10 Easy GDPR Tips for UK Coaches, Trainers, and Consultants
As you know, I specialise in jargon-free GDPR and I now concentrate on helping UK coaches, trainers, and consultants find their way. I’d be lying if I said the rules for my audience are hugely different from those everyone else has to follow. What I do maintain is that a solo practitioner can meet their GDPR responsibilities without spending large amounts of money or radically changing the way they work.
Most coaches, trainers, and consultants I speak with are unsure how to put systems in place to meet their GDPR responsibilities, and many don’t know what they should be considering in the first place. So I thought I would pass on a few “secrets” that I share with my clients. They aren’t really secrets, but in my experience they are not well known by the people I help. My clients will recognise some of my favourite guidance in this article, and there are some easy things you can do even if you aren’t confident of the what, how, or why.
Does GDPR apply to your business?
This is ground zero and an easy question to answer: if your business is based in the UK and you have clients, customers, subscribers, members, employees, freelancers, contractors, or suppliers who are living people, it does. Their personal data (names, contact details, payment details) will be in your database, your financial records, and your contracts at the very least. Note that the UK GDPR applies to your UK business whichever country those people live in, and the EU GDPR applies as well if you offer your services to people in the EU.
1. Understand that GDPR matters to your business
The first one may surprise you, because you’re reading this, but many coaches, trainers, and consultants don’t think GDPR is a major concern for them or their business at all. My response is simply that, for all of us, people are our business and our main concern, which means their personal data and its protection is at the heart of how we run our businesses. Make it part of your brand.
2. Get your public-facing documents into shape – everyone can see them
It’s more than everyone: it’s the people you most care about who will take the time to read them. Your Privacy Notice and your consent request statements must be your primary concern, because they are your opening gambit as well as a legal obligation, and they must be clear, accurate, and easily understood by your target audience. Use plain English and break explanations into bite-sized chunks. When it comes to consent request statements, keep it to one tick box for each option (never combine options, and never pre-tick a box) so that your people have a real choice.
3. Know what and how personal data moves through your business
You must know what personal data your business handles, where it comes from, where it is stored, and who it is shared with, or there is no way you can control or protect it in reality, let alone demonstrate that you do. You need a written record of this because, again, how can you demonstrate what you know without some proof?
4. Keep the data you process to an absolute minimum
This is easy to remember in two steps. First, collect only what you need for the purpose: for an email newsletter, a name and email address are enough, but once someone becomes a paying client you will need more than that (such as billing details). Secondly, keep it only for as long as necessary, and delete or destroy it as soon as it has fulfilled its purpose.
5. Get your settings and usage right on the platforms you use
- Email – use a double opt-in to give your people a choice that benefits them and you, because open rates are better where this option has been used. Always include the choice to unsubscribe, and make it easy to do.
- Facebook Groups – if you want to offer a subscription to your email newsletter, get proper consent and include the link to your Privacy Notice where people sign up.
- LinkedIn – don’t add contacts to your email list without proper consent (the same applies to all social media platforms). You can message them via LinkedIn messaging, because that is the purpose of the platform and would not be considered an unusual use of it (even though it may irritate some members).
- Messenger apps – you must have consent to send marketing messages, or you are not compliant with the Privacy and Electronic Communications Regulations (PECR).
- In-person events – the same as with social media platforms: just because someone gave you their business card, it doesn’t mean you can add them to your email list.
6. Keep the data safe at all times
- Cyber & physical security – technical security measures include strong passwords, biometric access (this always makes me think of spy movies where eyeballs or fingers get separated from their owners…), two-factor authentication (2FA), using a VPN on public Wi-Fi, firewalls, anti-virus, and encryption of your devices and backups. Physical security includes locked filing cabinets and offices, alarm systems, privacy screens on your devices, policies for you and your team, and so on.
- Check out your suppliers (email platform, cloud storage, booking and payment tools) to make sure they meet the standards you promise your clients.
- Keep track of whether your email address has appeared in a known data breach, for example by activating that option in your anti-virus, by signing up for Mozilla’s Firefox Monitor or a similar alert service, or by checking it directly on https://www.haveibeenpwned.com/
- Use a password manager – spare your memory from having to create and remember a different complex password for every site and account.
7. If you handle personal data in your business, register with the ICO
If you haven’t already done so, go ahead. The annual fee costs less than a tenth of the fine you will receive if you don’t pay it and the ICO catches you in one of its small business sweeps. If you want to double-check whether you need to register, complete the ICO’s online interactive questionnaire. By the way, the fine for not registering when you should have done is £400 at the date of writing this article.
8. Make sure you and your team are appropriately trained (regularly)
The requirement for training and awareness is specified in the GDPR. You and your team should have at least annual training on the basics, plus any industry-specific training to match the needs of your business. There is now a specific question on the ICO’s breach reporting form (added in March 2022) asking when the last training took place and what it covered. Be sure to keep a record of what training took place, and when, for you and each member of your team. Microsoft has a free Training Record Excel template you could use for this.
9. Write things down!
Saying you do something without proof is useless. If something goes wrong, such as a complaint being made about your business, an investigation by the ICO, or a data breach, an unwritten practice won’t protect you or your business. Keep written records of your decision-making, the policies you follow in your business, the names and details of consents given, and so on.
10. Get help if you need it
The ostrich approach just won’t help at all. If you feel you only need a small amount of help, there are lots of free resources on the internet. Just pay attention to the source of each document to make sure it is written for the UK business market and matches your business type and style.
Here are some of the ways I can help you:
- I’ve got some giveaways you can help yourself to. They change from time to time, so it’s worth popping in for a quick look now and again!
- Here’s my contribution to your awareness efforts: my (usually) monthly Small Business Update will key you in on the important news relating to GDPR, including electronic marketing and social media regulations, and easy cyber safety awareness. Short, sweet, and targeted for coaches, trainers and consultants to save you time and stress.
- Don’t forget my Free Monthly Workshop at 11 am on the first Wednesday of every month.
If you need more specific help for you and your business, I have a range of 1-2-1 services as well as templates for your Privacy Notice and, if you want a framework for recording the data you process, a template kit for that too. I am currently writing a GDPR course that combines my DIY video tutorials, templates, and materials to use at your own pace with implementation support, training, and ongoing answers for you and your business, to put you in the driving seat and keep you and your business safe with an expert by your side.