GDPR and the business of coaching
With the rapid growth in e-commerce and social media, we are asked almost daily to provide our personal details to a wide variety of businesses and organisations. We provide our names, email addresses, telephone and bank details, as a necessary part of online transactions in exchange for information, goods or services.
For coaches and other sole traders, the requirements of GDPR may appear confusing and disconnected from day to day practice. There are many good reasons you need to retain the personal information of clients: to deliver your service, to send invoices and receive payment, to verify hours in pursuit of accreditation, and to market your experience, brand and values, and by doing so differentiate yourself from similar services.
There are 3 key roles in respect of GDPR – it's unlikely that coaches will be called upon to act as Data Protection Officer if running their business alone, but will most likely perform the roles of both Data Controller and Data Processor, so it’s important to understand the distinctions.
A Data Controller decides the purposes and means of processing personal data. For example, by making the decision to complete and send a log of your hours containing the personal data of your clients to the ICF in order to become accredited, you are acting as a Data Controller.
A Data Processor is responsible for processing personal data on behalf of a controller. They may collate and send personal data to the ICF, but they don’t make the initial decision.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR. When you have both roles, you are responsible for ensuring the decision and the execution are compliant with the regulations.
Take the ICO assessment to see if you should register as a Data Controller here.
The main principles of GDPR are:
Lawful basis – you must have a lawful basis for obtaining and processing data (for example, the legitimate activity of engaging in your business; arranging meetings or calls, providing feedback, business development, invoicing, etc., or consent).
Consent – you must seek your clients’ consent to their personal data being recorded, and to the specific way it will be used and/or shared.
Data Accuracy – the personal data of clients you hold must be accurate.
The rights of the individual – individuals have the following rights under the new law (for a detailed explanation of each of these, click here).
The right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Right not to be subject to automatic decision-making, including profiling
Requesting access – individuals have the right to access the data you hold on them. You must respond to requests within 30 days.
Data breaches – you should have procedures in place to detect and report any breach of security within 72 hours to those affected.
Protection by design – this is a risk-assessment type approach, ensuring the administrative systems you have in place have the protection of personal data embedded, rather than tacked on.
These principles will be manifest in how you think about your back-office procedures and processes, and the policies you share with your clients. Companies need to keep internal records of data processing (such as consent agreements) and must be able to provide an audit if requested. When considering Consent, think about how you will store and update these records.
It’s common at the start of the client/coach relationship to set out a contractual relationship in relation to scheduling, payment, confidentiality etc. This can be a verbal agreement, supported by confirmation in writing, and sets out the assumptions under which the client/coach working relationship is founded. In terms of GDPR, this forms the legal basis on which you hold the data necessary for you to deliver your service. You do not need to seek consent to use contact details to deliver coaching or supervision activity.
You need to be transparent about how you store the data, how long you will retain their data after the business relationship has ended, and how you will dispose of data should the client request it. This should be outlined in a Data Policy which is accessible to both old and new clients.
Examples of activities for which coaches may use client data outside of delivering coaching or supervision, and which require consent/opt-in are:
Validation of hours for accreditation
Marketing (professional updates – social media or website, sharing community information, social media)
For consent to be ‘informed’, you need to be explicit as to how you intend to collect, use and eventually destroy that data. More on this shortly.
You should inform your client if you keep session notes, and how long you will retain them for. Consider where these are retained, and if they are safe. Consider what you would do if a client requested copies of their notes from you (Right of Access). Create a policy for your records as to how you would deal with this request.
If they can be linked to a client by an identifier (such as a name or email address), they fall under GDPR; if they are anonymised, they don’t. However, your notes may be requested by a court of law or be required to be produced in the event of a complaint in relation to a breach of ethics (for information on the ICF code of ethics Section 4, click here).
“Complaints made under the ICF Ethical Conduct Review Process must be filed with ICF within one (1) year of the date of the conduct complained of, or within one (1) year of the date of discovery of the conduct complained of, as long as reasonable diligence was used.”
This doesn’t provide a definitive timeline in relation to the retention and destruction of client notes – the date of discovery of conduct could be years after the conduct actually occurred, so you will need to use your judgement in relation to this.
Invoices contain names and addresses, so the responsibility here falls under the principle of data security and managing data breaches – you do not need consent to send invoices. HMRC requires VAT records to be retained for 7 years, so if you are VAT registered you will need to keep invoices issued to clients secure and ensure that records are destroyed after this period. If you are not VAT registered, you must keep your records for at least 5 years. Security of this data is your responsibility. You can ensure that the devices and electronic/cloud storage methods you use are password protected.
If you use bulk email, social media and/or a website to promote your brand, professional or community activities, you are in data processing territory. You must explicitly ask permission to use personal details clients (old and new) have provided you with for this specific purpose. The period for which you retain contact details in respect of this activity can differ from the retention period for invoices, or for delivering your service. If someone has opted in, you can continue to market to them until they unsubscribe.
If you share data with other organisations for marketing purposes, you must also be explicit about this. Remember, clients have the right to object, the right to be forgotten, the right to not be subject to automated decision-making, and you must make it as easy as possible for them to assert these rights.
The biggest change in the legislation is that clients must ‘opt in’, and you must be able to provide records of this, and the date on which they did. If you don’t have an automated system via your website, a spreadsheet of names and dates, together with a folder of the email confirmations, is one way of keeping track of this.
For Europe-based coaches seeking accreditation with international organisations based outside Europe, there is a challenge in negotiating the transfer of personal data under the terms of the new regulations, which prohibit sharing of personal data outside the EU. Many organisations in the US have signed up to the US Data Privacy Shield, which offers individuals the same level of data protection as GDPR. If the organisation to which you are transferring data is not signed up, I suggest you carry out a risk assessment in relation to the sensitivity of the data, based upon the potential harm which could be caused to the individual.
Where do you store client contact information?
The safety of individuals’ personal data is very important, so where and how you store client data also falls under the new regulations.
You are not allowed to store the personal data of EU/UK citizens outside of the EU/UK unless the companies you use are compliant with GDPR. With the explosion in the use of cloud storage, many of us have been using Dropbox/iCloud/Google Drive regardless of where the servers are located. It is now illegal to store personal data of EU citizens outside the EU. Many cloud storage providers have responded and have servers located in specific regions. It’s important that if you store client personal data with a cloud provider, you understand the security policy of the company you are storing it with, and how they meet the criteria.
Many large companies have signed up to the US Data Privacy Shield. Search for Privacy on their websites and check for yourself, then build this into your policy and review it annually to make sure it fully reflects your practices.
Under the regulations, data breaches must be reported, so consider what would happen if your phone or laptop were to be stolen. The chances are that your mobile phone and laptop are mixed business/personal use. All the more reason for you to take the security of your devices seriously. Every app you download may present a risk to your contacts, and the personal data of your clients. Have you a process to ensure data can be recovered, and the lost devices locked down?
What should you do now?
Firstly, create a client-facing Privacy or Data Policy, which you share on your website (if you have one) and at the point of contracting for future clients, and make available to current and past clients.
Secondly, create internal step by step procedures to deal with Data Processing eventualities. They don’t have to be long-winded or complicated.
My storage devices – mobile phone/laptop
Is it password protected?
Where is it backed up? How do I recover from backup if my device is lost or stolen?
Creating a backup
Opt-in (for specific data processing activities)
Policy for Accreditation/Marketing
Erasing client data
Data Storage (cloud/solutions)
Procedure for communicating with clients
Here is a list of questions you can use to self-check how compliant you are as a starting point. For more detailed information, go to www.ico.org.uk.
Do my clients know how and where I save their data?
Did clients actively consent to my using their data for each purpose I am using it? Do I have a record of this consent?
Where do I keep the personal information of my clients? Do I have a policy? Is the data I store on my clients safe?
Have I considered what a data breach might look like in relation to my business equipment and data storage? If my data is breached, do I have a process for managing it, and informing clients?
Am I satisfied that I understand how the accrediting body I share client details with handles their data? Do I know their retention period? Is the process for my clients to opt out of this easily understood?
How do I process client data?
Do I send bulk mailouts?
Do I gather and analyse website traffic information, such as IP addresses?
Can my clients/contacts ask for their personal details to be erased? Can clients easily find the information they need to do this in my privacy statement?
Do I have a process for erasing client personal details? Is it manual or automated? Where have I recorded it?
Have I a written process for responding to requests from clients to see the data I hold on them? Can clients easily find this information in my privacy statement? Can I retrieve and provide this information to clients within 30 days, if necessary – and how would I do that?
While there is lots in the news about large data breaches affecting thousands of people, and headline-grabbing fines meted out to companies who mistreat personal data, our response should be realistic and appropriate.
By taking the time to examine your relationship with your clients’ data and noting how you can meet the regulations, you will be compliant. Meeting the needs of GDPR can only strengthen your own internal governance and increase confidence that you are running your business in a professional manner. Set a reminder in your calendar to review your public and private policies annually (along with those of anyone who provides you with data storage or with whom you share data); after this initial work, the review should be a quick and easy process.
A template GDPR policy for coaches is available for purchase for £80+VAT. If this is of interest to you, email me at firstname.lastname@example.org.
This article is not to be considered legal advice and should be used for information purposes only.