Keep reading to learn about the General Data Protection Regulation (GDPR) and find out what steps you can take to make sure your dance school is compliant.
If you already comply with the Data Protection Act (which you do, don’t you?) then you already have the basics in place. But there is more that you must do to comply with the new law, which comes into force on 25th May 2018.
You should designate someone responsible for data protection compliance. In all practical terms, if it is your dance school, that person will be you!
You need to have an understanding of how you collect, store, use and share data within your dance school.
Start by making a list of data you hold. This is likely to be things like registration forms, records of exams taken, teaching notes, emails, uniform orders, etc. Make a note of where the data came from (did the parent fill out the registration form, or was it the child?). Then make a note of who you share it with. This could include other teachers, suppliers and other businesses.
You might share data with more people than you think.
Take an email newsletter mailing list for example. You collect parents’ email addresses as part of the registration form. You add them to your mailing list. You use a third party like MailChimp to send out your newsletters. So you are sharing your parents’ data (at least their name and email address) with a third party.
If you book a theatre for your show, you might need to provide the theatre with a list of people taking part. Again, you are sharing data you collect with a third party.
Part of the GDPR is accountability: you have to be able to demonstrate that you comply, not just say that you do. Having a written list of the data you collect, how you collect it, why you hold it and who you share it with helps with this.
Personal data is any information relating to someone who can be directly or indirectly identified by reference to an identifier.
An identifier isn’t just a name. It could be an email address, membership number, IP address, or lots of other things.
This new definition of personal data is deliberately broad and covers a lot of things that weren’t covered in the past.
The GDPR gives new rights to individuals. The following apply to both adults and children:
Although the automated decision-making rule probably won’t apply to what you do, most (if not all) the others will.
Consent now has to be positively agreed to. It must be prominent, freely given, specific and informed. It cannot be assumed or inferred. Gone are the days of pre-ticked boxes and lumping privacy in with general terms and conditions.
GDPR brings in special protection for children’s personal data. Where you rely on consent for an online service offered directly to a child, the GDPR sets the age at which a child can give their own consent at 16, and anyone under that age needs consent from someone holding ‘parental responsibility’ (a parent, guardian, foster carer, etc.). Member states can lower that age to 13, and the UK has done so in the Data Protection Act 2018, so check the current ICO guidance for the age that applies to you. Whatever the age, if you are collecting a child’s details through a parent (as a registration form usually does), make sure the consent you record is clearly the parent’s.
People must have ‘granular’ options and be able to withdraw their consent at any time. Just because they have registered for your dance classes doesn’t mean they want newsletters emailed to them or flyers posted to them. It can’t be all or nothing – if they don’t want to receive your marketing, you can still teach them ballet, just don’t add them to your mailing list.
If you are processing personal data to fulfil a contractual obligation, then as long as you are only collecting enough personal data to fulfil that obligation, you don’t need to get further permission.
Say that you sell a parent a pair of tap shoes, and you are going to post the shoes to them when they arrive. You need their name and address to send the shoes – this is fulfilling your contractual obligation with them. If you employ someone within your dance school, HMRC require you to keep certain details like their National Insurance number. This is a legal obligation, so you don’t need their explicit consent. However you don’t need someone’s NI number to send them some shoes, so if you are asking for it, you need to clearly inform them why you need it, how you will use it and make sure they positively agree to it.
Unless you are just setting up, you will already hold a load of data on your customers. You don’t automatically have to ask everyone to consent again, but existing consent only carries over if it already meets the GDPR standard (a positive, specific, informed opt-in that you can evidence). If it doesn’t (for example, you relied on a pre-ticked box or a line buried in your terms), you need either to refresh that consent or to rely on a different lawful basis, and you must make sure all future consents and processing are compliant.
The new regulation requires that personal data is processed lawfully, fairly and in a transparent manner. It must only be used for the purposes you specified when you collected it, and not further processed in a way that is incompatible with those purposes.
The data collected must be relevant and limited to what is necessary. For example, if you are collecting data to add someone to an email newsletter, you can’t also ask for their phone number, as this isn’t needed to send them an email.
Data collected must be accurate and kept up to date. People move house, change their phone number, get married, change their name – are the details they entered on your registration form three years ago still correct? Probably not!
If data is inaccurate it must be updated or erased. Inaccurate data isn’t any use to you anyway, so why keep hold of it? Give your customers opportunities to correct data you hold on them. This could be as simple as showing them their registration form and asking if anything has changed.
One way of making sure that the data you keep is fresh is by not holding on to it for longer than necessary.
If you were collecting people’s names for a prize draw that took place six months ago, why have you still got that list of names? Once the winner was picked and the prize handed over, you have no further reason to keep hold of that data – so get rid of it! But get rid of it securely...
Data must be processed in a manner that ensures appropriate security of the personal data. Leaving a list of parents’ contact details for your next class lying around isn’t appropriate security – anyone could pick that list up. Sharing a parent’s contact details with a colleague over Facebook Messenger isn’t appropriate security either. ‘Securely’ means shredding paper rather than binning it, and actually deleting electronic copies (including the ones sitting in your email sent folder or an old spreadsheet) rather than just forgetting about them.
Most data breaches happen because of silly mistakes made by individuals: an email sent to the wrong parent, a list left on a table, a spreadsheet shared with the whole team. Make sure you have processes in place to lessen the chance of a silly mistake happening, and know what you would do if one did, because a breach that puts people at risk has to be reported to the ICO within 72 hours of you becoming aware of it.
Do all your staff need access to all your data? Do you need to print everything out?
The fewer people who have access to things, the less likely someone will make a silly mistake!
Personal data can only be transferred outside of the EU in compliance with the GDPR. You need to be aware of the external services you use to store or process data (like Gmail, Dropbox or MailChimp): check where they hold your data, what lawful transfer mechanism they rely on if that is outside the EU, and that they offer a written data processing agreement, which the GDPR requires between you and anyone who processes personal data on your behalf. Part of that decision also has to be whether the service gives your data appropriate security – for example, whether you can turn on two-factor authentication and control who else in your school has access.
Data protection and the GDPR changes are a vast subject – much larger than a single blog post. There is a lot that hasn’t been covered here, and obviously you must do your own research (and possibly take professional advice) to make sure you are compliant. A good starting point is the Information Commissioner’s Office.