In April 2016, the European Parliament adopted Regulation (EU) 2016/679, the General Data Protection Regulation (see the full text here).
Unsurprisingly, it’s more commonly referred to as the GDPR and, despite being the most significant update to privacy regulation in two decades, it passed largely unnoticed by the general public at the time.
Two years on, as the clock ticks down to 25th May 2018 when it becomes enforceable law, there’s no getting away from coverage of the GDPR and the impact it will have on businesses, professionals and consumers. And for good reason – data, and how it is collected, processed and shared, lies at the heart of how the internet works, and drives the business models that made the likes of Facebook and Google into multi-billion dollar behemoths. Amongst other things, the GDPR forces companies to pay more attention to what they are collecting, keep better track of the information, and notify their supervisory authority within 72 hours of becoming aware of a breach (and the affected users without undue delay where the breach puts them at high risk).
But this is not just for search engine and social media goliaths that operate on a different level to most wellness professionals. From 25th May 2018, companies all around the world – whatever their size, industry or location – have to comply with the GDPR if they want to serve any of the EU’s 500 million people, or handle data for any European companies.
Given the nature of the internet, this means the EU is more or less setting a new global standard for data and privacy. Given how deeply rooted the internet is in our everyday lives, it is about time somebody made a meaningful attempt to do so.
The GDPR comprises 99 articles and 173 recitals, whilst if you Google it, there are 18 million results to whet your appetite. We’ve included some useful links at the bottom of this page, but otherwise this blog post is intended as a handy summary of its essentials, and how they could affect you, whether you’re a user of wellness services, or a professional offering anything from acupuncture to yoga.
In the next post, we get into the detail on the practical differences between being a data controller or a data processor. Further down this post, we’ll cover the measures put in place by Keia to ensure your rights under the GDPR are fully upheld, and your usage of Keia is fully compliant.
Why is the GDPR a big deal?
It is notoriously hard for individual governments to enforce regulation across the borderless space of online commerce.
Furthermore, legal statutes have been left behind by the pace of technological progress. The nearest equivalent to the GDPR in the UK, the Data Protection Act 1998 (which implemented the EU’s 1995 Data Protection Directive), was enacted years before the rapid change in the data landscape caused by the explosion of ubiquitous and mobile computing, and the big data era.
As mentioned, the size and reach of the EU mean that the GDPR is effectively a global standard, the first of its kind in this area. Importantly, that standard provides:
- Very specific rules companies must respect in order to obtain and process personal data.
- Maximum penalties for non-compliance on a scale never seen before in data privacy regulations.
- A specific deadline for companies to get their affairs into order.
- An obligation to disclose data breaches.
Let’s look at each area in more detail:
1. Specific rules
There are too many to list here, but these are some of the headline rules:
- Consent is one of six lawful bases for processing personal data. Where a company relies on consent from someone in the EU, that consent must be freely given, specific, informed and unambiguous (a pre-ticked box is not enough; the user has to actively opt in), and it must be explicit where special category data such as health information is involved. Withdrawing consent must be as easy as giving it.
- Users can request a copy of all the personal data a company holds on them, free of charge and normally within one month (under the Data Protection Act 1998, companies could charge £10 for a Subject Access Request and had 40 days to respond).
- Users have the right to erasure – in certain circumstances (for example, where they withdraw consent or the data is no longer needed for the purpose it was collected for) they can require that their data is permanently deleted.
- Terms and conditions must be in clear and easy to understand language (transparency).
‘Data controllers’ and ‘data processors’
This is a rather nuanced part of the GDPR, but worth taking the time to get to grips with if you’re a business or professional.
- If you’re a wellness practitioner, whether an aesthetician, hairdresser, counsellor, fitpro or professional in any of the numerous therapies, then for any clients that you collect or process personal data about (for example, when booking them in for an appointment, or adding a note to their file to an online system such as Keia), you are the ‘data controller’ and in this example, Keia would be the ‘data processor’.
- For clients who make their own booking, and for professionals entering their own personal data, then Keia is the ‘data controller’.
Please click here for a more detailed examination of the implications of each role.
This distinction is important for compliance. Generally speaking, the GDPR treats the data controller as the principal party responsible for collecting consent, managing consent-revoking, enabling right to access, etc.
2. Penalties and sanctions
A company found to be in breach could be fined up to 4 percent of its annual global turnover or 20 million euros, whichever is larger.
If Facebook were found to be failing to comply, for example, it could be liable for a $1.6 billion penalty (based on its 2017 annual revenue of roughly $40 billion).
A non-compliant company could even be banned – temporarily or definitively – from processing personal data.
3. A specific, universal deadline
Companies affected by the GDPR must be compliant with all relevant provisions by 25th May 2018. As a Regulation, it applies directly as enforceable law in every member state (whereas a Directive must first be transposed into national law by each government).
4. Obligations to disclose data breaches
There have been several high profile incidents in recent memory, from Sony to Barclays to the Facebook / Cambridge Analytica scandal. Had the GDPR been in force at the time, each organisation would have been legally obliged to notify its supervisory authority within 72 hours of becoming aware of the breach, and to inform affected users without undue delay where the breach put them at high risk – or be exposed to the sanctions detailed above (20 million euros or 4% of turnover, whichever is greater, and potentially a ban from processing personal data).
How does this fit into Brexit?
Many believe it will take at least two years from now for the UK’s exit from the EU to be agreed, whereas the GDPR becomes fully enforceable on 25th May 2018.
As a Regulation, the GDPR is directly enforceable whilst the UK is a member of the EU. Meanwhile, the UK is introducing the Data Protection Bill (DPB), which implements and supplements the GDPR in UK law.
In any case, if your business deals with any of the EU’s 500 million inhabitants, then you would still be directly subject to the GDPR.
What has Keia done to prepare for the GDPR?
- Audited and documented every data collection process to ensure that there are no security gaps, and that we are entirely compliant with the GDPR.
- Provided a facility within the client account for users to download all the data we hold on them.
- Separated out consent to be contacted (by phone, by email, by text) from general acceptance of our Terms & Conditions.
- Introduced GDPR specific agreements with our users – clients and professionals:
  - Client Privacy Statement
  - Data Processing Agreement (professionals)
  - Data Security policy
- Declared all ‘sub-processors’ that we use in order to deliver our wellness platform and functionality to professionals and clients (for example, the service that delivers text messages).
- Implemented processes for the ‘right to erasure’ so clients and professionals can request to have their profiles deleted, and all related data (for example, appointments and notes) deleted or redacted where it isn’t possible to delete it (for example, if an appointment involves another person).
- Introduced a retention policy for all personal data we hold, so that it is automatically deleted at the end of the retention period.
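The erasure and retention steps in the list above hide a design problem worth seeing in code: a client’s appointment record also belongs to the professional who delivered it, so it cannot simply be deleted when the client asks to be forgotten. The in-memory model below is an added example written for this post; it is not Keia’s code and says nothing about how the Keia platform is actually built. The data model, field names, sample records and the two-year retention period are all assumptions. It deletes the profile, redacts the erased person out of records shared with someone who still exists, deletes records whose other party is already gone, sweeps records past the retention period, and then checks that no identifier, name or e-mail of the erased person survives anywhere in the store.

```python
"""Right-to-erasure with redaction of shared records, plus a retention sweep.

Added example for this post, not Keia's code. The data model, field names,
sample records and two-year retention period are assumptions made for
illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

REDACTED = "[erased]"                               # tombstone written over personal data
RETENTION = timedelta(days=2 * 365)                 # assumed retention period
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)    # assumed "today" for the sample data


@dataclass
class Person:
    person_id: str
    name: str
    email: str


@dataclass
class Appointment:
    appt_id: str
    when: datetime
    client_id: Optional[str]
    professional_id: Optional[str]
    client_name: str
    professional_name: str
    notes: str = ""   # free text the professional wrote about the client


@dataclass
class Store:
    people: dict = field(default_factory=dict)        # person_id -> Person
    appointments: dict = field(default_factory=dict)  # appt_id -> Appointment

    def erase(self, person_id: str) -> dict:
        """Delete the profile, then delete or redact every record naming it.

        An appointment shared with another person who still exists is redacted,
        not deleted, so the other party keeps their own history. One whose other
        party is already gone is deleted outright.
        """
        counts = {"deleted": 0, "redacted": 0}
        self.people.pop(person_id, None)
        for appt_id, a in list(self.appointments.items()):
            if person_id not in (a.client_id, a.professional_id):
                continue
            other = a.professional_id if a.client_id == person_id else a.client_id
            if other is None or other not in self.people:
                del self.appointments[appt_id]
                counts["deleted"] += 1
                continue
            if a.client_id == person_id:
                a.client_id, a.client_name = None, REDACTED
                a.notes = REDACTED   # the notes describe the client, so they go too
            else:
                a.professional_id, a.professional_name = None, REDACTED
            counts["redacted"] += 1
        return counts

    def purge_expired(self, now: datetime = NOW) -> int:
        """Retention policy: drop appointments older than RETENTION."""
        cutoff = now - RETENTION
        expired = [k for k, a in self.appointments.items() if a.when < cutoff]
        for k in expired:
            del self.appointments[k]
        return len(expired)

    def references_to(self, person: Person) -> list:
        """Verification step: scan every string field for the person's id, name
        or e-mail. Expected to return [] once erase() has run."""
        needles = {person.person_id, person.name, person.email}
        hits = [("people", person.person_id)] if person.person_id in self.people else []
        for a in self.appointments.values():
            for fname, value in vars(a).items():
                if isinstance(value, str) and any(n in value for n in needles):
                    hits.append((a.appt_id, fname))
        return hits


def build_sample_store(now: datetime = NOW) -> Store:
    """Constructed sample data (not real users): one client, one professional."""
    s = Store()
    s.people["c1"] = Person("c1", "Alice Example", "alice@example.test")
    s.people["p1"] = Person("p1", "Priya Desai", "priya@example.test")
    s.appointments["a1"] = Appointment("a1", now - timedelta(days=30), "c1", "p1",
                                       "Alice Example", "Priya Desai",
                                       "Lower back pain; review in four weeks")
    s.appointments["a2"] = Appointment("a2", now - timedelta(days=3 * 365), "c1", "p1",
                                       "Alice Example", "Priya Desai",
                                       "Initial consultation")
    return s


if __name__ == "__main__":
    store = build_sample_store()
    alice = store.people["c1"]
    print("expired records purged:", store.purge_expired())
    print("erasure of c1:", store.erase("c1"))
    print("remaining references to Alice:", store.references_to(alice))
```

The scan in references_to is the part most often skipped in practice: deleting the profile row is easy, but the free-text notes, denormalised display names and any export or backup copies are where an erased person’s data tends to linger, so a check that runs after the deletion and reports every surviving reference is worth more than the deletion itself.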
How will the GDPR affect how you use Keia?
The good news is that the only action required from you at the outset is a couple of clicks…
Within the next two weeks, if you’ve already got an account, you’ll be asked to re-accept Keia’s T&C. Do this and you’ll be fully up to date with regards to the GDPR and your use of Keia, whether as a client to book services, or as a professional to help run your wellness business.
If you are a professional and you add a client to your Keia calendar, then under the stipulations of the GDPR, you are the data controller for that client. This means if they wish to delete their account, then they would contact you first to initiate that request. You simply pass that request on to Keia, and hey presto, our GDPR processes take over and ensure it is deleted within 30 days.
Onwards and upwards
In summary, you can rest assured that the processes and systems making up the Keia platform are compliant. So long as you adhere to the principles of the GDPR yourself, you will be fine too. The GDPR may seem an impenetrable tangle of legalese and enough red tape to sink a battleship. However, we at Keia believe that it’s a good thing. It was designed to bring into line malicious offenders who blatantly disregard the principles of data protection and privacy. It was not meant to catch out professionals making an honest living that happens to involve data processing.
Keia’s mission is to do the heavy lifting around the nitty gritty of running a wellness business so that you can focus on treating / consulting / massaging / counselling / training / coaching / etc, and this is no different. Our internal GDPR taskforce has been exclusively focused on preparing for 25th May 2018 for months, ensuring our systems and processes are compliant, so you are too when you use them in your everyday business.
If you’re already a member, you’ll be prompted to accept our new terms and conditions when logging in, from the next week onwards. If you’re signing up for the first time, it will already be part of the terms you sign up to. Then simply use Keia per the onboarding training you will have received on signing up, and your dedicated Account Manager will always be a phone call or email away to assist with any further queries.
If you have any questions on how the GDPR could affect your wellness business, please contact our Customer Success team on 0161 826 9408, or using the contact form here (select the Business Partners option).
Useful links
- What the GDPR means for wellness professionals on Keia
- The GDPR privacy principles
- Full text of the GDPR
- Guidance from the Information Commissioner’s Office
- Guidance from the Information Commissioner’s Office on data controllers vs data processors
- The GDPR vs the DPA
Editor’s Note: Please note that nothing in the Keia blog constitutes legal advice, and you should seek legal counsel for specific recommendations related to GDPR compliance.