TRP Customer GDPR Guidance: General Data Protection Regulation - What You Need to Know

Version 3. (Last Updated 21-May-18). This document will be updated as and when new information becomes available.

Overview

The General Data Protection Regulation (GDPR), which will come into force on 25 May 2018, is an update to the existing data protection regulations created in the late 1990s, intended to better fit how data is now processed by organisations. It is designed to harmonise consumer rights and represents a key shift in the way customer data is used and managed, granting customers control over their own data and tightening the rules around its collection.

GDPR – The Detail

Who Does GDPR Apply to?

The GDPR applies to all organisations operating in the EU and/or processing “personal data” of EU residents. Personal data is any information relating to an identified or identifiable person.

 

How Has TRP Been Preparing for GDPR?

TRP is part of the Jonas Group of Companies. We have been working with a team of specialist lawyers who have been supporting us to ensure compliance with the new regulations by 25 May 2018. In some cases, this has been as straightforward as updating our current policies and in others has required development work within our software.

The result is that you, our customers and partners, will be able to continue to benefit from our software, with the assurance that it is compliant and that we can support you in your role as the Data Controller.

ICO Registration Certificate

You can view our ICO Registration Certificate for 2017/2018 here.

 

How Can You Prepare for GDPR?

It should be emphasised that TRP software alone cannot make an operator compliant, as the regulation applies to all processes and practices performed by your organisation.

You should review all existing processes in place within your organisation that relate to the storage and use of casual and member data.

We have added a list of Third Party Resources at the end of this document which you may find useful when preparing your business for GDPR.

 

Key Definitions

GDPR

The General Data Protection Regulation (“GDPR”) is a new European regulation which will replace the current EU Data Protection Directive (“Directive 95/46/EC”). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonise EU data protection law.

 

Controller

A controller determines the purposes and means of processing personal data.

You as an operator are the data controller.

 

Processor

A processor is responsible for processing personal data on behalf of a controller.

TRP is the data processor for the member data that you control and that is used in our software.

Data Subject

The Data Subject is the term for the individual to whom the data relates.

 

Personal Data

The GDPR applies to ‘personal data’ meaning any information that could be used to identify an individual.

 

Sensitive Personal Data

The GDPR refers to sensitive personal data as “special categories of personal data”.

Click here to view the ICO's guidance for special category data.

 

Changes Within Our Software

We have been working hard to ensure that we can continue to provide you with software that is GDPR compliant, and that the changes we make for compliance have minimal impact on the way you use our software.

As a result of this work, we are pleased to let you know that no upgrades are required.

There are some changes that we need to draw your attention to, and it is important that you read and understand this section and how it applies to your business. These changes are highlighted in the next section by the word FEATURE, alongside what to expect and an explanation of the GDPR requirement met. If you just want to see a list of the software features that will be released for GDPR, you can scroll to the end of the document for a feature list table.

If you require any further support, please do not hesitate to contact your account coach via coach@trpcem.com or helpdesk@trpcem.com.

Your Data

The security of your data has always been and remains our top priority. TRP are compliant with CASL and GDPR legislation and are registered with the ICO.


In addition we have prepared a Data Processor Addendum (DPA) for our clients which details our commitments as a Data Processor.

ICO Registration Certificate

You can view our ICO Registration Certificate for 2017/2018 here.

Data Storage

For our hosted customers our policy is to hold the data we process on your behalf in the Country in which you are based. For our UK customers all the TRP product data that we process on your behalf is stored within the EU – currently in Manchester and Reading.


You can view our Security Management and Data Protection for SaaS policy here.

The Nature and Purpose of the Processing of Personal Data

Insight Software – Data is used to decide which customers will receive NPS Survey emails to provide feedback for analysis.

Interact (inc. Process) Software – Data is used to trigger interactions to help engage members.

Commit2Success Software – Data is used to flag specific customers who meet pre-set criteria and will then receive emails via Digital.

Digital Software – Automated email and SMS.

Nutrition Complete Software – Meal planning software to support weight management and nutrition management (Special Category Data).

Fitness – Data is used to support Member Engagement and track progress on a range of fitness measures.

RMemail – Automated and on-demand email communication.

Types of Personal Data Processed

We are keen to ensure that we only process data that is required to provide you with our services. As part of our preparation for GDPR we have reviewed the data that we collect and will continue to review it to ensure that we do not hold on to data that is not needed.


You can view a list of the types of personal data that we process here.

Sub-Processors

We always ensure that any sub-processors that we engage with on your behalf are compliant from a data protection point of view.


You can view our list of Sub Processors here.

Data Retention and Destruction

In addition to ensuring that we only process data that is necessary we can assure you that we have robust processes in place to ensure that we delete data that is no longer needed. For details of our process and timelines for data retention and deletion please read our Data Retention and Destruction Policy.

FEATURE. All products – In line with our Data Retention and Destruction Policy we will remove data for customers who have cancelled and not registered an attendance in your MMS during the last 24 months. For more details click here.

Lawful Basis for Processing

Where We Believe Legitimate Interest Applies as the Lawful Basis for Processing

Our products are designed to be used by you in a way that we believe constitutes legitimate interest; therefore we do not believe that consent is required, so long as your members are aware of the processing activities and of the use of an algorithm to make decisions that we undertake on your behalf. If you are choosing to use Digital to send direct marketing emails to prospects, please see the note below 'Where We Believe Consent is Required as the Lawful Basis for Processing'.

In order to make your members aware of these activities, we recommend that you update your privacy policy to specifically mention TRP and our processing activities. We can share our Privacy Policy with you so that you can add it within your policy should you wish.

FEATURE. Insight & Digital - You are now required to ensure that your own Privacy Policy is added to the emails you send. For more details click here.

Once your privacy policy is updated, we think that you will actively need to bring this information to the attention of your members at the earliest opportunity, but we do not believe that you need to opt all of your members out of receiving TRP emails. Click here to see the ICO's guidance on privacy policies.

If you have been advised differently please do contact us to discuss how we can support you to meet your requirements. If you make changes within your member management system you do need to let us know so that we can discuss with you how you can ensure that the functionality of TRP software is not compromised.

 

Ability for Your Members to Opt Out

Our Digital and Insight products already include an unsubscribe link in surveys, emails and SMS which allows your members to opt out of receiving these specific communications from you, at any time, without your intervention.

 

Where We Believe Consent is Required as the Lawful Basis for Processing

Fitness

Our Fitness product does request some data that could be classed as sensitive. Like all data, we will ensure that it is held securely.

Click here to view the ICO’s guidance around sensitive data.

You will need to explain to your customers what the specific purpose for holding the data is and obtain explicit consent from them in order to store and use this information on their behalf. 

We will be contacting our Fitness customers directly regarding this.

We need you to advise us that you have consent to hold historical data for your customers. We are required under GDPR to delete all sensitive personal data for which we do not have confirmation from you that consent has been given. Please contact your Retention Coach or helpdesk@trpcem.com for more details.

FEATURE. Fitness Software – A warning message will appear to remind you to ensure that you have consent to hold sensitive data for your customer. For more details click here.

Digital

If you are choosing to use Digital to send direct marketing emails to prospects (i.e. individuals who are not current customers/members of your facility), you may want to assess whether you need to seek specific, positive, opt in consent from these individuals to continue communicating with them in this manner from 25 May 2018.

FEATURE. Insight & Digital – You will see a warning when selecting a list or sending mailings that reminds you to ensure you have consent. For more details click here.

Commit to Success

FEATURE. In order to ensure compliance with GDPR legislation we have had to make a change to our Commit to Success Feature. The Refer a Friend Feature is no longer available, so we have made some changes to the email text and reports. For more details click here.

Individual Rights

Right to Object: Opt-Outs

Insight & Digital

Your customers can opt out of communications from our Digital or Insight products directly through the unsubscribe link provided within your communications to them sent via these systems, without your intervention.

However, should a customer contact you directly to request to unsubscribe from these communications, as the data controller, you need to let us know so that we can help action this for you.

All you need to do is raise a support ticket to helpdesk@trpcem.com.

For more details of how to do this and the information required please read our How to Raise A GDPR Data Request guidance here.

For further information from the ICO on the right to object please click here.

Right to Be Informed

The right to be informed encompasses your obligation to provide your members with information about what you are doing with their personal data and why.

It emphasises the need for transparency over how you use personal data.

For further information from the ICO on the right to be informed please click here.

In order to make your members aware that their data is being processed by us, we recommend that you update your privacy policy (if you haven't already done so) to specifically mention TRP and our processing activities.

Once your privacy policy is updated, we think that you will actively need to bring this information to the attention of your members at the earliest opportunity. Click here to see the ICO's guidance on privacy policies.

Our legal team are currently reviewing our privacy policy and we will be updating it as required. Our current privacy policy can be found here but we will notify you when it is updated.

FEATURE. Insight & Digital - You are now required to ensure that your own Privacy Policy is added to the emails you send. For more details click here.

FEATURE. Insight & Digital – You will see a warning when selecting a list or sending mailings that reminds you to ensure you have consent. For more details click here.

Right to Erasure

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

We will, of course, ensure that we assist you with any erasure request. All you need to do is raise a support ticket to helpdesk@trpcem.com.

For more details of how to do this and the information required please read our How to Raise A GDPR Data Request guidance here.

FEATURE. Insight, Interact & Digital – When we receive a request by you for deletion or removal the data will be anonymised. You will see the word REMOVED in your MMS. For more details click here.

FEATURE. Nutrition Complete – When we receive a request by you for deletion or removal the data will be anonymised. You will see the word REMOVED in your MMS. For more details click here.

For further information from the ICO on the right to erasure please click here.

Right to Data Portability and Right of Access

The GDPR gives individuals the right to access the data you hold on them and request that it is provided to them in a ‘machine readable form’ to be transferred/copied to a third party at their discretion.

If you have a request from a data subject to provide them with the data that we hold, you will just need to raise a support ticket via helpdesk@trpcem.com and we will assist you.

For more details of how to do this and the information required please read our How to Raise A GDPR Data Request guidance here.

FEATURE. All products – When we receive a data subject access request, data will need to be shared securely. For more details click here.

As per the ICO’s GDPR guidance, if we assess the request to be complex or numerous, it may take us slightly longer to process for you - but we will be sure to let you know as soon as possible if this is the case.

If you have a request from a data subject to provide them with the data that a member management system holds, you will need to contact the organisation that provides that software to you directly and we do not need to be informed.

For further information from the ICO on the right of access please click here.

For further information from the ICO on the right to data portability please click here.

Restriction of Processing

Where GDPR guidance advises it is not appropriate to remove/delete an individual’s personal data, restriction of processing gives them the right to request that you stop processing it – meaning that whilst you can continue to store it, you can no longer use it in any way.

If you have a request from a data subject to restrict the processing of their personal data within our software, you will just need to raise a support ticket via helpdesk@trpcem.com and we will assist you to action this.

For more details of how to do this and the information required please read our How to Raise A GDPR Data Request guidance here.

FEATURE. Insight, Interact & Digital – When we receive a request by you for deletion or removal the data will be anonymised. You will see the word REMOVED in your MMS. For more details click here.

FEATURE. Nutrition Complete – When we receive a request by you for deletion or removal the data will be anonymised. You will see the word REMOVED in your MMS. For more details click here.

For further information from the ICO on the right to restriction and when it may apply please click here.

Right to Rectification

If a customer discovers that you are holding inaccurate personal data about them, they have the right to request that it is amended.

Because we obtain this type of data from your Member Management System, you will need to arrange for it to be updated there.

For further information from the ICO on the right to rectification please click here.

Full List of New Features Created for GDPR

| GDPR Requirement | Product | Feature | Link to Document |
| --- | --- | --- | --- |
| Data Retention | Insight, Digital & Interact | We will remove data for customers who have cancelled and have not returned within 2 years | Click Here |
| Lawful Basis | PENDING ACTIONS | Warning to users when selecting a list/sending mailings to capture consent if required | Click Here |
| Lawful Basis | Fitness | Handling sensitive data. If height and weight are sensitive we need explicit consent to store | Click Here |
| Lawful Basis | Commit to Success | Removal of refer a friend feature | Click Here |
| Right to be Forgotten (Right to Removal) & Right to Restriction | Interact, Insight & Digital | Anonymisation of members' personal data when requested via the data controller for a removal request, and reversible anonymisation for a restriction request | Click Here |
| Right to be Forgotten (Right to Removal) & Right to Restriction | Nutrition Complete | How to submit a request by a data subject to have their data removed or restricted | Click Here |
| Right to Access | Interact, Insight, Digital & Nutrition Complete | How to raise a subject access request | Click Here |
| Privacy Policy | Insight & Digital | Default privacy policy removed from Insight and Digital. The data controller must upload their own privacy policy. If they do not, messages will not send | Click Here |
| Customer Guide - How to Raise a GDPR Data Request | Interact, Insight & Digital | Customer guide for raising a GDPR support ticket covering 1) opt outs 2) right to erasure 3) portability 4) restriction of processing | Click Here |


The Legal Bits

Our Contract/Agreement With You

We will be in touch to review existing contracts to ensure we both have an agreement to become GDPR compliant within the scope of our relationship. We have a Data Processor Addendum (DPA) which we will share with our customers.

 

Contracts/Agreements With Sub-Processors

We always ensure that any sub-processors that we engage with on your behalf are compliant from a data protection point of view. We are in the process of re-reviewing this for the introduction of the GDPR on 25 May 2018.

 

Data Breaches

As your data processor, we will meet our legal obligations to provide information to you in the event of a data breach. A copy of our Data Breach Policy is available on request.

 

Privacy by Design and Default

Our development team is adopting a privacy by design approach, carrying out Privacy Impact Assessments (PIA) as part of our ongoing development of products. Designing projects, processes, products and systems with privacy in mind at the outset will be at the core of our product development going forward.

 

Our Marketing Practice

Contacting You via Email

As you are our customers, we believe that the content we are sharing with you via email is relevant, valuable, interesting and beneficial to you as an operator within the health and fitness industry who has invested in software to improve member engagement and experience.

We also believe that, as a customer of ours, you would reasonably expect to receive the type of content we are currently sending you as part of your relationship with us.

Therefore, our current assessment is that this is covered by the lawful basis for processing of ‘Legitimate Interest’ under the GDPR.

If you disagree, you are free to opt out of receiving our marketing emails at any time.

All our marketing emails contain an unsubscribe link in the footer which allows you to easily opt out in just a few clicks.

If you are unable to find this link or it isn’t working, please email marketing@trpcem.com and we will manually unsubscribe you from the system at our earliest reasonable convenience.

 

Third Party Resources

ICO Guide to the General Data Protection Regulation: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Getting Ready for the GDPR Checklist: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

Preparing for the General Data Protection Regulation (GDPR) 12 Steps to Take Now: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

 
