The Basics of the UK GDPR – Coaches, trainers, and consultants have some specific GDPR-related responsibilities…
The basics of the UK GDPR do include fundamentals for all businesses but do coaches, trainers, and consultants have some specific responsibilities? Well, yes, but surprisingly these responsibilities are BUSINESS-specific because they relate to your type of business and how you choose to run it. Regardless of that (I’ll make it the subject of another article), I want to take you through some of the regulatory fundamentals you have to know (about).
You need to know about your obligations to know what you have to deliver to your clients and others who trust you to deal with their personal data. How you do it is where the business specifics come in.
Why do you need to have GDPR built in?
The UK GDPR talks about having “data protection by design and by default” i.e., privacy by design. That is ideal but definitely not the norm. For most small coaching, training, and consultancy business owners, GDPR still isn’t part of their business at all and that’s after 4 years of it being law.
What if you don’t do anything, ever?
There are potentially crippling consequences for you and your business if you ignore or neglect your GDPR and data protection responsibilities and I’m not talking about the fines for non-compliance, which could wipe out your business.
So far, most of the financial penalties issued by the ICO have been for breaches of the Privacy and Electronic Communications Regulation (PECR). In simple terms, that means bad marketing practices such as spamming. All of these infractions involved the misuse of personal data – the GDPR-related safeguards that you build into your business will pay dividends by protecting your brand, credibility and integrity.
What priorities can you work on right now?
Knowing that the UK GDPR applies to you and your business and wanting to do something about meeting your responsibilities or improving where you are now is the true starting point. You’re already ahead of the game if this is you.
The ideal would be to build in data protection from the very beginning but, with the best will in the world, most small businesses do not do that. Therefore, you are going to be playing catch-up, to begin with, but then, after you’ve got your ways of doing things to include GDPR, you won’t have to spend lots of time on it to stay on top.
What does the UK GDPR apply to?
Any organisation within the UK that processes personal data or any organisation outside of the UK that processes the personal data of UK residents.
Processing is anything you do with the data, including deleting or destroying it whether by accident or deliberately.
Personal data is a piece of information, several pieces of information, or a context that positively identifies a living individual. Digital information such as IP addresses and visual data such as photographs are all covered.
You can see why it’s unlikely you won’t be either a Data Controller, a Data Processor or both.
Your first action should be (if you haven’t already done this!)
The UK Supervisory Authority for information matters, including data protection/GDPR, etc, is the Information Commissioner’s Office. That’s where your clients and customers can make a complaint about how you handle their personal data.
You start by making sure you’ve registered with the ICO as a Data Controller and/or a Data Processor. There’s an interactive questionnaire you can take if you aren’t convinced you should register.
Checking up on your UK-based suppliers involves looking at the ICO register, and you should be quoting your Registration number on your Privacy Notice.
You need some basic training to understand what the UK GDPR says – the fundamentals of the framework. This is a requirement of the legislation but more importantly, it will help you to get your ducks in a row as far as where to concentrate your efforts. You also need to repeat this training at regular intervals.
You need to know about:
The Principles of GDPR
There are 7 Principles of GDPR, and the first thing I’m going to look at in the context of this article is part of the first Principle. You are required to process personal data lawfully, fairly, and transparently. It’s the “transparently” part we’ll look at. It means ensuring you inform the owners of the data why you are collecting their data and what you will do with it. Then do what you say.
This is why your public documents and statements are so important – they need to be accurate and easy to understand. The most obvious of these is your Privacy Notice and any statements relating to consent.
Bear in mind these are what your customers/clients will see and, if they aren’t clear, you will be misleading your clients, which could lead to problems later down the line (and not just data protection-related problems).
Your Privacy Notice is the biggie here! There are specific content requirements in the legislation that have to be included in all versions. The ICO has the information on its website if you want to take a look at their guidance. You can either have different versions for each purpose, e.g., one for in-person sessions and another for online, or a combined version that uses headings (for example) to show which applies to what. You can also offer the information in a style that suits you and your brand. Twitter has just recently released their Privacy notice information in the form of an old-fashioned platform game. You can make yours match your market. It has to be understandable for YOUR people!
The 2nd Principle I’m going to very briefly touch on, which is actually the 6th as they are listed in the Regulations, is the one of Confidentiality and Integrity – the practical side of this for us is security – both physical and digital. Simply defined it would be, for example, keeping any paperwork safely locked away, securing your electronic devices physically, and access to them (physically and digitally), using firewalls, a good anti-virus, encryption, strong passwords, MFA, access by roles (if you have a team) and so forth.
Bottom line: you are the Data Controller and Accountable for everything that happens to any personal data you do anything with in your business!
NUTSHELL: The less data you process the lower your risk, therefore, only collect what is truly necessary, keep it safe at all times, and only keep it for the time you need it.
To process personal data, you must have a Lawful Basis (First principle) – there are 6 you can choose from, and you shouldn’t change once you’ve decided (especially not when it comes to consent).
I’m going to quickly look at consent today because there is a misconception that it’s the best and only option. It’s not!
For example, if you use consent as your lawful basis when you are taking group photographs of an event that you will use in your publicity material or on your website:
You need everyone’s consent in writing, agreeing on how it can be used. Bear in mind that you can’t guarantee that their image will be removed completely from the internet, for example.
When one of the participants withdraws their consent, you will either have to have the photographs edited or just not use them from that point (redo your website). You have no option.
Your decision will be based on specific circumstances in most cases, although in some situations you don’t have a choice, for example when it comes to Legal Obligation relating to tax records.
The Rights of the Individual
There are 8 Rights specifically mentioned in the UK GDPR but not all of them will apply to your business. The ones that you are most likely to be required to deliver (and to know how to deliver) are:
- The right to be informed – remember the 1st Principle and the part I mentioned – transparency? This is the flip side of that, i.e., make sure people know what you do with their data. The most important document is your Privacy Notice; then get your consent statements right.
- The right of access – The people whose data you process (Data Subjects) have the right to have the details of their personal data you hold. They can ask for the information and you have a calendar month to provide it in a format they can open. This request mechanism is called a Data Subject Access Request. You are required to confirm the identity of the individual before sending the data but it doesn’t mean you are required to send them a copy of every email thread you have between your business and them, for example.
- The right to rectification. This means the data owners have the right to correct any of their personal data that you hold. You have the responsibility of ensuring that the data that you hold is accurate. This is the data subject side of the principle of Accuracy that applies to the Data Controller.
- The right to erasure, or as it’s commonly known, the right to be forgotten. You need to have a process in your business to fulfil such a request. And remember, it doesn’t apply to data that is held because of a legal obligation, for example – then the data can’t be erased at the data subject’s request.
Other important matters to work on over time
You’re not going to get everything done that you need to in a matter of hours. The crucial step to take is to plan what to do. You do need to know what data you hold and where it moves and is stored. This is how you can get a grip on your business and not only do your best to protect yourself and it but to do right by your clients and all those who feed into your business and whose data you process.
Having a record of this stands you in good stead for dealing with all of your data protection responsibilities.
And what about regular training?
You need an annual (or more often) training course with evidence of completion that’s required to prove you’re taking action. The Basics of the UK GDPR online course will take you around 1.5 hours to complete and you have access for 12 months after you’ve bought it. It’s all online with video tutorials, transcriptions, additional reference notes, quizzes, and a final quiz (to pass). There’s a certificate provided for your records. You can take it as many times as you want, and you can use it as a reference resource too. Updates are included. I’m going to be releasing the Basics of the UK GDPR course in the next month and I have a waiting list set up for it. Anyone who joins will get an early bird discount code to get 20% off the price.