The GDPR and Group Fitness

I’ve been involved with preparations for GDPR since it was first announced a few years ago. Management of the HR Systems and Reporting teams for a large corporate company means i’m heavily exposed to data security and personal data on a daily basis, and have needed to be ahead of the curve with GDPR.

I’m also co-founder of Beatz Fitness (, and have previously been a Director for a global Group Exercise brand, so have a good appreciation of both sides.

A lot of people are aware that ‘GDPR  is coming’ and there are a wide range  of resources available, but what does this actually mean to Group Exercise Instructors, what can you do to be compliant, and what are the impacts of non-compliance.

The below is a non-exhaustive breakdown, focused only on some elements of the legislation that are relevant to Group Exercise Instructors, and is not meant as legal advice.


  • GDPR stands for ”General Data Protection Regulation” and comes into effect on 25th May 2018
  • It applies to businesses of all sizes and will become one of the most robust consumer data protection initiatives in the world.
  • If you process personal data, the GDPR places specific legal obligations on you, and companies will need to switch from an ‘Opt-Out’ to ‘Opt-In’ approach.
  • Any third party processor you use (Email Marketing, CRM etc), is now directly and legally obligated to be in compliance, which you must be assured of.
  • Brexit will not affect GDPR
  • Even if you’re outside of the EU, but control or process the data of EU citizens, the GDPR will apply to you.
  • Depending on the type of violation, companies will incur fines of up to EUR20 million or 4% of their global annual revenue (whichever is greater). These penalties show that the regulators mean business and companies cannot afford to ignore the legislation.


In a nutshell, current EU data privacy regulations are still based on a document first adopted in 1980, which don’t include considerations for Social Media, Smartphones, and advanced web technology. The world is changing rapidly, and the new legislation recognises that.


Virtually all data pertaining to individuals residing in the EU will be protected by GDPR.  This includes Names, Home Addresses, Date of Birth, Email Addresses, IP Addresses, Financial Transactions, Gender, NI Number, Sexual Orientation, Religious Beliefs etc


For Group Exercise Instructors, most (if not all) customer data will be for marketing (email lists) and health & safety (Par-Q Forms). Here are a few ways that the GDPR might impact you;

Data Permission

From a Marketing perspective, this is about how you manage opt-ins – you cannot just assume that people want to be contacted, and they will need to express consent in a ‘freely given, specific, informed and unambiguous’ way, reinforced by a ‘clear affirmative action’

This will mean that any leads, customers, etc, need to physically confirm that they want to be contacted, and you must actively seek (not assume) permission that they want to be contacted.

  • Opt-ins need to be a deliberate choice, so a pre-ticked box or copying a list of contacts to an email list will not be acceptable. An un-ticked box with accompanying text is acceptable.
  • The customer (data subject) must be able to withdraw consent at any time, and it must be as easy to withdraw consent as to give it. This must be demonstrated by policy.
  • Refer-A-Friend activities can be an exception, as long as the email that’s sent to the ‘friend’ is a notification rather than promotional, and the data (the friends email address) is not stored or used for marketing communications.

Marketing Automation / CRM Systems

If you use a CRM system that automatically sends out emails, you could be in breach if an email is sent to someone who has previously opted out.

You’ll need to make sure that every customer in your CRM system has given you permission to market to them. If someone opts out, all systems must be update to ensure no further emails are sent to them. Having future-scheduled emails is not an excuse.

Data Access & Right To Be Forgotten

GDPR offers individuals the right to easily access their data and remove consent for its use, which can be as straightforward as including an unsubscribe link within your email marketing template and linking to an account or profile that allows users to manage their email preferences.

A lot of email marketing providers already offer this functionality, but it’s worth checking.

Data Focus & Security

GDPR requires you to legally justify the processing of any personal data that you collect, which means is that you need to focus on the data you need, not what may be nice to have ‘just in case’.

Data transfer outside of the EEA will need to have adequate protection in place, and data must be encrypted at every opportunity. This applies equally to public cloud storage.


Any data breach must be reported to the ICO within 72 hours, and any customers affected by a data breach must also be notified.

Companies that fail to comply with GDPR could be subject to extremely high penalties –up to £20m or 4% of global annual revenue. However unlikely it may be that you’ll face these fines, it shouldn’t deter you from doing everything possible to be compliant.


Start by auditing your data now

  • What quantity of customer data do you hold?
  • How is this data stored?
  • Have your customers all given consent to have their data stored? If you do not have a record of a customer’s opt-in, remove them.
  • Who can access the data?
  • Has the data been transferred anywhere? If so, where?
  • What procedures do you have in place to dispose of customer data?

Review the way you’re currently collecting personal data;

  • Website email signups – link to your privacy policy and apply a ‘double opt-in’ process.
  • Paper forms at classes or events – state the reason for the collection on the form, including what the data will be used for and only collect what is necessary.

Update your Privacy Policy on any websites. The GDPR states that the information you provide to people about how you process their personal data must be;

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

Get your inbound marketing nailed!! Put the customer first and attract them with valuable content and a reason to want to assertively be part of your marketing communications.


GDPR will likely cause temporary difficulties, and you may need to adjust your approach to data management and the way you communicate with your customers and market your business.

The legislation should be seen as a positive step that will give more power to consumers and make marketers get better. Anything that hastens the demise of ‘shady’ marketing tactics like buying lists, cold emailing and spam, can only be a good thing. Not only they outdated, but they provide a poor customer experience and are becoming less and less effective.

Further information can be found on the ICO website at;

By Steve Bridger