There’s no doubt you’ve heard of GDPR by now - the General Data Protection Regulation. It replaces the Data Protection Directive (the Data Protection Act) in order to strengthen people’s rights to data privacy and will come into effect on May 25th 2018.
This article does not constitute legal advice. Its contents are based on our own research, information received during a workshop with a commercial lawyer, conversations with the Information Commissioner’s Office as well as distilling some of the information available on ico.org.uk.
We’ve had dozens of emails and phone calls from our dance school customers about the GDPR and clearly there is a lot of confusion about the impact the GDPR will have on their businesses.
In this article I will outline our take on how the GDPR will impact small businesses and dance schools in particular (spoiler alert: it’s not as serious as you may think), what membermeister is doing to help you become GDPR compliant and what other steps you may have to consider in order to avoid getting onto the wrong side of this new regulation.
The role of the Information Commissioner’s Office
In the UK it is the Information Commissioner’s Office (ICO) that upholds information rights in the public interest. They cover legislation such as, amongst other things, The Data Protection Act, The Freedom of Information Act as well as the upcoming GDPR.
Data processors and data controllers
The ICO also takes care of registering so-called data processors. These are organisations that process personal information as required by the Data Protection Act 1998, unless they are exempt. Membermeister is registered as a data processor because we handle, store and process data on behalf of our customers. Membermeister’s ICO registration can be found here and it contains details on what data we process and why.
Then there’s the concept of data controllers. Data controllers are those who decide what happens with someone’s personal data. In the example of a dance school customer that is using membermeister for their dance school admin tasks, the dance school (or a person appointed by them) is the data controller, membermeister being the data processor.
Both controller and processor have certain roles, tasks and obligations they need to fulfil.
Besides being a processor, membermeister is also a data controller, as we handle details of our own customers directly for our own purposes such as invoicing, keeping track of new enquiries and handling our own email lists.
Take a common sense approach to handling personal data
Rather than getting worried about GDPR you can treat it as an opportunity to re-engage with your customers and ensure that the data that you hold is relevant, up to date and necessary.
Here are some examples.
- Store only what is necessary
While personal data is treated as an asset by many large organisations - see the recent scandal around Facebook and Cambridge Analytica - this is not the case for most small businesses with a (shall we call it old fashioned and honest?) business model. Clearly as a dance school it is necessary that you process personal data, however you should ask yourself how much of it you really need. Don’t store unnecessary information about individuals and treat the data you do store as a liability, not as an asset.
- Clean up and delete what you don’t need
Of course it is great to re-engage a student that has left your school or to market your dance lessons to a new audience, but if that person has not shown any interest in the last however many years then do you really need to hold onto their home address and next of kin when all you are doing is sending an occasional email? You probably don’t.
- Tell people why and how you store their data
Great customer service is a fantastic marketing tool - just be open and honest with your customers. While the GDPR puts obligations on you to update your privacy notice and to inform people how and where you store their details and what you do with it this also makes a lot of sense from a business point of view. Wouldn’t you much rather deal with a company that’s open and honest than with one that hides behind small print?
- Gather explicit consent for sensitive details
Some data is more sensitive than say someone’s phone number. You may need to store details about ethnicity, health or medical details (dance schools often need this) as well as details of third parties such as emergency contact details. Specific advice on this is available from the ICO but broadly speaking we recommend that you obtain specific consent before you process what is classed as sensitive data.
How to become GDPR compliant
Here’s a surprising fact: nobody can currently certify your compliance with GDPR. So how do you become compliant? How do you know you’re compliant?
While you won’t be able to get a ‘Certificate of GDPR compliance’ from anyone right now (beware of scammers that pretend they can do this), this actually presents an opportunity for you to carry out the necessary actions to ‘be ready’ - after all, a lack of GDPR certification also means that it is tricky (although admittedly somewhat easier) to claim that someone is not compliant.
Let’s face it, the Information Commissioner is unlikely to come knocking on the door of a dance school, let alone go around fining them. Quite the opposite, the ICO is taking a very sensitive approach and would much rather advise you on best practices than to make your life difficult. They’ll be using the carrot and not the stick - just remember they do have a stick though!
But wouldn’t it be handy to be able to demonstrate that you are GDPR aware, have prepared for it and are compliant to the best of your knowledge? There are many businesses that are ignoring the GDPR, be it out of complacency or maybe due to a lack of knowledge, and this makes it even easier to position yourself above the competition and use your awareness about GDPR as a competitive advantage.
Moreover your customers may rightfully ask what information you hold about them, how you store it and what you do with it. Having your answers ready can save you a lot of time and potential hassle in the long run.
Using a service like membermeister doesn’t in itself make you GDPR compliant - no software does - but it will help you on your way and cover at least some aspects of GDPR.
Consider for example having an up to date IT and data security policy. It is convenient to have a modern system at your disposal that takes at least some of the GDPR burdens off your plate.
But besides IT and data security, here are some tasks that we recommend you carry out and more importantly document so that you have an evidence trail of what you have done and when.
- Become aware of the GDPR - ✅ you’re reading this article which is a great start!
- Keep an evidence trail: create a folder somewhere on your computer, ideally amongst your business related files, name it GDPR and start gathering materials. Save anything GDPR related into this folder. You can start by putting the following documents in it and don’t forget to read them:
  - Preparing for the GDPR
  - Children and the GDPR (draft guidance)
  - 12 point GDPR checklist
  - GoCardless and GDPR (interesting if you’re using GoCardless with membermeister)
  - a PDF version of the very article you’re reading right now
- Map your data: write a simple document that details what data you are storing, how you are storing it and why. Do you clean up or delete data regularly? If so then document it.
- Do you require consent (more on this below)? If so what consent was given and when? Document it.
- Do you work with 3rd party processors such as membermeister? If so ask them the question about their GDPR compliance and record the response. An email reply is usually sufficient.
The ICO does not expect you to visit your suppliers one by one and check up on their processes, so you have to rely on their word. The key is to record the response and have evidence that you have done your bit. If you receive unsatisfactory answers that leave you with reasons for concern then maybe it is time to reconsider working with that particular 3rd party supplier.
What is your lawful basis for data processing?
There are several ways of being legally above board when it comes to handling personal data under the GDPR. Broadly speaking you can do so if there is a contractual basis, you have explicit consent or another ‘legitimate reason’.
The ‘legitimate reason’ is a difficult one to handle and we will not cover it here. There are also a few other, more obscure edge cases which are outside the scope of this article, so we will focus on the two most common bases.
You should decide what your lawful basis is for handling personal details, and your best and most straightforward option is a contractual basis. As a dance school you have a services contract with your students (even if it is verbal) or their appointed guardians. As such you do not normally need their consent to email them, send them invoices and so on. Of course you still need to delete or anonymise their details if asked to do so unless other legal obligations (VAT, record keeping etc) prevent you.
To be clear, the GDPR does not take precedence over other lawful reasons or requirements to process data, in fact there are many reasons why the GDPR may not apply. HMRC for example will not be happy if you cannot show who a certain invoice was made out to, especially if you are VAT registered. Such records must be kept for several years and the GDPR doesn't simply overrule other applicable legislation.
Of course it is perfectly fine to split your data up into several groups and you may have one group for which a contractual basis applies (such as customers and ex-customers) and you may have another group where consent is needed (such as those who only enquired about your services). In other cases you may need to send one piece of information using a contractual basis and use consent for another. It can be tricky to get this right but once again you are covering yourself to an almost full extent by being aware of the concept of a lawful basis and evaluating it for your business.
Again, make sure you document your thought process and date the document. It can serve as the evidence you need if someone asks.
Remember though that it is a myth that you need to ask each and every person for their explicit written consent in order to process their details. For example if I give you my business card then I am giving you implicit consent for you to store my details and to contact me.
Comply with the spirit of the GDPR
As a small business you’re unlikely to have your own legal counsel that you can consult on GDPR matters. So what can be reasonably expected from you?
I would argue that doing your part to comply with the spirit of the GDPR rather than the exact letter (all 250 pages!) of it will get you a long way and should keep you out of trouble.
Let’s face it, will an additional check box on some web form really help customers to take back control of their data? What will help though is that more businesses become aware that processing and storing personal data can be a liability and that they will treat it with the respect it deserves, delete personal data when asked (and where possible) and more generally be a reliable and trustworthy partner to their customers.
Looking over the hundreds of dance schools, performing arts schools, music schools, language schools, gymnastics clubs, yoga and pilates teachers as well as the ones I have inevitably missed in this list, I cannot think of a single one that isn’t already doing this.
And there lies a big clue. This new legislation was arguably not designed to target the small businesses that go about their day to day activities in a legitimate way but rather large scale data harvesting, companies that treat personal data with contempt or see it as an asset to be financially exploited. This of course doesn’t mean that small businesses can ignore the GDPR, far from it, but in our opinion there is very little that small businesses which are GDPR-aware and are doing their part to adhere to its spirit have to worry about.
No doubt there will be a version 2 of the GDPR before too long where many of the flaws and oversights, edge cases and misinterpretations will be ironed out - and we all get to update our policies once more :-)
At membermeister we will keep a close eye on the GDPR and will be rolling out new features to increase compliance with it throughout our product.
You can email us on [email protected] with your feedback or questions.