Posted by: Yoga in Borve | May 27, 2018

You, me & the GDPR

If you’re anything like me, your email inbox will have been inundated in the last week with messages from organisations about their data/privacy policies, due to the General Data Protection Regulation (GDPR) which came into force on the 25th of May as part of the new Data Protection Act 2018. I was feeling a bit unclear about whether and how this impacted on what I do as a yoga teacher – not helped by the fact that I’ve had emails from other teachers whose courses/workshops/mailing lists I’m part of, taking several different approaches – and even organisations such as Pilates Union and Yoga Scotland sending out one type of information/consent and then realising they had made a mistake and needed to send out another!

So, following a few helpful tips from regulars in my Friday class, I spent a joyful two hours indoors on a sunny Saturday afternoon reading the Information Commissioner’s Office’s Guide to the General Data Protection Regulation. Well, it stopped me getting sunburned…

Image result for cartoon paperwork

Initially I felt pretty smug. Unlike the majority of teachers whose classes I’ve attended in the last few years, I ask everyone who comes to one of my classes to complete a registration form which explicitly states why I’m collecting personal data (on current level of experience, health, priorities, etc.) and how it will be used:

It helps me to teach you better if you answer the following questions fully. Any information given will be kept confidential.

The same form also gives people a choice about whether they wish to be emailed in future about teaching I’m offering:

I send out information emails about class changes, the next month’s timetable, weekend yoga workshops, etc. If you do NOT want to be part of the email group receiving such information, tick this box

I also felt what I read on the Guide to GDPR in general sat very comfortably with my established professional practice. You can read the whole thing at the link above, but I’ll summarise here.

It is centred round the idea of lawfulness, fairness and transparency. For example, when holding personal data, you must not breach a duty of confidence, and you must be clear, open and honest with people from the start about how you will use their data. You must not process data in detrimental, unexpected or misleading ways. Personal data kept should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. It is good practice to keep it accurate, e.g. by reviewing and updating it regularly. You should make it clear to people that they have a right to be removed from mailing lists for marketing purposes. You should not keep personal data longer than you need it. Rather, you should periodically review and erase what you no longer need or are required to keep.

I feel I have always complied with all these principles, and that those of you who do yoga with me trust that I am careful with your data and know that I don’t go sharing it or leaving it lying about for others to see. However, I could be spelling out some of the things I do more clearly. More significantly, the GDPR has a tough and high standard for consent, which I’ve not previously been meeting in full (and I’d be astonished if any yoga teachers have! I’m certainly not aware of privacy policies displayed on any of the yoga teacher websites I’ve used in the last few years). So, I’m going to set things out more clearly in this post. I’m also going to be moving later this year, which necessitates a major revamp of my contact details, website, facebook page, etc.  So as I’m doing this, I will build in a data protection policy page on the new website, and revise my registration forms to meet the new consent standards. Meanwhile, please read on to be fully aware of my data protection policy.

There are six lawful bases for processing personal data, and everyone doing so must keep a record of which basis they are relying on and a justification for why they believe it applies. This information and the intended purposes for processing personal data must be included in your privacy notice.

My lawful basis is (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose (in my case, in order to teach them yoga/pilates in an effective, safe and organised way).

My purposes for collecting the data I do are threefold:

  • the health, level of experience and particular interests data helps me to teach you better.
  • the contact details are for practicalities and emergencies (e.g. if I have to cancel a class at short notice, which has happened occasionally due to adverse weather/power cuts – or if you fell severely ill during a class and I needed to contact your ‘named person’ to let them know – which has thankfully never yet happened).
  • the email address for providing information about classes – this includes marketing (such as alerting you to new classes/workshops) and also helpful practicalities for those booked into a class (e.g. I might email you to say “next week please make sure to bring a blanket as we are doing X in class”).

I frequently remind people in emails that if they wish to be removed from my mailing lists at any point, please ask. I will additionally state this on my new website in the privacy policy page.

Other things I could be more explicit about, although I’m sure many if not most of you know these:

I don’t tell anyone information in your form, or show anyone your form. I don’t keep any forms on the computer – if I’ve downloaded a completed registration form sent to me by email, after I print it out, I delete it from the computer.

I keep all current forms in an A4 folder which I bring to class, so that I have your health and emergency contact information to hand at all times when teaching.

I keep all older forms archived in a folder in the cupboard in my home yoga studio. My professional insurance comes via my membership of Yoga Scotland, and as part of this I have an obligation to keep archived forms for several years before destroying them. It has also been my experience that many people stop coming to yoga for a year or two then resume, as their life circumstances change, so it is useful to keep the forms of those who haven’t been to classes for a while. As many of you know, when you come back to class after a break, I ask you to check and update your form. I also ask everyone once a year to check/amend/re-date and sign their forms, in case they haven’t remembered to provide me new relevant information (it also states on my form “Please remember to update me if any of the details on this form change!”). Occasionally someone asks me to remove them from the mailing list, and I have a separate section at the back of my archived forms folder for people who I never email (but whose forms I still need to keep due to the requirements of my professional insurance policy). I mostly send emails to those who are currently coming to classes, have been at classes in the last year, or have specifically asked me to keep emailing them although they’re currently unable to attend classes. Much less frequently, I send an email to a larger list (e.g. as I will do when I have to inform everyone of this post, when I am moving and what my new contact details are).

Things I need to change/improve:

  • spelling it all out, as I’ve done here – and on my new website will do in a more succinct and polished way as a fixed page on data protection policy.
  • on this page and/or on the registration form, be more clear and specific about what consent I’m asking for. I will need to provide separate statements of consent for people to sign, e.g. one which says you are willing for your data to be kept for health/emergency contact purposes (everyone who wishes to come to one of my classes will have to be willing to sign this) and a separate one saying you are willing to be contacted by email for marketing purposes (e.g. upcoming class info – and in this section I will also clarify that your email address will be visible to others, unless you specify you wish it to be in the ‘bcc’ section of the email). Under the new GDPR, pre-ticked opt-in boxes on forms are banned, and the format I have on my existing form (an opt-out box to be ticked by the person completing the form) is not banned but is mentioned as no longer acceptable.
  • be clear that consent can be withdrawn at any point, and how to do this (e.g. you can email me any time to ask to be removed from mailing lists/form to be archived).
  • keep a record of when and how I got consent from the individual and what exactly they were told at the time (this should be easily done via revised registration form).

How does this affect you? What action do you need to take?

  • keep an eye out for an email from me later this summer advising you of my new website/email/facebook details and asking if you wish to be kept on my mailing list (e.g. to be informed of future yoga workshops when I am back on Skye, and/or news of what I’m doing on the east coast – I like to think I might do some day or weekend events once I’m settled, and I already have had a few volunteers to ‘yoga bus’ folk over from Skye for a lovely yoga reunion together!)
  • let me know if you’re not happy with anything you’ve read here – for example, if you wish to be removed from the mailing list already.
  • feel free to share any ideas you have for making the revised registration form clear and manageable for us all.
  • once the revised registration form and contact details are made available (I will alert you all to this by email and on my facebook page), ensure that you have completed and returned a new form to me if you wish me to continue to contact you.

If you’re read this far – congratulations! And thank you.


Share your thoughts!

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: