GDPR for Individual Trainers

First, a disclaimer: the content below is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine precisely how the GDPR may or may not apply to you.

As you may know, all organisations working with EU citizens’ data should be GDPR-compliant starting 25th of May, 2018. There are many terrific articles written about GDPR (for example, by MailChimp, FullStory or Hubspot) which we recommend reading to get more details.

At Workshop Butler, we work with different types of customers: trainers, knowledge brands, and training companies. After many discussions with trainers, we realised that many of them do not fully understand how GDPR influences their businesses. In this article, we will look at the regulation through the lens of solopreneurs working in training or consultancy.

You are a Data Controller

The GDPR splits organisations into two categories:

  • A Data Controller is a person or an organisation that determines the purpose of collecting data.
  • A Data Processor is a party that uses the data on behalf of a data controller.

As a data controller, it is your obligation to collect and process the data of EU citizens lawfully. This means you have to make appropriate changes to your business processes, websites, and third-party services (e.g. Data Controllers).

Many business products you use daily (MailChimp, Hubspot, Google Analytics, Workshop Butler, etc.) have already become or will become GDPR-compliant soon. They can provide additional tools and features to help you organise your business in a GDPR-compliant manner. However, it is up to you to make sure your business follows the rules.

Collecting Personal Data

One of the areas the GDPR takes into consideration is how you collect personal data. The regulation wants you to make clear to users why you store specific data and how you are going to use it.

There are three main ways of collecting the data for trainers:

  • mailing list subscriptions;
  • workshop/webinar attendees;
  • business contacts at conferences.

Let’s look at each of them separately.

Mailing list subscriptions

As a trainer, you probably have a personal website with a mailing list subscription form. The form usually contains Email and Name fields. Sometimes it is only Email. In our case, it does not matter, as both Email and Name are considered personal data under the GDPR.

Under the GDPR, you need to get explicit consent from visitors to store their data via a separate checkbox. Even more: you must be clear about what they are subscribing to and use their data only for the given purposes.

For example, you have two mailing lists: a monthly newsletter and an occasional training promo. On the subscription form, you need to have two checkboxes:

  • I agree to receive monthly newsletters
  • I agree to receive occasional training promotions.

If a visitor subscribes to a monthly newsletter only, you cannot send training promos to them.

Workshop/webinar attendees

When a person registers or attends a workshop/webinar, you use their data in several ways:

  1. Send an invoice
  2. Send additional emails before and after the workshop, related to the workshop itself
  3. Subscribe to a newsletter.

When a person registers for an event, they expect to receive both an invoice (1) and additional information (2). As the emails related to the workshop itself are a part of the product/service visitors purchase, you can send them after the registration. However, you must update your Terms of Use and Privacy Policy and have visitors accept them during the registration.

To bring even more clarity, you can add text like this: I accept Terms of Use and read Privacy Policy. By registering for this event, I agree the organiser may send me emails regarding invoicing, event location, event schedule and other formalities.

If you collect a phone number, you need to get consent for reaching an attendee via phone call or text message. This consent cannot be bundled with consent for getting emails.

The subscription to a newsletter (3) becomes trickier with the GDPR. As explained above, you cannot simply add attendees to your mailing list, even if they participated in an event. They need to give you permission. You can obtain it via:

  1. an additional checkbox on a registration form, asking if they agree to subscribe to a newsletter;
  2. a separate email before or after an event, asking them to subscribe to a newsletter;
  3. a paper feedback form with an additional checkbox as in (1);
  4. asking a direct question. However, we do not recommend this one. Under the GDPR, a person can request what information you store about them and why you use it, meaning you need to explain why this person is subscribed to your mailing list. Oral consent is difficult to record, and it could easily slip through the cracks.

Business contacts at conferences

We assume you follow two basic rules:

  • you never add these contacts to your newsletter;
  • you explain how you got their email address in your first message to them.

If yes, the GDPR does not change much about how you process these contacts. Now, when you take a business card, ask, “Would you mind me contacting you?” That is enough.

Ah, yep, one more thing: all checkboxes on the forms MUST NOT be pre-selected.

Transferring Data to Knowledge Brands

There are many brands which provide licensing or certification programs. For example, Scrum.org, Lean Kanban University, Management 3.0, Lean Change Management, and others. We call them knowledge brands.

As a trainer, you probably work with some of them, so after a workshop, the participants can get a certification. In this case, a knowledge brand is a Data Processor under the GDPR and should be compliant. Ask all brands you work with if they are GDPR-compliant. If they are not, you have to deal with it somehow. Unfortunately, we cannot give any advice here.

You need to make sure the data of attendees is not used for any purposes other than those described above (generation of the certificate, sending exam info). If a knowledge brand uses it for marketing, you have to get additional consent for that from participants.

You also need to notify attendees that you will transfer their data to the knowledge brand(s). You can do it by listing the brands in your Privacy Policy with an explanation of what data you transfer, and why.

Other changes

We described several cases related to a training business that you may not find in other places. They do not cover all the changes you need to make your business GDPR-compliant.

For that, we recommend a good checklist from Hubspot. Following it, you can go through all the nuances of the GDPR step by step.