A Practical Implementation GDPR Guide for Self-Employed Health & Wellness Practitioners and Coaches
This article is aimed at professionals working in health & wellness fields, such as fitness, acupuncture, massage and coaching, who are self-employed. As you collect sensitive personal data, it is important to protect yourself and your clients, and this article will guide you on how to prepare yourself.
We look at the steps involved in the implementation and the areas you need to consider, such as reviewing the information required on your intake assessment form, storing client notes, securing email and laptops, and we provide a sample data protection policy that you can use.
Although the new General Data Protection Regulation (GDPR) is mainly aimed at companies with more than 250 employees or high volumes of data processing, anyone who engages in business and collects sensitive personal data will need to be compliant to a certain extent, and it is important to demonstrate that you have taken steps to address this as significant fines may apply, arising from audits, inspections or reported data breaches.
It’s not as complicated as it might seem, and here are some steps to follow to get yourself compliant:
1. Map the Current Flow of Personal Data
Review and document all data processing activities and security processes in relation to:
Personal Data – identifying information such as name, address and email address.
Sensitive Personal Data – special categories requiring strong protection including data containing health, sex life or sexual orientation, religious beliefs, race and genetic data.
For an independent health & wellness practitioners and coaches, sources of personal data could include:
An email seeking a session with detail of the persons health or mental state
The intake assessment form
If you conducted a session online, there could be chat notes in the system you were using such as Skype
Client session notes
If you ask people to sign up to your online newsletter via a webform on your website
If you collect names & emails at a holistic fair
2. Assess Risks
You should review the risk of all personal data, asking questions such as:
Where is the data being stored?
Is the data safe?
Who has access to the data?
How is the data transferred?
Examples of Changes You Might Implement
Ensure you are using email that is encrypted
Delete all client emails once you have set up the appointment
Delete all chat notes in Skype after an online session
After a session, scan the intake assessment form and client notes and save them to encrypted storage area. Shred the paper copies.
Change your webform to make it clear what they are signing up to (see example below).
_______________________________________________________________________________
Example:– How to Secure Your Laptop
A stolen or hacked laptop can really expose you and any personal data it contains. Make sure your laptop is password protected, has up-to-date anti-virus software, has encrypted hard drives and is regularly backed up. Keep a paper trail that shows when you change your password, update your software and do your backup.
_______________________________________________________________________________
3. Changes Required
Identify any required changes required to how the data is received, processed, stored and transferred and make plan for any changes required to achieve compliance.
It’s important to note that if your work involves the processing of data from children, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians.
_______________________________________________________________________________
Example: How to Change a Webform Requesting Email Sign Up
Clearly state the purpose of requesting the personal data ‘We will send you regular updates about ……..’.
Reduce the information requested to only the first name and the email address.
Clearly state that you will not share their details with any one else – ‘We won’t add your details to any other list or share them.’
State that consent is easy to withdraw ‘You can unsubscribe at any time.’
Add in a link to your Data Protection Policy – ‘For more information, see our Data Protection Policy’.
_______________________________________________________________________________
4. External Providers
If you are sub-contracting any of the work you do, these third parties need to be given documented instructions, covering areas including confidentiality obligations, security practices, rules around the appointment of sub-processors and the return or destruction of the personal data at the end of the relationships.
5. Policy Documents
Create a publicly available data protection policy, which covers the key areas of:
Consent for personal data to be processed and shared: make sure people know what you intend to do with their data e.g. if you collect names and emails at an event for a competition, you must tell them if you intend to add them to your newsletter email list.
Access to personal data: your clients can ask you to share with them any personal information you have belonging to them so it is important to be organized about how you store information.
Right to be forgotten: clients can ask you to delete their data from your system.
Right to portability: clients can ask you to transfer their data to another health & wellness practitioners and coaches.
Right to rectification: clients can ask you to correct any incorrect or out-of-date information.
Breach management: data breaches must be reported within 72 hours and you must keep a log of any breaches that occur.
I have created a sample data protection policy for health & wellness practitioners and coaches. You can download here – SAMPLE_POLICY
When you download the policy, open it in Microsoft Word, select the entire document, choose Edit/Replace and replace [The Company] with your company name. You can read through the document to see if it is suitable for you. You can then save your data protection policy and have a link to it from your website.
6. Training
If you work for yourself, you don’t need to show evidence of training but it is a good idea to be able to demonstrate that you have done your data mapping, assessed the risks and put procedures in place to ensure compliance.
7. Ongoing Audits
You should create a procedure that assesses the risk when anything in your business changes which involves requesting personal data, and that the GDPR principles are always adhered to in any new development.
An annual audit would be good practice, with some basic checks being conducted to ensure consent is being requested, data is stored securely, etc.
Guest blog post by Georgina Kearney
Georgina Kearney is a qualified accountant who has also been a professional coach, working with individual clients, so she has a very good understanding of the flow of personal data that a health & wellness professionals encounter. She runs Data Protection Providers Ltd. and you can contact her at the website
You can contact Georgina via email at info@dppl.ie or by phone on 086 812 7708.