Is your spa GDPR ready? (Spoiler: probably not)

The GDPR comes into effect on May 25, 2018. Also known as this week. Is your spa ready?

Probably not. According to a survey conducted a few weeks ago, 60% of companies were not likely to meet the compliance deadline for the new European legislation.

In fact, the study found that only 7% of surveyed organizations were in full compliance with GDPR requirements at the time, and only 33% said they are well on their way.

And another survey conducted a few months ago found that healthcare was the sector the least likely to be ready to comply.

You guys! That’s bad. As a spa/wellness business you likely collect potentially sensitive data on your guests. So, this is something to which you should be paying attention.

Here is a not-at-all exhaustive list of things you should know.

1. GDPR is not HIPAA

Being HIPAA compliant doesn’t mean you’re GDPR compliant. The GDPR is European Union law that was approved by the EU Parliament in April 2016, and comes into effect on May 25, 2018. Unlike HIPAA, the law covers all data and not just health data. Also, the fines are way bigger.

2. GDPR fines make HIPAA fines look like small change

HIPAA violations can cost a maximum of $1.5 million per year. Under GDPR, organizations can be fined up to a maximum €20 Million ($23,570,040 USD), or 4% of annual global turnover, for the most serious breaches of GDPR. “Smaller” penalties can include fines of €10 million ($11,786,550 USD), or 2% of annual global turnover.

3. The GDPR doesn’t just apply in the EU

Any business that collects any data on any resident of the EU is subject to the law, no matter where that business operates. So, if you have even one client who resides in the EU, you’re subject to compliance.

4. The GDPR is confusing

Sorry, but it’s the truth.

Companies that employ fewer than 250 people face less stringent requirements than those that employ more than 250 people. Some people think that having fewer than 250 employees means they are exempt altogether. This is not true. Here’s some more information on that.

The rules also differ depending on whether you are a “controller” or a “processor” of data. As a spa that collects data from clients, you might be a “controller.” You might also be a “processor.” You might be neither of these, or both.

According to the GDPR portal, “a controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”

Not clear? Consult a legal expert.

5. Some of the changes from the previous directive

Spas and related wellness and healthcare businesses hold a lot of customer data, and also often use third party processors. Here are some of the changes from the previous directive, which may mean changes for your business.

  • Consent: Customers must now give explicit consent to use their data for any purpose. “Implied” consent is not enough. Nor is lack of objection. Consent must be unambiguous and not drowned in “legalese.”
  • The Right To Erasure/Be Forgotten: Under the GDPR companies are required to erase personal data if the subject requests it. Even if consent is given, it can be revoked.
  • Breach Notification: In the event of a data breach, a controller is required to notify all affected subjects within 72 hours of detection. Relevant regulatory authorities must also be contacted.
  • Data Subject Access Request: EU residents (data subjects) have the right to request access to review all personal information data gathered by companies.
  • Appointing Data Protection Officers: Businesses that fall into certain categories will be required to appoint a Data Protection Officer (DPO). This includes controllers and/or processors that service more than 5000 people, and that collect “sensitive personal data.” This probably won’t apply to you. Individual spas will likely not have to worry about assigning a DPO. And spas operating out of a larger corporation such as a hotel, resort, or casino will not have to assign a DPO because the larger corporation will be classified as the controller/processor, and that corporation will have to assign the DPO. But you should check. Basically, the more personal data possessed by a controller or processor, the more likely it is that a DPO will need to be appointed.

6. You need to keep documentation

The best way to show compliance is to make sure that all internal and external policies are updated and documented, and that all follow GDPR regulations. It is also important that all employees are aware of their compliance obligations. This can be demonstrated by updating internal training manuals, continuing education, on-boarding materials, and policies.

Again, the GDPR is not easy to understand. And the official website is almost laughably light on information. This is vaguely ironic, since clarity is one of its key mandates.

For more, visit the GDPR portal and consult a legal expert.

Good luck!