GDPR is here. It’s been a long time coming but the deadline for compliance has passed. Many businesses in the health space ignored it until the very end. It’s easy to understand why. Reading papers and regulations statements from the European Union is not something to get excited about. It’s a lot of work to get fully compliant. But if you’re worried about your business receiving a fine, here’s an overview of what you need to know.

It’s worth pointing out that the likelihood of the EU Data Protection squad knocking on your door is low. Fines (which can be up to €20 million for large businesses) will be the last resort. But you don’t want to risk ending up on the regulator’s radar. If you haven’t done so already, assign resources to the task of getting compliant. The health and fitness, wellness, and medical industries deal with sensitive customer information about health.

Not protecting your customer’s data or misusing your client’s personal information (even if it’s unintended) will eventually lead to contact by the EU regulator.

First of all, does the new General Data Protection Regulation (GDPR) apply to your business?

In short, yes. Do you have a website? Then you will need to comply with GDPR .

Do you store data such as the name, phone number and email address of your customers, members, and clients? Then your business must comply with GDPR directives.

Examples of How Health & Fitness Businesses Store and Process User Data

• Gyms that keeps records of its members’ personal details.
• Online nutrition course providers that record user details for account and login purposes.
• Physiotherapists that record sensitive data (health-related conditions, age, sex) about clients and store the information in databases or paper records.
• Fitness studios that post images and details about members on social media or their website.
• Fitness blogs that offer ebooks in return for email addresses

What is Data Protection?

The GDPR law protects personal data. The EU is serious about personal data and regulates the use of this data by businesses. It’s a good thing for consumers and businesses. The problem is that the directives are hard to understand and harder to implement. Small businesses are the ones that will suffer most due to lack of resources.

The GDPR regulation relates to data protection and privacy for European Union individuals. But the implications of this regulation reach outside of the EU. Any business that deals with Europeans or employees people in the EU is also required to comply with the new laws.

Who Does GDPR Apply To?

GDPR regulations apply to businesses that have customers in the European Union.

There are three concepts to keep in mind here. One is the concept of Controller: a business that considers the purpose and processing of personal data. The second concept is Processor: a business that stores and processes information on behalf of other organisations. And the third is the Data Subject: that’s the user, visitor, or customer.

Health and fitness businesses will almost always be considered Controller businesses.

GDPR Fundamentals for Online Businesses

You must have a valid legal basis for processing the data of your customers or visitors.
You must explicitly show why you need to process this data.
You cannot use the data for other purposes other than the explicitly stated purpose

Most health & fitness, wellness, and local businesses do not have proprietary software, apps, and website code to change apart from the text on their business websites. However, there is still some work to be done.

GDPR Checks for your Website

Does your site have HTTPS?

If so, you’re good to go. If not, your website will not only show up as “insecure” in Google Chrome (the world’s most popular web browser) but it will break GDPR guidelines.

Are you using forms on your website to gather user information?
If the answer is yes, you must try to minimise the information gathered. Only collect as much information from users as you need. Asking for their address when it doesn’t benefit your business just adds to the workload.
Do your forms have pre-checked boxes for email newsletter sign-ups or terms & conditions acceptance? With the new GDPR rules, forms must not contain pre-checked boxes

Does your website use cookies?
99% of the time websites use cookies. You might not be aware of this but Google Analytics, MailChimp, and almost every other application you have connected to your website use Cookies in some form or another. Cookies help identify users by IP address, email address, and other personal identifiers.
Conversion tracking and re-targeting in Adwords, Facebook Ads, and other advertising networks rely heavily on cookies so if you run ads for your business it’s very important that your website uses a cookie policy pop up.
To be GDPR compliant you will need to tell users what cookies your website uses and why they are used.
A cookie policy is essential and you must explicitly tell visitors how and why they will be tracked by cookies.

Use Termly to build your own cookie consent policy.

Does your hosting provider GDPR have a Data Protection Agreement?
Check that your web hosting provider is GDPR compliant. This is actually your responsibility as your hosting provider is a vendor and GDPR compliance requires your businesses vendors to be compliant too. You’re probably throwing your hands in the air at this stage. Unfortunately, the new privacy laws have created difficult challenges for small businesses. Ignoring your responsibilities will only cause problems so it’s advisable to make contact with your hosting provider. Ask your provider if their server logs (where they record IP addresses and other information about visitors to your website) are GDPR compliant.

Do you use Google Analytics?
If not, you should be as the information this free tool provides is pure gold. If you’re already using Analytics (a requirement for Fat Frog Media clients) then you need to make some adjustments in the Google Analytics administration area.

Most websites are not compliant with the EU’s new privacy laws.

Stay one step ahead of your competition and save yourself a headache. Get GDPR compliant today!

As Business Owner or Blogger, What Do You Need To Do?

1. Assign a Data Protection Officer,
2. Make all departments aware of GDPR regulations and document this.
3. Make sure all tick-boxes on forms (for opting into email newsletters for example) are not ticked.
4. Document in your privacy policy page what information you collect on customers.
5. Describe in your privacy policy details about the cookies that your organisation uses to track users on your website.
6. Explain clearly to website visitors how their personal information is used, stored, and shared. If you share any personally identifiable information about users with third-party apps, services, or businesses, you should explicitly state this.
7. Offer a way for users to delete all of their information and accounts from your records, databases, and systems.
8. Offer a way for users to request an export of their data.
9. Review the statuses of 3rd party apps used by your business. This might include Stripe, Google (analytics, Adwords, etc), HubSpot, etc.
10. Describe how users data is stored and protected. Explain how users will be notified in the case of a data security breach.
11. Give contact details of your data protection officer (Name, Address, Phone, Email).
12. Show records of when consent was given. This provides an audit trail and covers your business.

What You Can Do to Reduce the Workload and GDPR Compliancy Paperwork

If you don’t need the user’s details, don’t take them. If you already have information about visitors and users that you no longer need, delete it from your system. The fewer data your business processes or stores the easier it is to comply with GDPR regulation.

For a handy checklist of GDPR tasks, this website is a good start.

For a more comprehensive GDPR compliance solution, try eComply.