GET FIT TECH
Sign up for the FREE digital edition of Fit Tech magazine and also get the Fit Tech ezine and breaking news email alerts.
Not right now, thanksclose this window I've already subscribed!
The Leisure Media Company Ltd | Fit Tech promotion
The Leisure Media Company Ltd | Fit Tech promotion
The Leisure Media Company Ltd | Fit Tech promotion
features

Data protection: Be prepared for changes to data protection laws

With the implementation of the general data protection regulation (GDPR) fast approaching, Health Club Management explores what the biggest shake up of data protection laws for 25 years means for health and fitness businesses across the UK and Europe

Published in Health Club Management 2017 issue 10

Once the preserve of lawyers, data protection is about to become something business owners and their employees need to understand. The GDPR is a new piece of European legislation, which comes into force on 25 May 2018. Designed to address the sheer volume of data created and collected today, the GDPR will oblige every leisure operator to overhaul the way it handles data.

“Every two days, we create as much data as we did from the beginning of time until 2003,” says analyst and author Bernard Marr in his book Data Strategy: How to Profit from a World of Big Data, Analytics and the Internet of Things. “Then we do it again. Every two days. Today we have five zettabytes of digital information; by 2020 it’s expected to grow to 50.”

With this in mind, one thing has become impossible to ignore: the Data Protection Act, which was implemented in 1998, is vastly out of date and is unable to fully address the issues raised by the amount of data generated in society today.

Getting ready
The GDPR has been in development since 2012, yet a vast number of organisations still aren’t ready for the change. One survey by IT company Ipswitch found that 52 per cent of firms admit they’re not prepared for the changes that the regulations will bring, and 44 per cent of IT professionals are struggling to grasp the new rules. Yet the GDPR will apply to all UK companies, regardless of Brexit. Some additional legislation will be required, but the bottom line is that the nation will be affected, even after leaving the union.

Getting on board is vital, as financial penalties will be high. “If you fail to comply, supervisory authorities like the Information Commissioner’s Office (ICO) can issue fines of up to 4 per cent of annual global turnover or €20 million, whichever is higher,” explains Raoul Lumb, data protection associate at law firm SM&B. “Previously, the maximum fine was £500,000, which demonstrates just how serious the EU is about instigating an attitude shift.”

But is getting on board easier said than done? Paul Simpson, Legend Club Management Systems’ chief operating officer says that as safeguarding valuable information is key to the new legislation, organisations must begin by thinking about their information assets. “Operators must be sure about the information their business holds, where this information is located, how up to date it is, if it's still required and if it's in digital or paper format,” Simpson explains.

“They should also make sure they know the extent to which employees are accessing this information using their own devices,” he adds.

“By considering every piece of information in line with the three guiding principles of security – confidentiality, availability and integrity – organisations can begin to understand how to best protect their data assets.”

The expected changes
Particularly relevant for the leisure sector will be changes to what is classified as ‘personal data’. Online identifiers like IP addresses and cookies, for example, will now be considered personal data, which means that a vast amount of data that most operators currently capture as a matter of routine will be subject to specific GDPR stipulations. Secondly, an additional definition has been added to data that falls under the ‘special category of personal data’ classification. Genetic and biometric data is now included, and as such, any data used to measure athletic performance and/or health must be treated according to the rules of this category.

In both instances, the most important factor will be ensuring valid consent is obtained from the owner of the data. A member specifically asking for performance monitoring is likely to be lawful, but operators should stop and question wholesale monitoring, especially if it’s carried out without the knowledge of club members.

Also relevant is the ‘right to be forgotten’. Operators will be obliged to erase data if a member exercises this right and withdraws consent to the storage or use of their personal data.

According to Joanne Barton, product design analyst at Gladstone, software suppliers are already implementing measures to anonymise this type of dataset so they can be validly stored and used after the GDPR’s implementation. She says: “We're instigating changes to make adherence as straightforward as possible.

“Compliance with this and many other aspects of the GDPR will be made easier by having a robust software system that’s ready for the change. We’re adapting our user interfaces to support changes affecting consent rules and anonymisation of data, so all personal data is removed from a database but transactional details remain.”

The marketing minefield
Current laws ensure marketers only email people who’ve ‘opted in’ to receive correspondence from them. The GDPR toughens this process up considerably.

Consent must be explicit, rather than implied, and freely given after a request has been made in clear and plain language. Hiding consent within small print or bundling it up in terms and conditions that must be accepted to become a member or buy a product will no longer be allowed. Operators will need to explain clearly why they’re collecting personal data and how they intend to use it, and as a final hurdle, hold records that prove consent was given.

“The safest option will be to actively seek consent before sending marketing emails and similar,” says Lumb. “Tick boxes will need to be presented separately, with their own wording, and a member shouldn’t be forced to tick that box in order to purchase services. You must also make it clear that consent can be withdrawn at any time.”

Email marketing is an area that companies will need to scrutinise closely to ensure they are operating within the boundaries of the new legislation, and this extends beyond the consent process. Sharing of data obtained with other related services will no longer be acceptable unless the data owner expressly agrees to this.

On the record
A clean-up of membership databases will also be important, assessing what data has been collected, how long it has – and will be – stored for and whether it’s accurate.

Utku Toprakseven is the director of sports intelligence at 4 global, which runs the DataHub Club – a data sharing community for sport and leisure sector organisations. He says: “Data takes numerous journeys through organisations. It can generate intelligence and inform operational solutions that produce commercial returns, participation outcomes and social value. The GDPR is a hot topic for all DataHub Club members, from operators to data controllers, processors and users. The GDPR makes it vital to know where data will add the most value to your business upfront, as this will inform requirements at the point of capture.”

Just complying with the GDPR won’t be enough. Operators must also prove they are compliant by keeping a full audit trail, which the ICO can ask for at any time. Most organisations will need someone who owns the data role and is answerable to all data requirements. As such, companies should consider appointing a dedicated data protection officer (DPO). “Getting GDPR-ready isn’t a one-off project, it requires rolling management and record-keeping. You wouldn’t run your business without an accountant; the same applies to data protection,” explains Toprakseven.

Barton advises: “Speak with your software provider about what changes they're making internally. If consent and audit trails aren’t captured within your software applications, the onus will still be on your business to put manual processes in place to ensure compliance. But of course, if your processes are manual, then they’re open to error.”

The road ahead
Don’t panic and conclude it’s better to take no action, says Lumb. “Start by working out what personal data your organisation collects and how – remember it applies to electronic records and paper records, too.” Next, create a list of what you do with that data and, if it leaves your organisation, how it does so. Lumb advises contacting a specialist lawyer to establish what’s compliant, what isn’t and what steps you’ll need to take to make your systems GDPR-ready. He warns, however, that “lots of companies have seen a business opportunity in the GDPR and are trying to turn themselves into experts. Just be wary.”

The new rules aren’t designed to put operators out of business. “The GDPR will curb invasive uses of personal data by organisations that have no business dealing with that data in the first place,” says Toprakseven. “Lots of people think the GDPR will bind us with red tape. It won’t. It’s simply making sure things aren’t happening to people’s data without them knowing about it.”

The truth is that it’s too early to say exactly how this will affect the health and fitness industry, but what is certain is that it will affect the whole sector.

“Despite the lack of clear security guidelines in the industry, GDPR casts a clear spotlight on our legal and moral duty to take a proactive approach to protect and secure customer data,” Simpson says. “This is a real opportunity for businesses to embrace the new regulation, to expand our current view of information beyond that held electronically to include all information assets in the business, and to embed best practice within our daily operations. This will ensure that both business and customer data are protected for a very long time.”

Sign up here to get Fit Tech's weekly ezine and every issue of Fit Tech magazine free on digital.
Gallery
More features
Editor's letter

Into the fitaverse

Fitness is already among the top three markets in the metaverse, with new technology and partnerships driving real growth and consumer engagement that looks likely to spill over into health clubs, gyms and studios
Fit Tech people

Ali Jawad

Paralympic powerlifter and founder, Accessercise
Users can easily identify which facilities in the UK are accessible to the disabled community
Fit Tech people

Hannes Sjöblad

MD, DSruptive
We want to give our users an implantable tool that allows them to collect their health data at any time and in any setting
Fit Tech people

Jamie Buck

Co-founder, Active in Time
We created a solution called AiT Voice, which turns digital data into a spoken audio timetable that connects to phone systems
Profile

Fahad Alhagbani: reinventing fitness

The team is young and ambitious, and the awareness of technology is very high. We share trends and out-of-the-box ideas almost every day
Opinion

Building on the blockchain

For small sports teams looking to compete with giants, blockchain can be a secret weapon explains Lars Rensing, CEO of Protokol
Innovation

Bold move

We ended up raising US$7m in venture capital from incredible investors, including Andreessen Horowitz, Khosla Ventures, Primetime Partners, and GingerBread Capital
App analysis

Check your form

Sency’s motion analysis technology is allowing users to check their technique as they exercise. Co-founder and CEO Gal Rotman explains how
Profile

New reality

Sam Cole, CEO of FitXR, talks to Fit Tech about taking digital workouts to the next level, with an immersive, virtual reality fitness club
Profile

Sohail Rashid

My vision was to create a platform that could improve the sport for lifters at all levels and attract more people, similar to how Strava, Peloton and Zwift have in other sports
Ageing

Reverse Ageing

Many apps help people track their health, but Humanity founders Peter Ward and Michael Geer have put the focus on ageing, to help users to see the direct repercussions of their habits. They talk to Steph Eaves
App analysis

Going hybrid

Workout Anytime created its app in partnership with Virtuagym. Workout Anytime’s Greg Maurer and Virtuagym’s Hugo Braam explain the process behind its creation
Research

Physical activity monitors boost activity levels

Researchers at the University of Copenhagen have conducted a meta analysis of all relevant research and found that the body of evidence shows an impact
Editor's letter

Two-way coaching

Content providers have been hugely active in the fit tech market since the start of the pandemic. We expect the industry to move on from delivering these services on a ‘broadcast-only’ basis as two-way coaching becomes the new USP
Fit Tech People

Laurent Petit

Co-founder, Active Giving
The future of sports and fitness are dependent on the climate. Our goal is to positively influence the future of our planet by instilling a global vision of wellbeing and a sense of collective action
Fit Tech People

Adam Zeitsiff

CEO, Intelivideo
We don’t just create the technology and bail – we support our clients’ ongoing hybridisation efforts
Fit Tech People

Anantharaman Pattabiraman

CEO and co-founder, Auro
When you’re undertaking fitness activities, unless you’re on a stationary bike, in most cases it’s not safe or necessary to be tied to a screen, especially a small screen
Fit Tech People

Mike Hansen

Managing partner, Endorphinz
We noticed a big gap in the market – customers needed better insights but also recommendations on what to do, whether that be customer acquisition, content creation, marketing and more
More features
Study Active is a UK leading provider of health & fitness qualifications including Gym Instructing ...
Keepme is the industry innovator delivering AI-integrated sales and membership solutions to fitness operators globally....
Lockers
Flooring
Digital
Salt therapy products
Cryotherapy
08-10 Oct 2024
Malaga - FYCMA, Malaga, Spain
Study Active is a UK leading provider of health & fitness qualifications including Gym Instructing ...
Keepme is the industry innovator delivering AI-integrated sales and membership solutions to fitness operators globally....
Get Fit Tech
Sign up for the free Fit Tech ezine and breaking news alerts
Sign up
Lockers
Flooring
Digital
Salt therapy products
Cryotherapy
08-10 Oct 2024
Malaga - FYCMA, Malaga, Spain

latest fit tech news

Apple has previewed the upcoming watchOS 11, which has more health and fitness insights and offers more personalisation than ever ...
news • 12 Jun 2024
Noraxon’s next-generation motion capture system, MyoMotion, can be used by PTs to enable custom training programmes, minimise injuries and help ...
news • 11 Jun 2024
New research shows that following social media health influencers motivates young people to exercise more vigorously and eat more fruit ...
news • 28 May 2024
Peloton has secured a critical US$1bn five-year loan to shore up its finances. The loan has repayment terms which are ...
news • 24 May 2024
Peloton Interactive Inc is believed to be working to get its costs under control in a bid to align with ...
news • 08 May 2024
HoloBike, a holographic training bike that simulates trail rides in lifelike 3D, is aiming to push indoor cycling technology up ...
news • 08 May 2024
Xplor Technologies has unveiled a financing solution for small businesses, which aims to counter the traditional lending process and help ...
news • 08 May 2024
Moonbird is a tactile breathing coach, which provides real-time biofeedback, measuring heart rate and heart rate variability. Studies show it ...
news • 02 May 2024
Atlanta-based boutique fitness software company, Xplor Mariana Tek, has kicked off a push for international expansion. Shannon Tracey, VP of ...
news • 18 Apr 2024
Portugese footballer, Cristiano Ronaldo, has launched a health and wellness app that harmonises advice on fitness, nutrition and mental wellness ...
news • 05 Apr 2024
More fit tech news
features

Data protection: Be prepared for changes to data protection laws

With the implementation of the general data protection regulation (GDPR) fast approaching, Health Club Management explores what the biggest shake up of data protection laws for 25 years means for health and fitness businesses across the UK and Europe

Published in Health Club Management 2017 issue 10

Once the preserve of lawyers, data protection is about to become something business owners and their employees need to understand. The GDPR is a new piece of European legislation, which comes into force on 25 May 2018. Designed to address the sheer volume of data created and collected today, the GDPR will oblige every leisure operator to overhaul the way it handles data.

“Every two days, we create as much data as we did from the beginning of time until 2003,” says analyst and author Bernard Marr in his book Data Strategy: How to Profit from a World of Big Data, Analytics and the Internet of Things. “Then we do it again. Every two days. Today we have five zettabytes of digital information; by 2020 it’s expected to grow to 50.”

With this in mind, one thing has become impossible to ignore: the Data Protection Act, which was implemented in 1998, is vastly out of date and is unable to fully address the issues raised by the amount of data generated in society today.

Getting ready
The GDPR has been in development since 2012, yet a vast number of organisations still aren’t ready for the change. One survey by IT company Ipswitch found that 52 per cent of firms admit they’re not prepared for the changes that the regulations will bring, and 44 per cent of IT professionals are struggling to grasp the new rules. Yet the GDPR will apply to all UK companies, regardless of Brexit. Some additional legislation will be required, but the bottom line is that the nation will be affected, even after leaving the union.

Getting on board is vital, as financial penalties will be high. “If you fail to comply, supervisory authorities like the Information Commissioner’s Office (ICO) can issue fines of up to 4 per cent of annual global turnover or €20 million, whichever is higher,” explains Raoul Lumb, data protection associate at law firm SM&B. “Previously, the maximum fine was £500,000, which demonstrates just how serious the EU is about instigating an attitude shift.”

But is getting on board easier said than done? Paul Simpson, Legend Club Management Systems’ chief operating officer says that as safeguarding valuable information is key to the new legislation, organisations must begin by thinking about their information assets. “Operators must be sure about the information their business holds, where this information is located, how up to date it is, if it's still required and if it's in digital or paper format,” Simpson explains.

“They should also make sure they know the extent to which employees are accessing this information using their own devices,” he adds.

“By considering every piece of information in line with the three guiding principles of security – confidentiality, availability and integrity – organisations can begin to understand how to best protect their data assets.”

The expected changes
Particularly relevant for the leisure sector will be changes to what is classified as ‘personal data’. Online identifiers like IP addresses and cookies, for example, will now be considered personal data, which means that a vast amount of data that most operators currently capture as a matter of routine will be subject to specific GDPR stipulations. Secondly, an additional definition has been added to data that falls under the ‘special category of personal data’ classification. Genetic and biometric data is now included, and as such, any data used to measure athletic performance and/or health must be treated according to the rules of this category.

In both instances, the most important factor will be ensuring valid consent is obtained from the owner of the data. A member specifically asking for performance monitoring is likely to be lawful, but operators should stop and question wholesale monitoring, especially if it’s carried out without the knowledge of club members.

Also relevant is the ‘right to be forgotten’. Operators will be obliged to erase data if a member exercises this right and withdraws consent to the storage or use of their personal data.

According to Joanne Barton, product design analyst at Gladstone, software suppliers are already implementing measures to anonymise this type of dataset so they can be validly stored and used after the GDPR’s implementation. She says: “We're instigating changes to make adherence as straightforward as possible.

“Compliance with this and many other aspects of the GDPR will be made easier by having a robust software system that’s ready for the change. We’re adapting our user interfaces to support changes affecting consent rules and anonymisation of data, so all personal data is removed from a database but transactional details remain.”

The marketing minefield
Current laws ensure marketers only email people who’ve ‘opted in’ to receive correspondence from them. The GDPR toughens this process up considerably.

Consent must be explicit, rather than implied, and freely given after a request has been made in clear and plain language. Hiding consent within small print or bundling it up in terms and conditions that must be accepted to become a member or buy a product will no longer be allowed. Operators will need to explain clearly why they’re collecting personal data and how they intend to use it, and as a final hurdle, hold records that prove consent was given.

“The safest option will be to actively seek consent before sending marketing emails and similar,” says Lumb. “Tick boxes will need to be presented separately, with their own wording, and a member shouldn’t be forced to tick that box in order to purchase services. You must also make it clear that consent can be withdrawn at any time.”

Email marketing is an area that companies will need to scrutinise closely to ensure they are operating within the boundaries of the new legislation, and this extends beyond the consent process. Sharing of data obtained with other related services will no longer be acceptable unless the data owner expressly agrees to this.

On the record
A clean-up of membership databases will also be important, assessing what data has been collected, how long it has – and will be – stored for and whether it’s accurate.

Utku Toprakseven is the director of sports intelligence at 4 global, which runs the DataHub Club – a data sharing community for sport and leisure sector organisations. He says: “Data takes numerous journeys through organisations. It can generate intelligence and inform operational solutions that produce commercial returns, participation outcomes and social value. The GDPR is a hot topic for all DataHub Club members, from operators to data controllers, processors and users. The GDPR makes it vital to know where data will add the most value to your business upfront, as this will inform requirements at the point of capture.”

Just complying with the GDPR won’t be enough. Operators must also prove they are compliant by keeping a full audit trail, which the ICO can ask for at any time. Most organisations will need someone who owns the data role and is answerable to all data requirements. As such, companies should consider appointing a dedicated data protection officer (DPO). “Getting GDPR-ready isn’t a one-off project, it requires rolling management and record-keeping. You wouldn’t run your business without an accountant; the same applies to data protection,” explains Toprakseven.

Barton advises: “Speak with your software provider about what changes they're making internally. If consent and audit trails aren’t captured within your software applications, the onus will still be on your business to put manual processes in place to ensure compliance. But of course, if your processes are manual, then they’re open to error.”

The road ahead
Don’t panic and conclude it’s better to take no action, says Lumb. “Start by working out what personal data your organisation collects and how – remember it applies to electronic records and paper records, too.” Next, create a list of what you do with that data and, if it leaves your organisation, how it does so. Lumb advises contacting a specialist lawyer to establish what’s compliant, what isn’t and what steps you’ll need to take to make your systems GDPR-ready. He warns, however, that “lots of companies have seen a business opportunity in the GDPR and are trying to turn themselves into experts. Just be wary.”

The new rules aren’t designed to put operators out of business. “The GDPR will curb invasive uses of personal data by organisations that have no business dealing with that data in the first place,” says Toprakseven. “Lots of people think the GDPR will bind us with red tape. It won’t. It’s simply making sure things aren’t happening to people’s data without them knowing about it.”

The truth is that it’s too early to say exactly how this will affect the health and fitness industry, but what is certain is that it will affect the whole sector.

“Despite the lack of clear security guidelines in the industry, GDPR casts a clear spotlight on our legal and moral duty to take a proactive approach to protect and secure customer data,” Simpson says. “This is a real opportunity for businesses to embrace the new regulation, to expand our current view of information beyond that held electronically to include all information assets in the business, and to embed best practice within our daily operations. This will ensure that both business and customer data are protected for a very long time.”

Sign up here to get Fit Tech's weekly ezine and every issue of Fit Tech magazine free on digital.
Gallery
More features
Editor's letter

Into the fitaverse

Fitness is already among the top three markets in the metaverse, with new technology and partnerships driving real growth and consumer engagement that looks likely to spill over into health clubs, gyms and studios
Fit Tech people

Ali Jawad

Paralympic powerlifter and founder, Accessercise
Users can easily identify which facilities in the UK are accessible to the disabled community
Fit Tech people

Hannes Sjöblad

MD, DSruptive
We want to give our users an implantable tool that allows them to collect their health data at any time and in any setting
Fit Tech people

Jamie Buck

Co-founder, Active in Time
We created a solution called AiT Voice, which turns digital data into a spoken audio timetable that connects to phone systems
Profile

Fahad Alhagbani: reinventing fitness

The team is young and ambitious, and the awareness of technology is very high. We share trends and out-of-the-box ideas almost every day
Opinion

Building on the blockchain

For small sports teams looking to compete with giants, blockchain can be a secret weapon explains Lars Rensing, CEO of Protokol
Innovation

Bold move

We ended up raising US$7m in venture capital from incredible investors, including Andreessen Horowitz, Khosla Ventures, Primetime Partners, and GingerBread Capital
App analysis

Check your form

Sency’s motion analysis technology is allowing users to check their technique as they exercise. Co-founder and CEO Gal Rotman explains how
Profile

New reality

Sam Cole, CEO of FitXR, talks to Fit Tech about taking digital workouts to the next level, with an immersive, virtual reality fitness club
Profile

Sohail Rashid

My vision was to create a platform that could improve the sport for lifters at all levels and attract more people, similar to how Strava, Peloton and Zwift have in other sports
Ageing

Reverse Ageing

Many apps help people track their health, but Humanity founders Peter Ward and Michael Geer have put the focus on ageing, to help users to see the direct repercussions of their habits. They talk to Steph Eaves
App analysis

Going hybrid

Workout Anytime created its app in partnership with Virtuagym. Workout Anytime’s Greg Maurer and Virtuagym’s Hugo Braam explain the process behind its creation
Research

Physical activity monitors boost activity levels

Researchers at the University of Copenhagen have conducted a meta analysis of all relevant research and found that the body of evidence shows an impact
Editor's letter

Two-way coaching

Content providers have been hugely active in the fit tech market since the start of the pandemic. We expect the industry to move on from delivering these services on a ‘broadcast-only’ basis as two-way coaching becomes the new USP
Fit Tech People

Laurent Petit

Co-founder, Active Giving
The future of sports and fitness are dependent on the climate. Our goal is to positively influence the future of our planet by instilling a global vision of wellbeing and a sense of collective action
Fit Tech People

Adam Zeitsiff

CEO, Intelivideo
We don’t just create the technology and bail – we support our clients’ ongoing hybridisation efforts
Fit Tech People

Anantharaman Pattabiraman

CEO and co-founder, Auro
When you’re undertaking fitness activities, unless you’re on a stationary bike, in most cases it’s not safe or necessary to be tied to a screen, especially a small screen
Fit Tech People

Mike Hansen

Managing partner, Endorphinz
We noticed a big gap in the market – customers needed better insights but also recommendations on what to do, whether that be customer acquisition, content creation, marketing and more
More features