Securing Your Membership’s Personally Identifiable Data
Now might be a good time to look at Data Security and what gym businesses need to keep in mind. For example, if you take electronic payments, you have to follow the rules of the Card Payment Industry. Your business needs data about your membership, and that comes with risks.
These days, gym business owners and operators need to be acutely aware of the threats that can materialize out of left field. Now that you can keep track of so much data about your membership, you have to protect it.
Your business depends on information, so it helps if you understand the basic principles that drive privacy legislation like Europe’s General Data Protection Regulation or GDPR. Europe based this new regulation on eight sound principles that were agreed almost four decades ago. If you’ve heard of it, you’re probably wondering how it could possibly impact business owners like you in North America.
The Science of Data Compliance
While this European law probably doesn’t impact you directly, membership-based businesses are built on data. After all, what’s a membership if you can’t keep track of it? If your security is breached, it could lead to harm for your clients which is bad in itself, but that could lead to court actions against you.
Ultimately, your reputation depends on being discreet; people don’t like to find that some data breach has compromised them when more could have been done to protect it. Famous data incidents, like the Target Scandal and the Equifax consumer data breach, have put us on alert about the danger.
Guidelines for Data Controllers
It can all seem overwhelming, but there are guidelines and examples to look to that will help you do enough to be able to sleep at night. Let’s take a look at the principles of data security. There are a lot of thoughtful people contributing to the subject, so you need not feel alone.
A long time ago, the United States and Europe sat down with the thirty-two other OECD member-states and worked out some core principles for protecting personally identifiable information. Since the gym business depends on recruiting and retaining consumers as subscription members, I figure it’s good to know these basics.
The Eight Principles Issued by The OECD
In 1980, the OECD Privacy Principles defined a framework of eight fundamental principles of handling data about individuals. When you collect, store, or process data you are a Data Controller, which means you are the person or organization that is responsible for it. The person about whom you hold personally identifiable information is the Data Subject. If you follow these eight points about your membership data in mind, you’ll have a basic understanding of what’s expected.
Accountability – Accept that you could be held responsible so be proactive about your burden
Individual Participation – Your subjects should be able to find out what you know about them and correct errors
Openness – You should post your policies publicly and explain why, where, and how you use personal data
Security Safeguards – Have security in place and a plan of action if there’s a breach
Use Limitation – Keep private data protected and stick to the defined uses of your published policy
Purpose Specification – Define your purpose for collection before you capture the data, not after
Data Quality – The data should only be that which you need, and accurate
Collection Limitation – Your methods of collection should be fair and lawful and relate directly to the purpose for which it will be used
Is GDPR Something That Gym Owners Should Worry About in America?
The European Union has really set the ball rolling in data security when it put the GDPR into effect in May of 2018. The regulation applies to any organization that controls the data of EU Citizens. You may have read about worries as to what it means for US businesses.
Punishments under the GDPR include fines that could be the higher of 20 million Euros or four percent of your global revenues. While any violation would be prosecuted in European courts, international treaties mean that an American company could, theoretically, be made to pay.
Fortunately, there are limitations; a small gym business that captures protected data occasionally most likely doesn’t need to worry. The regulation does apply to all companies with more than 250 full-time employees, and any business that specializes in handling data, not fitness clubs.
Other Demands for Data Compliance
In fitness, you’re more likely to hand medical and financial data. Complying with Payment Card Industry Data Security Standards is critical if you take electronic payments. However, it’s something that your payment processor usually does for you. Gym Insight has all of the payment tools that put you in control of your cash flow and keep you in PCI compliance.
If you handle medical information about customers, HIPAA is on a whole different level of compliance, and that is beyond the scope here. The laws and regulations around data protection are only likely to get more stringent as companies continue to suffer breaches.
However, it’s possible that at some point in the near future the rules about US data subjects will become more like the GDPR, so it helps to be aware. As with any legal matter, this is not legal advice. If you think you could be liable or you plan to work with regulated data make sure you have an attorney validate your terms of service and privacy policy before you commit.
Bibliography
Economist Staff. What is the OECD? July 6, 2017. https://www.economist.com/the-economist-explains/2017/07/05/what-is-the-oecd (accessed July 1, 2018).
Fagan, Lawrence. Target’s Data Breach Impacts the Health Club Industry. May 19, 2014. https://blog.gyminsight.com/2675-targets-data-breach-impacts-the-health-club-industry/ (accessed September 16, 2015).
Fung, Brian. Equifax’s massive 2017 data breach keeps getting worse. March 1, 2018. https://www.washingtonpost.com/news/the-switch/wp/2018/03/01/equifax-keeps-finding-millions-more-people-who-were-affected-by-its-massive-data-breach/?utm_term=.a8526bd032da (accessed July 1, 2018).
Gerber, Ben. OECD Privacy Principles. August 9, 2010. https://oecdprivacy.org/ (accessed July 1, 2018).
Pickard-Whitehead, Gabrielle. What is PCI Compliance and Why MUST Small Business Owners Be Concerned? May 18, 2018. https://smallbiztrends.com/2018/05/what-is-pci-compliance-small-business.html (accessed July 1, 2018).
Scott, Jason. Improving Your Club’s Data Security. December 8, 2017. https://clubsolutionsmagazine.com/2017/12/improving-clubs-data-security/.