5 Things Gym Operators Need to Know About GDPR

The new European Data Protection Regulation, going into effect on May 25, will impact more gyms than you might think.

With the new European Data Protection Regulation going into effect on May 25, businesses are working feverishly to understand what is required to be in compliance.

Containing 99 articles, the comprehensive regulation “was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy,” explained Roman Spitko in a special session at IHRSA 2018 in San Diego, CA. Spitko also hosted an IHRSA webinar about GDPR, which is available now.

(Live in the EU? Verify your identity to continue receiving communications from IHRSA.)

Legal Laptop With Data Column

Spitko, who is the head of faculty business administration and economics at German University for Prevention & Healthcare Management, advised attendees about how to comply with the new regulation and the risks for failing to do so.

Here are five takeaways from his session.

1. GDPR Applies to Everyone Doing Business in the EU

The new regulations are relevant for every fitness club, and therefore for every club operator, who is doing business within the European Union.

2. Noncompliance Comes with a Price

Noncompliance will cost you up to 4% of your annual turnover or €20-million—whichever is greater.

3. Consider Appointing a Data Protection Officer

You may need to appoint a Data Protection Officer (DPO). There are many business models in the fitness industry that process biometric data or data concerning health. If processing this kind of data is qualified as core activity, then it could be mandatory for these clubs to appoint a DPO.

“Noncompliance will cost you up to 4% of your annual turnover or €20-million—whichever is greater.”

4. Requirements Differ Depending on Size

Requirements are different for organizations with fewer than 250 employees. A business in this category is not required to maintain a record of processing activities under its responsibility unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offenses” (Article 30, Number 5).

5. Outsource Cautiously

Outsourcing data processing to another company that says it is in compliance does not release your club from liability. If your chosen company is found not to be compliant, then your company will be liable as well.

Learn More About GDPR

For more advice about GDPR from Roman Spitko, watch his IHRSA webinar, "New European Protection Rules: The Impact on Your Gym" (free for IHRSA members).

Author avatar

Cathy McNeil

Cathy McNeil previously served as IHRSA's Vice President of International Operations—a position that built strong relationships with industry professionals worldwide and connected them with people and resources to help them solve business problems and grow.