What the GDPR means for your Dance School
23rd March 2018
Keep reading to learn about the General Data Protection Regulation (GDPR) and find out what steps you can take to make sure your dance school is compliant.
If you already comply with the Data Protection Act (which you do, don’t you?) then you already have the basics in place. But there is more that you must do to comply with the new law, which comes into force from 25th May 2018.
You should designate someone responsible for data protection compliance. In all practical terms, if it is your dance school, that person will be you!
So what does this mean for your dance school?
You need to have an understanding of how you collect, store, use and share data within your dance school.
Start by making a list of data you hold. This is likely to be things like registration forms, records of exams taken, teaching notes, emails, uniform orders, etc. Make a note of where the data came from (did the parent fill out the registration form, or was it the child?). Then make a note of who you share it with. This could include other teachers, suppliers and other businesses.
You might share data with more people than you think.
Take an email newsletter mailing list for example. You collect parents’ email addresses as part of the registration form. You add them to your mailing list. You use a third party like MailChimp to send out your newsletters. So you are sharing your parents’ data (at least their name and email address) with a third party.
If you book a theatre for your show, you might need to provide the theatre with a list of people taking part. Again, you are sharing data you collect with a third party.
Part of the GDPR regulation is that you have to show accountability. You have to be able to demonstrate that you comply. Having a list of data you collect, how you collect it and who you share it with helps with this.
But what is personal data?
Personal data is any information relating to someone who can be directly or indirectly identified by reference to an identifier.
An identifier isn’t just a name. It could be an email address, membership number, IP address, or lots of other things.
This new definition of personal data is deliberately broad and covers a lot of things that weren’t covered in the past.
Be aware of the new data protection rights.
The GDPR regulations give new rights to individuals. The following apply to both adults and children:
- The right to be informed – your customers must be told if you are collecting their data and how you are using it;
- The right of access – an individual can ask to see the data you have collected on them;
- The right to rectification – if data is inaccurate, an individual has the right to have this data corrected;
- The right to erasure – an individual has the right to have their data deleted. This could be because they withdraw consent or the data isn’t needed for the reason it was collected any more;
- The right to restrict processing – this isn’t the same as erasing the data, but stops you processing it. Say that a member of staff leaves – you still need to keep a record of their employment (so you still need to keep certain information), but you don’t need to send them staff newsletters (although you might hold that information, you have no reason to use it in that way);
- The right to data portability – say you keep a record of exams a pupil has taken with you and they move to another school, they have the right to this information so they can share it with the new school;
- The right to object – just because you might need someone’s address to send them a bill doesn’t mean they want you to send them direct marketing. They have the right to object to this;
- The right not to be subject to automated decision-making including profiling – an individual can object to automated decision making, which is where a decision is made without any human involvement.
Although the automated decision-making rule probably won’t apply to what you do, most (if not all) of the others will.
How do you collect personal data?
Consent now has to be positively agreed to. It must be prominent, freely given and informed. It cannot be assumed or inferred. Gone are the days of pre-ticked boxes and lumping privacy in with general terms and conditions.
GDPR brings in special protection for children’s personal data. It means that people over the age of 16 can give their own consent. Anyone under this age needs consent from someone holding ‘parental responsibility’ (a parent, guardian, foster carer, etc.).
People must have ‘granular’ options and be able to withdraw their consent at any time. Just because they have registered for your dance classes doesn’t mean they want newsletters emailed to them or flyers posted to them. It can’t be all or nothing – if they don’t want to receive your marketing, you can still teach them ballet, just don’t add them to your mailing list.
If you are processing personal data to fulfil a contractual obligation, then as long as you are only collecting enough personal data to fulfil that obligation, you don’t need to get further permission.
Say that you sell a parent a pair of tap shoes, and you are going to post the shoes to them when they arrive. You need their name and address to send the shoes – this is fulfilling your contractual obligation with them. If you employ someone within your dance school, HMRC require you to keep certain details like their National Insurance number. This is a legal obligation, so you don’t need their explicit consent. However you don’t need someone’s NI number to send them some shoes, so if you are asking for it, you need to clearly inform them why you need it, how you will use it and make sure they positively agree to it.
Unless you are just setting up, you will already hold a load of data on your customers. You don’t need to get people to consent again if you already hold data on them, but you must make sure all future consents and processing are compliant.
Think about how you use personal data.
The new regulation requires that personal data is processed lawfully, fairly and in a transparent manner. It must only be used for the specified purposes and not further processed.
The data collected must be relevant and limited to what is necessary. For example, if you are collecting data to add someone to an email newsletter, you can’t also ask for their phone number as this isn’t needed.
Data collected must be accurate and kept up to date. People move house, change their phone number, get married, change their name – are the details they entered on your registration form three years ago still correct? Probably not!
If data is inaccurate it must be updated or erased. Inaccurate data isn’t any use to you anyway, so why keep hold of it? Give your customers opportunities to correct data you hold on them. This could be as simple as showing them their registration form and asking if anything has changed.
One way of making sure that the data you keep is fresh is by not holding on to it for longer than necessary.
If you were collecting people’s names for a prize draw that was drawn six months ago, why have you still got that list of their names? After the draw was drawn and the prize given out, you have no further reason to keep hold of that data – so get rid of it! But get rid of it securely...
Don't forget data security.
Data must be processed in a manner that ensures appropriate security of the personal data. Leaving a list of parents’ contact details for your next class lying around isn’t appropriate security – anyone could pick that list up. Sharing a parent’s contact details with a colleague over Facebook Messenger isn’t appropriate security.
Most data breaches happen because of silly mistakes made by individuals. Make sure you have processes in place to lessen the chance of a silly mistake happening.
Do all your staff need access to all your data? Do you need to print everything out?
The fewer people who have access to things, the less likely someone will make a silly mistake!
Personal data can only be transferred outside of the EU in compliance with the GDPR. You need to be aware of external services that you use to store or process data (like Gmail, Dropbox or MailChimp) and ensure they are compliant and suitable. Remember that part of your decision process has to be making sure that the data is kept appropriately secure.
Data protection and the GDPR changes are a vast subject – much larger than a single blog post. There is a lot that hasn’t been covered here, and obviously you must do your own research (and possibly take professional advice) to make sure you are compliant. A good starting point is the Information Commissioner’s Office.