First, a disclaimer: the content below is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine precisely how the GDPR may or may not apply to you.
As you may know, all organisations working with EU citizens’ data should be GDPR-compliant starting 25th of May, 2018. There are many terrific articles written about GDPR (for example, by MailChimp, FullStory or Hubspot) which we recommend reading to get more details.
At Workshop Butler, we work with different types of customers: trainers, knowledge brands, and training companies. After many discussions with trainers, we realised that many of them do not fully understand how GDPR influences their businesses. In this article, we will look at the regulation through the lenses of solopreneurs working in training or consultancy spheres.
You are a Data Controller
The GDPR splits organisations into two categories:
- Data Controller is a person or an organisation who determines the purpose of collecting data.
- Data Processor is a party which uses the data on behalf of data controller.
As a data controller, it is your obligation to collect and process the data of EU citizens lawfully. It means you have to make appropriate changes to your business processes, websites, and third-party services (e.g. Data Controllers).
Many business products you use daily (MailChimp, Hubspot, Google Analytics, Workshop Butler, etc.) have already become or will become GDPR-compliant soon. They can provide additional tools and features to help you organise your business in GDPR-compliant manner. However, it is up to you to make sure it follows the rules.
Collecting Personal Data
One of the areas the GPDR takes into consideration is how you collect personal data. The regulation wants you to bring clarity to users on why you store specific data, and how you are going to use it.
There are three main ways of collecting the data for trainers:
- mailing list subscriptions;
- workshop/webinar attendees;
- business contacts at conferences.
Let’s look at each of them separately.
Mailing list subscriptions
As a trainer, you probably have a personal website with a mailing list subscription form. The form usually contains Email and Name fields. Sometimes it is only Email. In our case, it does not matter as both Email and Name are considered as personal data by the GDPR.
Under the GDPR, you need to get an explicit consent from visitors to store their data via a separate checkbox. Even more: you must be clear what they subscribe for and use their data only for the given purposes.
For example, you have two mailing lists: a monthly newsletter and an occasional training promo. On the subscription form, you need to have two checkboxes:
- I agree to receive monthly newsletters
- I agree to receive occasional training promotions.
If a visitor subscribes to a monthly newsletter only, you cannot send training promos to them.
When a person registers or attends a workshop/webinar, you use their data in several ways:
- Send an invoice
- Send additional emails before and after the workshop, related to the workshop itself
- Subscribe to a newsletter.
If you collect a phone number, you need to get consent for reaching an attendee via phone call or text message. This consent cannot be bundled with consent for getting emails.
The subscription to a newsletter (3) becomes trickier with the GDPR. As it was explained before, you cannot simply add attendees to your mailing list, even if they participated in an event. They need to permit you. You can do it via:
- an additional checkbox on a registration form, asking if they agree to subscribe to a newsletter;
- a separate email before or after an event, asking them to subscribe to a newsletter;
- a paper feedback form with an additional checkbox as in (1);
- asking a direct question. However, we do not recommend this one. Under the GDPR, a person can request what information you store about them and why you use it, meaning you need to explain why this person is subscribed to your mailing list. Oral consent is difficult to record, and it could easily slip through the cracks.
Business contacts at conferences
We assume you follow two basic rules:
- you never add these contacts to your newsletter.
- you explain how you get their email address in your first message to them.
If yes, the GDPR does not influence the processing of the contacts a lot. Now, when you take a business card, ask, “Would you mind me contacting you?”. It would be enough.
Ah, yeap, one more thing: all checkboxes on the forms MUST NOT be pre-selected.
Transferring Data to Knowledge Brands
There are many brands which provide licensing or certification programs. For example, Scrum.org, Lean Kanban University, Management 3.0, Lean Change Management, and others. We call them knowledge brands.
As a trainer, you probably work with some of them, so after a workshop, the participants can get a certification. In this case, a knowledge brand is a Data Processor under the GDPR and should be compliant. Ask all brands you work with if they are GDPR-compliant. If they are not, you have to deal with it somehow. Unfortunately, we cannot give any advice here.
You need to make sure the data of attendees is not used for any other purposes besides described above (generation of the certificate, sending exam info). If a knowledge brand uses it for marketing, you have to get an additional consent for that from participants.
We described several cases, related to a training business which you may not find in other places. They do not cover all the changes you need to make your business GDPR-compliant.
For that, we recommend you a good checklist from Hubspot. Following it, you can go through all nuances of GDPR step by step.