The GDPR (General Data Protection Regulation) is one of those unusual legal beasts that everyone is aware of, scared of and uses, often without a true understanding of what it is and does.
GDPR definitions.
personal data.
GDPR regulates the way that businesses handle personal data.
“Personal data” is the term used to describe any piece of information that can be used to identify somebody. This could be your name, email address, postcode, age, or gender… along with lots of other things.
This is often where people go wrong with GDPR. It doesn’t cover all data. As a professional coach, you will have access to personal data. You will know your coachee’s name and have their email address, phone number, as well as knowing their gender and possibly also their age. You will also have access to confidential information. Most of what will be shared with you in a coaching session will be confidential. This information needs to be handled sensitively, with care, under the terms of your contractual arrangements with your coachee, BUT it is not covered by GDPR.
data subject.
A data subject is the person that the data refers to or originates from. As a professional coach, the data subject is likely going to be the coachee.
data controller.
A data controller is a person, company, or other body that determines the purpose and means of personal data processing. This can be determined alone, or jointly with another. You are likely to be the data controller for the information you hold on your coachees.
data processor.
A data processor is the person, company, or body that carries out operations on the data.
controllers and processors – an example.
For example, if you collect data from your coachees and send it to another company that uses that data for something, you are the controller and they are the processor.
If a social media company collects your data and then sends it to a company that analyse your data and uses it to target you with adverts, the social media company is the controller and the receiving company is the processor.
four top tips for GDPR.
Just because you are a small coaching business, or operating as a sole trader, doesn’t mean that you can ignore GDPR. There are some minimum steps that you should do to make sure that you don’t fall foul of the legislation.
- Conduct a GDPR audit. Think about what personal data you hold and what you do with it.
- Where you are working for corporates, they will expect that you have a Privacy Policy in place. They will be sharing personal data with you (the names and contact details of the employees that are to be coached). The policy can be housed on your website and you can refer your corporate clients there in your terms and conditions.
- Terms and conditions. Your terms and conditions should reference the GDPR.
- Your processes. A lot of the GDPR is common sense. What data do you have and where are you storing it? Are you storing it because you need it or just in case? How are you protecting it?
key GDPR pitfalls.
Here are some things that you should definitely not be doing with the personal data you have:
- Sharing it without good reason/permission
- Storing it somewhere without protection (think passwords and how easily accessible is it. Could it fall into the wrong hands?)
- Selling it on to third parties
- Retain data for an indefinite period
- Retain data after receiving a deletion request
… the list goes on!
what we can help you with.
At Lawbox Design we are more than comfortable with helping our clients to navigate the tricky areas of GDPR, we can:
- Conduct an audit checklist – a GDPR healthcheck if you will.
- Advise you on data protection addendums or clauses to include in your t’s and c’s.
- Offer assistance with developing your privacy and cookie policies.
If you’d like to find out more about how we can help you then get in touch.