Skip to main content

Data protection. Probably not something you give much thought to, but whether you store your clients’ personal details in folders, spreadsheets or don’t really have a system, data protection is something every PT needs to understand.

The General Data Protection Regulation (GDPR) is a new piece of European legislation that comes into force on 25 May and affects personal data and how it’s collected and stored. It will mean big changes to the way PTs protect their clients’ data.

Why bother?

Failing to notify a breach when required to do so, could result in a significant fine of up to £8.8m or 2% of your global turnover, according to the Information Commissioner’s Office (ICO). The fine can be combined with the ICO’s other corrective powers under Article 58. So, it’s important to make sure you have a robust breach-reporting process in place to ensure you can detect and notify a breach on time, and provide the necessary details.

Thanks to smartphones, computers, the Net and social media, we accumulate data at an alarming rate. Our lives will be increasingly determined by data held on us, yet it’s more open to compromise than ever – just ask MyFitnessPal, Yahoo! or Uber. “The GDPR brings data protection bang up to date, giving us greater control of our personal data – how it’s collected and held, by whom, and for how long,” explains Raoul Lumb, data protection associate at law firm SM&B.

Where do I start?

Begin by getting organised. Think about what clients’ data you store, why you’re keeping it, whether you have permission to do so, how you manage it, where it’s kept, who has access to it and for how long. “Map it out so there’s no confusion, then work out what’s compliant and what you don’t have consent for,” advises Lumb.

Taking ‘before and after’ pictures, storing client measurements and personal health information – all day-to-day occurrences for PTs and all fine under the news rules, as long as you’ve validly obtained consent. Even if a client specifically asks for, say, performance monitoring, it’s best to ensure you have written consent.

And sweating the details can be significant.  For example, Pre-screening participants and clients is an integral part of the health and safety procedure, therefore the fundamental principles of the GDPR also apply to the provision of PAR-Q forms.”

The main aim of the GDPR is to provide more control over how organisations use data. Companies have an obligation to securely store customer data, be transparent about any data held when asking new and existing participants to supply details, and also to delete any data once expired or when asked to do so by its clients.

Article 5 of the GDPR outlines six principles that should be applied to any collection or processing of a person’s data, which are as follows:


  1. Personal data (PD) must be processed lawfully, fairly and transparently
  2. PD can only be collected for specified, explicit and legitimate purposes
  3. PD must be adequate, relevant and limited to what is necessary for processing
  4. PD must be adequate and kept up to date
  5. PD must be kept in a form such that the data subject can be identified only ‘as long as necessary’ for processing
  6. PD must be processed in a manner that ensures its security

Here’s the legal blurb: consent must be explicit, rather than implied, and freely given after a request in clear, plain language. You must be able to explain why you’re collecting personal data, how you’ll use it, and have records proving consent was given. Under the GDPR, a client can also ask to be ‘forgotten’ and all their data must be immediately removed from your system and records – both paper and digital.

Advancements in tech

Software could make the process a whole lot easier. For example, the fibodo booking management platform offers a live planner, real-time booking with secure payment processing, and allows for storage of client data while creating and sending booking emails. “It’s completely GDPR compliant and sets the PT up for the future, so no more haphazard bundles of client paperwork,” explains Anthony Franklin, CEO and founder of fibodo.

Keep it safe

Once the GDPR goes live, adopting strong passwords and encryption is an absolute must. “If you are hacked, but have proper data encryption, that data is useless to a hacker,” says Lumb. “We all expect businesses to keep our details safe. Get this right and your clients will know you respect them and be more loyal.”

 Find out more

Where next?  Check out these box jump variations from Human Kinetics  HERE