When the General Data Protection Regulation (GDPR) was first introduced in Europe in 2016, much focus was placed on data privacy worldwide, and similar regulations are slowly being put in place all over the world. As a result, many operators need to prepare for compliance with various regulations.
When working through your compliance with some of the most common points of data regulations across the world, here are three tips on how to strike a balance between compliance and usability:
Design Around Encryption
Regulations mention encryption as one method to protect data from getting into the wrong hands. Data encryption is indeed the IT industry standard for keeping data private. By transforming data into ciphertext that can only be read by someone holding the right password or key, operators can ensure only relevant individuals have access. Even better is two-layer security, which encrypts both the server's storage and individual pieces of data (field-level encryption), so that a stolen disk or database copy alone does not expose sensitive fields.
However, while encryption is seen as the best practice solution for sensitive data like social security numbers and bank account info, it comes at a cost. Once data is encrypted, it’s hard to use it for data reporting or trend analysis, since everything must be decrypted as part of the process.
When operators start encrypting all their data, they should consider the design of their reporting functionality. Sometimes less sensitive data can be used for reporting instead.
Remember Data Access and Portability
Among other rights, regulations give individuals the right to data access and portability. From an industry standpoint, members must be allowed insight into their data and the option to take their data with them if they decide to move to another gym. This includes all information about the member, communication about them, and internal notes and memos where they are mentioned.
Training schedules, training programs, notes, records of payments and more might be split across many systems. Make clear processes or consolidate where possible — the fewer systems, the easier the task.
One single member management system is especially useful for data requests, eliminating the need to go through many systems to find all the necessary data.
Think About Anonymizing Versus Pausing Memberships
Once members stop their memberships, operators are required to delete or anonymize member data. Automated anonymization features in member management systems make this process easier. All personal information like name, address, birthday and credit card information is automatically deleted, while details like gender and training times are anonymized and still available for reporting.
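The anonymization step described above, as an added example that is not part of the original article and not Exerp's code: a terminated member's record is reduced to an allow-list of reporting fields, direct identifiers (name, address, birthday, card number, contact details, member id) are dropped, the member id is replaced by a fresh random token, and training timestamps are coarsened to weekday and hour so usage reports still work. The field names, the sample records and the choice to coarsen times to weekday/hour are assumptions made for this example; the page itself only names gender and training times as the fields that survive.

```python
import secrets
from datetime import datetime
from typing import Any

# Allow-list of fields that survive anonymization and remain usable for reporting.
# The page names gender and training times; the other field names are constructed.
REPORTING_FIELDS = frozenset({"gender", "training_times", "membership_start", "club"})

# Direct identifiers that must never survive, even if someone later adds one of them
# to REPORTING_FIELDS by mistake. The names are constructed for this example.
DIRECT_IDENTIFIERS = frozenset(
    {"member_id", "name", "address", "birthday", "credit_card", "email", "phone"}
)


def coarsen_training_time(timestamp: str) -> str:
    """Reduce an ISO-8601 timestamp to weekday and hour ("Mon 07:00").

    A full timestamp can single out one person (the only visit at 07:13 on a given
    day); weekday and hour are enough for attendance reports. (Assumption: this is
    one reasonable reading of "training times are anonymized".)
    """
    dt = datetime.fromisoformat(timestamp)
    return f"{dt.strftime('%a')} {dt.hour:02d}:00"


def anonymize_member(record: dict[str, Any]) -> dict[str, Any]:
    """Return a reporting-safe copy of a terminated member's record.

    Allow-list semantics: only fields in REPORTING_FIELDS are kept, so any field
    added to the schema later is dropped by default rather than leaked by default.
    The original member id is replaced by a random token that is not derived from
    it, so rows can still be counted but cannot be linked back to the person.
    """
    leaked = REPORTING_FIELDS & DIRECT_IDENTIFIERS
    if leaked:
        raise ValueError(f"allow-list contains direct identifiers: {sorted(leaked)}")

    kept: dict[str, Any] = {k: v for k, v in record.items() if k in REPORTING_FIELDS}
    if "training_times" in kept:
        kept["training_times"] = [coarsen_training_time(t) for t in kept["training_times"]]
    kept["anon_id"] = secrets.token_hex(8)
    return kept


def contains_direct_identifier(record: dict[str, Any]) -> bool:
    """Check used before a record is written to the reporting store."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


# Constructed sample records for a member who has ended their membership.
SAMPLE_MEMBERS = [
    {
        "member_id": 1042,
        "name": "Example Person",
        "address": "1 Example Street",
        "birthday": "1990-05-17",
        "credit_card": "4111-XXXX-XXXX-1111",
        "email": "example@example.invalid",
        "gender": "F",
        "membership_start": "2022-01-10",
        "club": "Downtown",
        "training_times": ["2024-03-04T07:15", "2024-03-06T18:40"],
    }
]


def anonymize_all(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Anonymize every record and refuse to emit one that still carries an identifier."""
    out = []
    for rec in records:
        anon = anonymize_member(rec)
        if contains_direct_identifier(anon):
            raise RuntimeError("anonymized record still contains a direct identifier")
        out.append(anon)
    return out


if __name__ == "__main__":
    for anon in anonymize_all(SAMPLE_MEMBERS):
        print(anon)
```

Because the allow-list is the only thing that decides what survives, adding a new personal field to the member schema never silently reaches the reporting store; the reverse design (a deny-list of fields to strip) fails quietly the first time a new identifier is added. The `anon_id` is random rather than a hash of the member id, since a hash of a small id space can be reversed by anyone who can enumerate ids.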
Data deletion and anonymization hit operators especially hard when it comes to reporting. It’s difficult to encourage members to rejoin when you can no longer be in touch with them. Some users aren’t entirely satisfied with their data removal either. They may need to leave the gym for an extended time due to surgery or a move, and they want to access their training schedules when they get back.
Instead of automatically deleting a user’s data when they quit, give those members the option of a low-fee “membership pause.” This lets you keep them in your system and allows for future engagement. Alternately, give members a copy of their training schedule for when they return.
Jesper Witt is the compliance and operations lead at Exerp. He can be reached at sales@exerp.com.