GDPR for Yoga Teachers
Disclaimer: these guidelines are for information purposes only relating to GDPR and are not intended as specific legal advice. If you require any legal advice, please consult with a professional legal expert.
When you’re a yoga teacher there are usually so many different hats you have to wear - teacher, marketeer - so it can feel a bit intimidating to add ‘data processor’ to the list! If you’ve heard of GDPR but don’t know what it means for you, take a look at my quick guide.
GDPR stands for General Data Protection Regulation and it’s here to ensure that we protect, respect and value people’s personal data. It is also an opportunity to put the intentions of having an ethical and mindful business into practice.
GDPR applies to all businesses, from 1 to 10,000+ employees, and will apply to you as a yoga teacher as you’ll likely be handling students’, clients’ or suppliers’ personal data. Yoga teachers are classed as ‘data controllers’ under the GDPR.
GDPR doesn’t just apply to electronically held data, it also applies to anything held on paper, so you need to think about safeguards for both - i.e. a locked cabinet where you might store client notes, and password-protected files on your computer.
It looks a bit intimidating, but as long as you are genuinely respecting people’s data by getting consent to use it, storing it safely and not keeping it for longer than you need, you’ll likely be compliant with GDPR.
Where does the law come from?
From 25th May 2018, GDPR replaced the Data Protection Act 1998 with the intention of protecting people’s personal data and how it’s used, and giving people more control over their own data.
Whom does this law apply to?
This law applies to any businesses holding data of EU citizens - not just EU businesses. For example, if you’re teaching from Bali to students in the UK or Spain you would still need to follow these data protection guidelines. Regardless of where you’re based and whom you’re teaching, it’s good to follow these data protection guidelines, which value and respect people’s personal data, as part of having an ethical or mindful business.
What is classed as ‘personal data’?
Any personal information such as names, addresses, email addresses, client notes, photographs and phone numbers. The ICO definition of personal data is below:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
What is classed as ‘processing data’?
As a ‘data processor’ you’ll be processing personal data that includes (but isn’t limited to) holding, obtaining, recording and using information and personal data.
Post-Brexit
The UK government has been clear that when it leaves the EU it will not unravel the GDPR and any new laws will mirror this.
So what do I have to do?
There isn’t a ‘one size fits all’ method for making sure you’re compliant with GDPR as everyone will likely hold and use personal data differently.
What’s important is accountability and consideration, and that you’ve written down and thoroughly thought through your own processes for collecting, storing and removing personal data. This can be a few sentences or paragraphs on your procedures and policies for how you collect, store, use and share data, and how long you keep it for. Make these policies available for students or clients to read, such as in a privacy policy or terms and conditions on your website.
The best thing to do is to go through the ICO guide for small business owners and sole traders here, and follow any guidance they feed back to you: https://ico.org.uk/for-organisations/business/assessment-for-small-business-owners-and-sole-traders/
General Steps to Take
Identify and document what data you hold:
e.g. Name, address, e-mail address, telephone number, emergency contact details, medical information, photographs etc.
Decide what information you should keep:
e.g. Data of students from many years ago may now be outdated.
Check you’re securely storing data:
e.g. If stored electronically, is your laptop/PC/other device secure (e.g. password-protected files)? If stored in paper files, who has access to that data? Is it stored in a locked drawer or cupboard?
Write your privacy notices:
e.g. Do you have a website/social media page? Include a statement to let your students know how you use the information they share with you; be honest and transparent. Tell them how they can opt out of receiving correspondence, e.g. unsubscribing from newsletters.
Do you have forms for your students to complete?
Include a sentence on these to state your intent of using their data, e.g. the information you supply will only be used for the purpose of contacting you regarding classes held by (name of your organisation).
Your terms and conditions form a lawful contract and prove a legitimate interest
E.g. a new student signs up for a ten-week block of classes at your centre. If you need to cancel a class, using their personal details to contact them to let them know is accepted as a legitimate interest.
Photographs
Individuals have the right to deny consent to the use of any photograph where they may be identified. If you would like to take photographs:
Be clear about when photographs are going to be taken and
where they are going to be used (i.e. on social media for marketing purposes)
Give options before taking photographs for the student to opt out
As a side note: if you’re spending money on a photoshoot, make sure all of the participants sign a ‘Model Release Form’. A model release form states that the model gives the photographer consent to use their likeness for commercial purposes. You can find templates of these online.
Do you need to share personal data with a third party (anyone who isn’t you)?
If so, you will need to get explicit permission before doing so.
Sharing data also extends to informal sharing; you must not pass personal data to anyone, including other students in the class, without explicit permission. This means no sharing of e-mail addresses, telephone numbers and addresses.
On a practical note: if you are emailing information to a mailing list of students, always use BCC and not CC so as to avoid sharing personal email addresses with the other students. This is an easy mistake to make so please be careful when sending group e-mails!
Abbie Harris specialises in marketing & business for the holistic and wellness sector. See more of her work here.