The Global Fitness Industry Prepares for GDPR

On May 25, the new General Data Protection Regulation (GDPR) takes effect in the European Union (EU).

It is the cause of some confusion, much concern, and a fair amount of hand-wringing.

“GDPR brings the biggest change to data protection laws in Europe for 20 years,” says Alan Leach, the marketing director for the West Wood Club, a seven-facility chain based in Dublin, Ireland. “The implications for companies all over Europe are enormous.”

The raison d’etre of GDPR is to protect the privacy of citizens’ data and refine the way organizations handle data.

Although GDPR was drafted in Europe, its impact will definitely be felt in the U.S.—including at IHRSA—and in any country doing business in the EU. In December, Forbes published an article informing readers that, “Yes, The GDPR Will Affect Your U.S.-Based Business.” And, in January, The New York Times reported that, in Silicon Valley, “Tech Giants Brace for Europe’s New Data Privacy Rules.”

IHRSA is complying with GDPR by asking EU residents to opt-in to receive email communications.

“GDPR is a global game changer in privacy rules,” says Florian Cartoux, the IHRSA Europe director.

The penalties for noncompliance are impossible to ignore. Infractions can result in a fine of up to €20 million, or 4% of company’s annual revenues, whichever is higher.

International fitness industry firms headquartered in the U.S., such as Life Fitness, based in Rosemont, IL, and Anytime Fitnes, of Woodbury, MN, have taken note and are taking steps. “We’ve worked … to develop a project plan for addressing security and privacy obligations in accordance with the GDPR,” says Life Fitness.

The debut of the Internet and its subsequent explosion have helped transform data into one of the world’s most valuable commodities, and now, arguably, it’s the bedrock, the universal platform, on which modern civilization sits.

But for each and every one of the infinite uses it offers, there’s a possibility of misuse and/or abuse. When discussing GDPR, the objective is generally tied to consumers, who are at risk of such things as identity theft, financial fraud, stolen information, social-media manipulation, etc. GDPR is designed to guarantee, insofar as possible, the security of people’s personal data. But the premise driving GDPR—that data is precious, has to be safeguarded, and therefore regulated—applies equally to businesses.

Not a month goes by when we don’t learn about another huge data breach with far-reaching and, sometimes, incalculable effects. In March, when it was discovered that Cambridge Analytica may have used the data of over 50 million Facebook users for political ends, the subsequent headlines in the Times read, “Cambridge Analytica Suspends CEO” and “Facebook Data Security Chief to Leave Amid Outcry.”

Perhaps more importantly, for the very first time the development made GDPR a hot topic, and a U.S. topic—one reported on by newscasters, discussed by talk show hosts, and figuring prominently in other headlines, including: “Could GDPR Have Stopped the Cambridge Analytica Scandal?”

Devil in the Details

“Health clubs collect personal data from members and nonmembers,” says Leach. “They collect names, addresses, emails, bank details, medical information, and lots of other information. Data is critical to every aspect of our business, and we’re responsible for protecting it. … GDPR is designed to ‘strengthen and unify’ data protection for everyone within the EU.”

The reviews of the measure range from “not essential” to “the jury’s still out,” but one of the things that everyone seems to agree on is summed up by Jim Goniea, the general counsel for Anytime Fitness, which has a major international presence. “We view GDPR standards as being the wave of the future, and we intend to implement them across our international operations, even outside the EU, to the extent that they don’t conflict with local laws.”

Another conclusion reached by all, including Leach and Cartoux, is the importance of making use of attorneys or consultants with serious regulatory expertise. “I strongly recommend that any fitness club consult with their advisers about the full implications of GDPR,” says Leach.

Though the regulation’s goals appear reasonable, the challenge of translating them into action is daunting. “It’s not that the new GDPR are unnecessary, or that any individual requirement is particularly shocking; rather, most of the problem is that GDPR has come at us all at once and could potentially have an impact on nearly every organization in the world,” says Leach.

Another obstacle, he’s quick to point out, is that “GDPR is complex. Very complex!”

The most comprehensive and authoritative guide is the official GDPR website.

“Article 5 of the GDPR outlines six principles that should be applied to any collection or processing of a person’s data,” explains Leach. “These six principles are at the heart of the GDPR.” They are:

1. Personal data (PD) must be processed lawfully, fairly, and transparently.
2. PD can only be collected for specified, explicit, and legitimate purposes.
3. PD must be adequate, relevant, and limited to what is necessary for processing.
4. PD must be accurate and kept up to date.
5. PD must be kept in a form such that the data subject can be identified only “as long as is necessary” for processing.
6. PD must be processed in a manner that ensures its security.

Last month, IHRSA presented a webinar on “New European Data Protection Rules: The Impact on Your Gym,” which you can listen to at any time.

Compliance: The Costs and Rewards

Mastering the intricacy and complexity of GDPR is, in many ways, like learning an entirely new language, but from the U.S. to the EU, health clubs and other industry businesses are applying themselves diligently.

Leach and his chain’s top management have attended a CMG Professional Training in Dublin and received CMG master class certificates for GDPR. “At this stage, I’ve been to so many meetings and planning sessions, I think I could recite the whole GDPR document word for word,” he says.

West Wood Club began preparing for GDPR Day about seven months ago, and, “The first, and most important, goal was to separate the scaremongering from the facts,” says Leach, who’s also a member of IHRSA’s board of directors.

“A lot of work and effort is going to be needed to get West Wood Club fully GDPR-compliant by May 25,” he says. “Over 400 employees will have to be trained. A data protection officer will have to be recruited. All membership and sales software will have to be looked at to see if everything’s GDPR-compliant.”

Anytime Fitness, which has some 4,000 clubs in 20 countries, has realized that GDPR was coming for a while, and “put together a team composed of our technology and legal departments to evaluate the regulation’s requirements and implement the changes necessary to ensure compliance,” says Goniea.

The list of actions-to-be-taken appears monumental, but this fitness franchise seems to be taking it somewhat matter-of-fact. “Tasks we’ve had to complete include, among others, evaluating the GDPR’s requirements; mapping data flows in our system; evaluating who within our system constitutes a controller and/or a processor; reviewing and revising our privacy policy; reviewing and revising the member-facing contracts where personal history is collected; reviewing and revising EU Vendor contracts. …”

Anytime Fitness, Goniea explains, has always employed best practices with respect to data privacy issues, and, as a result, is able to contemplate GDPR with a certain professional cool, calmly accepting the additional efforts and expenses it entails.

“Complying with GDPR standards has not required significant alteration in the way we do business or handle member or employee data,” he says. “For companies already implementing best practices in the data privacy area, GDPR probably won’t wind up being a significant barrier to their expanding operations in the EU.”

The challenges, additional costs, and fleeting confusion incurred by GDPR come both with a carrot and a stick. Failure to adhere to the measure’s many stipulations triggers a penalty and could even lead to a company being unable to operate in the EU.

“The cost of noncompliance is too dangerous to ignore,” warns Cartoux. “You could face a fine of up to €20 million, or 4% of your global revenue—whichever is higher—if you’re caught mishandling the data of your European customers.” At the same time, he points out, “GDPR will offer clubs and other businesses an opportunity to take better care of their staff and customer data.

“For U.S. firms, the equation should be very simple,” he says. “You don’t want to shut yourself out of a market with 500 million consumers.”