some conversations you’ve been meaning to pick up! 

For email campaigns, you always need to include an unsubscribe option, which most email software builds in as standard nowadays. 

Your website

On your website, ensure opt-ins are included anywhere you collect data and maybe even ask customers what kind of information they would like to see from you, whether that be marketing information, offers, products, or top tips. 

Make sure that you’re only collecting the data that you need from customers - remember, one of the seven principles of GDPR is data minimisation - and be clear about why the customer is giving you their information. 

Privacy policy 

Communicate your data protection compliance in your privacy policy and make it known whenever you’re promoting your marketing material how you handle data. 

If you have multiple employees across the business, provide them with up-to-date training and information on how to handle data. It’s also a good idea to review who has access to documents containing sensitive or personal information. 

Promotions or competitions 

Running competitions or promotions is a great way to engage customers and gain sign-ups for your email list. But you don’t want to be caught out by GDPR here. 

Make it clear what information you’re collecting and why. If you plan to contact them in the future, ask them to opt in to updates. 

What are the benefits of being GDPR compliant? 

First of all, being transparent and honest with customers or clients showcases that you care about their safety and privacy. Customers will be aware of how their data is being used and have a level of trust - and you don’t need us to tell you that clients’ trust is crucial for building a business!

For example, if a customer has opted in to receive news on new products or services, they’re less likely to be annoyed about receiving marketing emails and more likely to engage with them. 

Database management improves your marketing impact over time. When you send emails to lists of inactive customers, you’re actually harming your sender reputation and more than likely landing in people’s spam folders. 

We recommend creating segmented lists of customers, including warm and cool contacts, so you can get the best results from your campaigns and be GDPR compliant. You need to clean your lists of unsubscribed contacts (usually email software does this for you, but it’s always worth double-checking) and ensure you’re not holding this data unnecessarily. 

Last but not least, a major benefit of being GDPR compliant is simply not getting fined. Companies and individuals can face a fine if they are found to be in breach of data protection. In the UK, the maximum fine is £17.5 million, or 4 percent of annual global turnover, whichever is greater. While you may think “it won’t happen to me” - prevention is better than neglect. 

If you have any questions on managing your data or putting GDPR practices in place, reach out to us for a free, no-obligation call over at Our team will be happy to help!
