What Coaches need to know about Data Protection
What is GDPR?
General Data Protection Regulation (GDPR) is the European Unions data protection law that came into effect in May 2018 to safeguard personal data in all EU member states. In the UK, the Data Protection Act 2018 was updated following GDPR in 2018.
The main principles of GDPR and the Data Protection Act are:
- Fair, lawful, and transparent processing
- Purpose limitation
- Data minimization
- Storage limitation/ Data retention periods
- Data security
If you would like to learn more about data protection as a coach you can watch our webinar with our Delenta Insider, Coach and Data Protection Officer, Lisa Tyler and visit the ICO website.
Purpose limitation is a requirement that personal data be collected for specific, explicit and legitimate purposes. You must clearly state the purpose and only keep data for as long as necessary to complete that purpose, it must not be used for a new, incompatible purpose.
Data minimisation requires that personal data be adequate, relevant and limited to what is necessary, concerning the purposes it is being processed.
Data must be accurate and where necessary, kept up to date. Steps must be taken to erase or rectify data that is inaccurate or incomplete. Individuals also have the right to request that any inaccurate or incomplete data be erased or rectified within 30 days.
Personal data must not be kept for longer than needed. Although GDPR does not give a set or specific time limit for keeping data, you must ensure you do no keep data past your specified purposes. Ensuring that you erase or anonymise personal data when no longer needed reduces the risk that it becomes irrelevant, excessive, inaccurate or out of date.
The data security principle, which covers integrity and confidentiality means that you must ensure that you have appropriate security measures in place to protect the personal data you hold. It also requires you to consider things like risk analysis, organisational policies, and physical and technical measures.
The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to demonstrate your compliance.
How does GDPR apply to coaching?
Coaches need to have a good understanding of GDPR as they must ensure that they are handling others personal data appropriately. Individuals must have a valid, lawful basis to process personal data. Personal data refers to any information that can be used to identify a particular living individual, this includes name, address, date of birth and financial information. You may also wish to collect other information including someone’s physical or mental health, race or ethnic origin, this is classed as special category data and requires an extra level of security. Your lawful basis must be determined before you begin processing data and you should also document it.
The lawful bases include:
- Consent - The individual has given clear consent for their personal data to be processed for a specific purpose
- Contract - processing is necessary for a contract your have with the individual
- Legal obligation - it is necessary for you to comply with the law
- Vital interests
- Public task
- Legitimate interests
GDPR is for protecting the rights of the individual. Data subjects have the right to be informed, the right to access, the right to rectification, erasure, restrict processing, data portability and the right to object. They also have rights concerning automated decision making and profiling. As a lot of coaches work with clients from all over the world it is important to understand data protection laws and guidelines and to be compliant.
Coaches need to understand their role concerning the personal data they are processing. This is crucial in ensuring compliance with GDPR and the rights. Obligations vary depending on the role for example whether a coach is a data controller or data processor. Understanding your obligations and responsibilities is important as individuals can bring claims for compensation and damages.
As a coach, you should take time to access, document all the personal data and processing activities you carry out as part of your business. Whether you are a data controller or data processor comes down to what happens to the data and who makes the decisions on what happens to the data.
A data controller is a person who, alone or with others, determines the purposes and means of the processing of personal data.
A data processor is a person who processes data on behalf of the controller.
Data controllers have the highest level of compliance responsibility. As a controller, you must comply with, and demonstrate compliance with, all the data protection principles and are also responsible for the compliance of your processor. Unless exempt, data controllers in the UK must pay the data protection fee.
Privacy and Electronic Communications Regulations - what is it?
Privacy and Electronic Communications Regulations (PECR) sits alongside GDPR and the Data Protection Act, giving individuals specific privacy rights concerning electronic communications.
There are rules regarding:
- Marketing calls, emails and texts
- Cookies and similar technologies that track information about those accessing a website or electronic service
- Security of communications services
- Customer privacy (traffic and location data, directory listings, itemized billing etc)
Under PECR there are specific rules regarding marketing and you will often need to have specific consent to send unsolicited direct marketing. Consent must be freely given, informed and unambiguous. To obtain valid consent, the best way would be to ask your customers or clients to tick opt-in boxes confirming they are happy to receive marketing calls, texts or emails from you. Individuals should still be able to unsubscribe from receiving any marketing materials at any time. According to GDPR laws, it must be simple, transparent and fast for people to be able to unsubscribe at any time.
What does compliance look like?
A privacy notice is a way of providing information about the personal data held and its use. Within a privacy notice, it is important to identify and state who the data controller is and the necessary contact information. The notice should explain the purposes for which personal data is collected and used, how data is disclosed, stored, how long for and the controller’s legal basis for processing. Privacy notices need to have certain basic elements to ensure that they are compliant with the law. Once you have your privacy notice, be sure to get it checked by a lawyer and or professional.
You can visit the Information Commissioner’s Office’s website for guidelines and a checklist of what you need to include in your privacy notice.
Keeping a record of your processing activity is a simple and helpful way to build your privacy notice. You should think about and make a note of the following: where your data is coming from, what your data is capturing, why you need to use it and how long it is behind kept, if anybody processing data on your behalf, is the data being shared with others, and do you need to collect this personal data. Considering if the data is necessary is important as you should only be storing data based on necessity and should keep data limited to what you need. Creating a GDPR or data compliance folder is an easy way to store and organise everything in an accessible place. If you need to document proof of the steps you’re taking to comply with data protection you will have all the information ready and at hand.
As a coach, a simple way to ensure that you are following regulations would be to conduct an audit of any personal data and information you currently hold, identify where it came from, who you share it with and delete any personal data that you don’t need.
How to keep personal data safe
To keep personal data safe you should have physical and technical measures in place, you should also conduct a risk analysis. To keep data safe you should not keep any data for longer than you need to and should stay on top of the data you hold. Simple steps like being cautious when receiving weblinks, backing up data, using strong and secure passwords, antivirus or malware protection software, restricting and protecting files as well as using secure networks can help protect you from cyber-attacks and phishing scams.
If you do have a minor personal data breach then it is good practice to be open and inform those individuals involved of the situation. If there is a major breach you must report it within 72 hours. It is good practice to keep a log or record of any near misses that may happen, this can help you to prevent it from happening in the future. This log is also useful to keep for training and information purposes to improve your systems and processes.
Join our community today and subscribe to our newsletter to be notified about future events!
Learn more about the Speaker: https://app.delenta.com/ta/@CoachingBeacon
THE ELEVATE YOUR COACHING BUSINESS Workshop series is targeted at ambitious coaches. It will provide you with the tools and give you insight on how to build a sustainable coaching business. You will also learn about some of the best practices and find out how to strategically grow your client base. This workshop series is a unique opportunity to get inspired and learn from some of our renowned Delenta Innovative coaching community members.