What is GDPR?
The GDPR is the European Union’s new data privacy law. The GDPR requires companies to take steps to help secure personal data rights and more generally protect that data. The regulation also provides individuals with certain rights over their personal data, including a right to access, correct, delete, and restrict processing of their data.
When does GDPR take effect?
The GDPR takes effect on May 25, 2018.
Who does GDPR apply to?
GDPR will impact virtually any company that’s either based in Europe or has any customers in Europe.
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.
Before we get into the specifics of the GDPR, let’s go over some basic definitions.
| Term | Definition | Example |
|---|---|---|
| Data Subject | A "natural person" who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity. | Jane Doe |
| Personal Data | Any information relating to an identified or identifiable data subject. | Woman. Age 48. Ph#: 33 1 7210 940. Address: 99 Red Cedar Lane, San Diego, CA 92131. |
| Sensitive Personal Data | Personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information about health, sex life and sexual orientation, and genetic or biometric data. | Broke leg last year, Catholic, Lesbian, etc. |
| Processing | Anything that is done to or with personal data. | Any collection, storage, transfer, sharing, modification, use, or deletion of personal data. |
| Controller | An entity that determines the purposes and means of processing of personal data. | When Jane signs up for a membership at CrossFit ABC, CrossFit ABC becomes a controller of the personal data Jane provides. |
| Processor | An entity that processes personal data based on the instructions of a controller. | Wodify becomes a processor of Jane's data when CrossFit ABC adds her membership and personal data to Wodify. |
GDPR and Wodify
How does the GDPR affect Wodify?
The General Data Protection Regulation (GDPR) requires Wodify to make the following changes to its platform and internal privacy program:
- It requires Wodify to make sure that we and our Users are able to honor the rights of European customers over their personal data.
- It requires Wodify to make certain contractual commitments to our Users, and requires us to get certain contractual commitments when we use a third-party subprocessor to provide our services.
Wodify has been preparing for GDPR in the following ways:
- We appointed an experienced Data Protection Officer to oversee our data protection program and GDPR implementation plan.
- We started to deliver GDPR-focused training to key teams and personnel so that they are aware of the law’s requirements and can design our products and business plans with privacy in mind.
- We implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
GDPR and You
What can you do to get ready for GDPR?
GDPR gives people more rights over their personal data, and it defines what counts as personal data very broadly. You can check out a complete guide to the legislation here.
It specifically gives people the right to access, correct, delete, and restrict processing of their data, and sets out strict guidelines about how you need to get customers to agree that you can use their data (i.e., consent). This is especially important if you're using your customers’ data for purposes beyond simply filling orders, such as marketing or advertising.
GDPR also makes it your responsibility to protect that data (even if you’re using a processor like Wodify to actually store that data), and to make sure that your customers and website visitors can exercise all the rights they now have.
If someone in the EU emails you and asks you to delete their personal data from your gym, for example, you’d need to be able to do that.
Collecting personal data
Personal data can be a name, address, email address, social media account, or even a digital identifier such as an IP address or a cookie ID. The GDPR protects the fundamental rights of individuals within the European Union in relation to the processing of personal data. Think about the following questions:
- Are you collecting personal data from clients in Europe?
- If your gym uses third-party apps (like Wodify), do they collect and process data in accordance with the GDPR?
Appointing a Data Protection Officer
A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. Consider whether you are required to appoint a DPO to advise on your compliance with the GDPR.
Under the GDPR, you might need to obtain consent to process the personal data of your customers or change how you currently obtain that consent. For example, you might need to obtain consent from your clients if you are sending them marketing messages, or if you are using online advertising or retargeting apps. Where you need to obtain consent, the GDPR says that it must be "freely given, specific, informed and unambiguous." This means that the customer needs to be given detailed information about the particular use case, and some affirmative action needs to be taken by the customer to show consent. Consider incorporating this into your client contracts.
Consider the following questions:
- Do you need to get affirmative, opt-in consent from your customers because of the personal information that you or a third-party app processes?
- Are you providing your customers enough details about your processing activities and data usage to obtain effective consent?
- Does the customer need to take an affirmative act to show consent?
- Is the customer’s consent recorded and stored somewhere?
The GDPR includes specific parental-consent requirements for processing the personal data of users under the age of 16 (this age can be lower in certain countries). Consider whether you need to change how you process customer data to either stop processing the data of users under the age of 16 or obtain parental consent.
Processing GDPR data requests
The GDPR expands on an individual's right to access and control their personal data. You might need to update how you process customer data to respond to personal data requests protected under the GDPR.
Subject access requests and portability
The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data that is being processed by a company. The GDPR requires that you provide your customers with a copy of their personal data in a common, easily readable, and portable format, so that they can use that data with a different service provider. If you need to obtain this information to respond to a request, then Wodify can provide you with the information that it stores. In addition to the information that Wodify stores about your clients, you will also need to think about other service providers that you might use who may have access to your clients’ personal data, such as third-party apps.
Consider the following questions:
- What data would you need to provide in response to a subject access or portability request?
- Which third parties would you need to contact in order to respond to a subject access or portability request?
- In what format would you provide this data?
- Do you need to change how you process client information to provide this data?
The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data. You should consider whether you might be obligated to erase or restrict the processing of your customers' data in response to such a request. As with subject access requests, Wodify can help you delete personal data that it stores on your behalf, but you should also consider what third parties you may need to work with in order to fulfill an erasure request.
Data breach notification
If you experience a data breach and the GDPR applies to you, then you might be required to notify affected users or specific regulatory bodies. Where applicable, you're required to provide notice within 72 hours of becoming aware of the breach. You should think about putting together a data breach response plan for your business so that you are prepared for such an incident.
The GDPR imposes certain requirements on a company that uses third-party vendors and service providers to process the personal data of its users. Consider reviewing the privacy practices of the vendors and service providers that you use, including Wodify, to try to make sure that they adequately protect your customers’ personal data.
The GDPR requires that you take a number of affirmative steps relating to your and your third-party service providers’ collection and use of personal data. This includes Wodify, but also any third-party apps that you might use in connection with your Wodify account. While Wodify is happy to help you to the extent it can with regards to its data practices, it is up to you to ensure that you are using third-party apps in a way that complies with the GDPR. Compliance needs will vary depending on where you are located, where your customers are located, where the app developer is located, and how you have implemented and installed the app. Wodify wants to make sure that you are well-positioned to be able to assess your compliance needs, and we are working with our app developers to make sure that they provide you more information about their data collection and processing practices.