Everything You Need To Know About GDPR For Yoga Teachers

Researching GDPR for yoga teachers allows you to take account of the data collected from your students. To help you better understand these legal guidelines, we’ll explore:

Revolutionise your approach to a career in yoga by completing a Level 4 Yoga Teacher Course, where you'll receive unparalleled guidance on establishing and running a prosperous yoga business.

You can also download OriGym’s FREE course prospectus

Defining GDPR For Yoga Teachers & Professionals

Before we can begin to discuss GDPR for yoga teachers, you first need to understand what these laws are, and why they came into effect.

The General Data Protection Regulation (GDPR) is one of the strictest privacy and security laws in the world. These regulations were put into place on May 25th, 2018 by the European Union (EU), with the intent of ensuring a level of standardisation in data handling across all member countries.

With these regulations, the EU aimed to establish a firm stance on data privacy and the cyber security of its citizens. Essentially, the law outlines what businesses can do with the personal data that their customers provide them with.

There are 7 key GDPR regulations, and businesses must ensure their customers’ data is processed in accordance with them. Data should be:

  • Used fairly, lawfully, and with full transparency.
  • Used for the specified purpose.
  • Only necessary information captured.
  • Kept accurate and up to date.
  • Kept for no longer than necessary, and must be deleted after a period of time.
  • Handled in a way that ensures appropriate security, which includes protection against unlawful processing, loss, or destruction.
  • Held accountable to the individual handling the information. 

We’ll highlight how each of these GDPR points relates specifically to your yoga business later in this article.

Failure to comply with any of the GDPR guidelines listed above can result in major implications such as:

  • Fines of up to £17.5 million
  • Customers requesting legal compensation from your company
  • A loss of 4% of your global revenue

To avoid any of these consequences, your business must ensure compliance with GDPR laws. 

Part of this will involve understanding the legal wording surrounding the regulations. We’ve listed out the most important terms, as defined by GDPR.eu:

  • Personal Data - Any information that relates to an individual who can then be directly or indirectly identified. Examples of personal data include names, date of birth, location information and web cookies - essentially anything that can then be traced back to the person.
  • Data Processing - Any action performed on this data, be it automatic or manual. This includes collecting, recording, organising and storing data.
  • Data Subject - The person whose data is being processed - e.g. your yoga student
  • Data Controller - The person who decides why and how the yoga students' data will be processed. If you own a studio, this duty will typically fall on you.
  • Data Processor - Typically a third party who processes the data on behalf of the data controller.

With all that being said, it’s natural you’d wonder how GDPR might apply to you following Brexit in early 2021.

How Does GDPR For Yoga Teachers Work in The UK?

In short, despite Brexit happening, GDPR laws are still very much in place across the UK, entitling citizens to the same level of legal protection.

GDPR was merged with the UK’s Data Protection Act (DPA), ensuring that all the new EU regulations were met, and that data was processed fairly across all of Europe.

This formed a new, UK-specific data protection regime, which is practically identical to the existing EU laws, with the only difference being that these are governed and enforced solely by UK data protection agencies. 

These regulations are based on the same legal language and principles, but simply make reference to the UK, rather than ‘EU’ or ‘Union law’. 

There is one small technicality you should be made aware of, and that is ‘UK adequacy decisions’. In the simplest terms, this means that if an EU customer provides personal data to a UK company, they must adhere to UK GDPR laws.

For example, this could apply to instructors who make money with yoga online, such as through Zoom classes. If your students are outside of the UK, they must conform to these specific GDPR laws.

Understanding How GDPR Affects Yoga Teachers 

Now that you have a general understanding of how GDPR laws operate, you should understand that they apply to every kind of yoga instructor within the industry. This includes:

  • Teachers who work at yoga studios 
  • Online yoga teachers 
  • Freelance instructors who work at gyms

You should therefore be making a conscious effort to consistently check that you’re complying with GDPR as a yoga teacher. 

To guarantee this you must first understand what kind of personal data yoga teachers collect and process. This can include:

  • Personal information - names and date of birth
  • Multiple means of contact information - phone number and email
  • Payment data -  bank details or other payment methods 
  • Location data - chain studios may ask for locations to recommend a branch within the student’s area
  • Online Identifiers - IP address, cookies, and browser information
  • Unique Identifying Information - such as a National Insurance number 

It’s important to note that not every exchange of personal data will require the subject to provide every example given above.

For example, when the data subject is a student interested in signing up for your class, they may only be asked to initially provide personal information and a means of contact information. An example of this can be found below from HotPod:

In other instances, when you’re a yoga teacher looking to hire another employee you may be required to process other personal data and unique identifying information, like the applicant's NI number. 

As a yoga teacher, you must ensure that all of this data is collected, handled, and processed in accordance with the 7 principles of GDPR laws in the UK.

#1 - GDPR For Yoga Teachers States Data Should Be Used Fairly, Lawfully, & With Full Transparency

With the first principle of GDPR, yoga teachers must offer complete clarity on how the subject's personal data will be collected, and what purpose it will be used for.

This information should be readily available on all platforms, especially your yoga teaching website. In doing so, potential students can feel more comfortable providing you with their personal information.

The best way to offer fairness, lawfulness and full transparency is through a privacy policy. Your business’ privacy policy should outline what kind of data you collect from your subjects, as well as your intent for its usage. 

In order to ensure that this information is as accessible as possible, the policy should:

  • Use wording that simplifies the legal collection and usage of data 
  • Be expansive enough to cover every aspect of your personal intent 
  • Be in an accessible location that everyone can see - e.g. this example from Yogalogy has their privacy policy at the bottom of their webpage.

This information is fixed at the footer of the company site, meaning that potential yoga students will always be able to access the policy. 

 

#2 - Purpose Limitations of GDPR for Yoga Teachers

The usage of a subject’s personal data does have its limitations. Once collected to fulfil a purpose, this data cannot be used again to fulfil another.

For example, you may choose to run a competition that requires applicants to provide personal data (like an email address). An example of this can be found below from Yogi Bare:

The data collected from this competition will be limited to fulfil this specific purpose, meaning you will only be able to contact entrants about the results of the competition.

You will not be able to use this data for other purposes, such as to sell the competition entrants yoga classes. This will be in violation of the GDPR limitation laws, and could land you in legal trouble.

For reference, these limitations must also be clearly outlined in your privacy policy, in order to reassure data subjects that their information won’t be used to fulfil other purposes.

#3 - To Comply With GDPR, Yoga Teachers Must Minimise The Amount Of Data Collected 

Not only should you have a legitimate reason for the collection process, but you should only take the minimal amount of data to complete the process.

Since this and the previous point are linked, let’s use the same example to highlight what we mean by a ‘minimised amount of data’. 

When running the competition, Yogi Bare only asked for the entrants’ email address:

This is because it is the only personal data required to complete the process - e.g. telling entrants whether or not they’ve won.

Asking entrants to provide data such as personal identifying numbers is not necessary, as the purpose can be fulfilled without it. 

Therefore this excess data collection cannot be justified, and can be seen as acting in breach of GDPR laws. Conforming to this principle is simple - if you don’t need information, don’t ask for it.

#4 - Due To GDPR, Yoga Teachers Must Only Collect Accurate Data

All of the personal data you collect must be kept up to date in order to ensure accuracy. Some of the steps you can take to ensure this occurs include:

  • Asking students to update their profile on your website if their contact information changes
  • Requesting students confirm to you that their contact information is correct 

These steps should be taken in order to ensure that the data you’re handling is correct. Should you find any inaccuracies, these must be amended or deleted immediately to avoid confusion. 

#5 - GDPR Places Storage Limitations on a Yoga Teacher’s Data

You must not store a subject’s personal data for longer than it’s needed to complete a specific service. Once you no longer need this data, it must be deleted to comply with GDPR.

How long you store this data depends on the circumstances in which the subject provided you with it. 

For example, if a student regularly attended your yoga classes, but they’ve since moved on, the data they initially provided to sign up should now be destroyed. 

Another example of fulfilling a purpose could be collecting data in order to conduct email marketing. In this instance, a customer will knowingly consent to receiving this advertisement through ticking a box.

Look at this example below from Ekhart Yoga:

In this instance, the subject has knowingly subscribed to a newsletter and you will therefore need to retain their data to complete the agreed upon purpose.

If the subject then unsubscribes from the newsletter, you should then delete their data permanently.

#6 - GDPR Prompts Yoga Teachers To Uphold Integrity And Confidentiality

All data collected by yoga teachers must be stored in a secure manner that guarantees the confidentiality of the subject and their data. This involves ensuring that you have appropriate security measures in place, in order to guarantee this level of protection.

There are a number of ways in which you can guarantee this as a yoga teacher, such as:

  • Storing the subject’s data on paper in a locked filing cabinet
  • Storing it electronically on a password-protected computer, in private files
  • Through third-party Customer Relationship Management (CRM) software - check out some of the best yoga software options with our comprehensive list.

By implementing any of these recommendations you can ensure that the data you receive is kept private, and maintain the confidentiality of your students.

#7 - GDPR Says Yoga Teachers Must Display Accountability 

As the data controller you must be able to display ‘accountability’ in all of the 6 aforementioned principles. This must be backed up with evidence, in order to highlight that you’re acting in compliance with GDPR.

There are several ways that you can display GDPR accountability, such as:

  • Adopting and implementing data protection policies listed above, ensuring that any other staff members are trained in these areas.
  • Maintaining documentation of how all data is collected, how it’s used, where it’s stored, and who has access to it.
  • Having a Data Processing Agreement in place with any third parties you contact to process data for you.

To assist with the process of accountability, the Information Commissioner's Office (ICO) has created this checklist for business owners to follow:

By following this checklist you can guarantee to act in compliance with GDPR laws, holding yourself and your yoga business accountable for the personal data it collects, processes and stores.

Learning How To Comply With GDPR As A Yoga Teacher

Ensuring compliance with GDPR will be the responsibility of the data controller. This means that, if you work under contract at a gym or yoga studio, then you will need to adhere to that specific business’ data protection policies.

If you operate your own business, however, you will be regarded as the sole controller of your customers' data, and will therefore need to ensure compliance yourself. 

As we’ve already touched on, one way to do this is through the creation of a ‘privacy policy’. We’d recommend that you get the help of a third party legal advisor for this, such as LawBite.

They’ll help create a policy that clearly demonstrates how your business complies with GDPR, wording it in a way that’s easy for potential customers to understand.

This covers the actions you need to take as a data controller in order to ensure compliance with GDPR. But keep in mind that in order to process this data, you must also adhere to another set of rules.

 

Ensuring That Your Data Processing Works In Compliance With GDPR As A Yoga Teacher 

Even if you adhere to all of the GDPR policies to ensure compliance, you still need to provide a ‘lawful basis’ in order to process the data.

This means that you need to have any one of the following legal grounds to process a customer’s data:

  • Consent 
  • Contractual Performance 
  • Legal Obligations
  • Vital Interests 
  • Public Interest 
  • Legitimate Interest 

The following breakdown will help you to understand how you can process data whilst still adhering to GDPR as a yoga teacher:

#1 - Gaining The Consent of Your Yoga Students

To process the data of your yoga customers, you need to get informed consent from them. Part of this is also giving them the option to refuse or withdraw this data at any given point.

Informed consent means that the subject knows exactly what their data is being used for. This can again link back to a privacy policy, where you detail this for readers.

We’ve already discussed one effective way for subjects to give consent, and that’s through tick-boxes. Take this example from Hot Yoga Hub Liverpool, in which customers can consent to receiving texts or emails for a variety of subjects.

This is considered to be ‘informed consent’, as the purpose is listed for readers to view, and subjects know exactly what their data is being used for. 

#2 - Why Data Must Be Processed To Ensure Contractual Performance 

In order to run a successful yoga business, you’re going to need students who sign up for regular sessions under contracts. 

In this instance, personal data must be processed in order to ensure that the contract is upheld. For example, you will need to process the student’s payment details in order to bill them for their classes. 

In accordance with GDPR, processing data that relates to contractual obligations is perfectly legal, but again the data collected from this contract must be relevant to the service you provide.

#3 - Legal Obligations Can Prompt Yoga Instructors To Process Data 

As a controller you can also process a subject's personal data if you are under legal obligation to do so.

For example, if you’re a yoga teacher with your own studio, and you hire employees, you will be under a legal obligation to process personal data such as salary details to HMRC. 

To offer the subject reassurance that you’re complying with these lawful bases, you can make reference to the HMRC website:

This states that employers must provide the data of their employees in order to ensure they’re paid correctly.

#4 - Data Processing Is Needed For Vital Interests That Relate To Yoga

In this instance, data processing is perfectly legal if it acts in the subject's best interest. Typically, within the health and fitness field it’s used to gain information relating to a subject’s medical history.

For example, Bath Studios requires its yoga customers with ‘vital interests’ to fill in a ‘Consent and Declaration form’:

Processing this data and having it on file allows yoga instructors to take action should a medical emergency take place. 

In the worst case scenarios, instructors will be able to access this personal data in order to get the subject the right medical attention.

#5 - Data Can Be Processed If It’s In Public Interest

You can also legally process data if the need relates to areas of public interest. This rule typically applies to public authorities or bodies with ‘official authority’ - e.g. private energy or water companies. 

This point won’t typically apply to yoga teachers, so it’s very unlikely that you’ll need to process data under these legal bases.

#6 - Yoga Instructors Can Process Data If There Is A Legitimate Interest 

This is the most flexible legal basis on the list, but just because it’s flexible does not mean you can assume it applies. In most cases, this rule is applicable when you use a subject's data in ways they would reasonably expect.

The ICO clearly outlines that legitimate interest can relate to:

  • Commercial Interests 
  • Individual Interests 
  • Broader Societal Benefits 

The process must also be absolutely necessary, and balance your own interest against that of the subject. 

If they would not reasonably expect their data to be processed, or if it can be done in another way, you must make a conscious effort to do so. 

Complying with GDPR as a yoga teacher could see you install CCTV in your studio for security purposes, and claim this data process to be a legitimate interest of your business. 

The subjects (your students) will expect your yoga studio to have some form of security measures, and as long as they’re not placed in invasive locations (e.g. changing rooms), then you’re well within your rights.

How To Comply With GDPR As A Yoga Teacher When Processing Sensitive Data

Some of the data we have made reference to when discussing these legal principles are classified as ‘sensitive data’. 

This includes information that is personal to the subject, such as:

  • Ethnicity 
  • Sexual Orientation
  • Gender Identity 
  • Religious Beliefs 
  • The Subject’s Health, including Genetic or Biometric Data

You will typically handle a lot of sensitive data when processing it under the legal basis of vital interest. 

If a subject has completed a medical health form, or disclosed information to you in confidence, you must ensure to take great care when processing and storing said information.

The ICO clearly outlines that you have the legal right to process sensitive data, as long as it meets any of the following categories:

  • Explicit consent
  • Employment, social security and social protection (if authorised by law)
  • Vital interests
  • Not-for-profit bodies
  • Made public by the data subject
  • Legal claims or judicial acts
  • Reasons of substantial public interest (with a basis in law)
  • Health or social care (with a basis in law)
  • Public health (with a basis in law)
  • Archiving, research and statistics (with a basis in law)

Now that you know what data you can legally process in compliance with GDPR as a yoga instructor, we can now discuss methods that you can implement to assist with this.

What You Need To Do To Ensure Compliance With GDPR

From all of the information that has been shared within this article, the importance of complying with GDPR as a yoga teacher should be more than apparent. 

In order to ensure that you’re complying with these laws in every possible way, you can implement some of the following methods:

 

#1 - Create & Link Out To Your Yoga Business’ Privacy Policy

As we have discussed at length throughout the course of this article, creating a privacy policy is absolutely essential. This applies to all instructors, regardless of where you teach yoga and in what capacity.

Even if you just operate on a freelance basis with a handful of students, this policy will still need to be created in order to inform your students how you’re collecting, processing and storing their personal data.

As we already touched on, we’d advise seeking legal guidance when creating your own privacy policy. 

Businesses like LawBite are able to create and word your policy in a way that subjects can understand. They’ll also ensure your yoga business is GDPR compliant through:

  • Providing regular health checks to see what changes you can make to improve compliance 
  • Giving legal advice on what specific data protection policies mean for your specific yoga business
  • Advice on what to do should a subject’s personal data ever be breached 

After this, ensure you place a link to your privacy policy in a place that is clearly visible to your subjects. Many businesses choose to incorporate this into the footer of their website, as Yogalogy have here:

This will ensure that, regardless of what page your customers visit, the privacy policy is always accessible to them. We would always recommend linking out to a separate webpage for your privacy policy.

This is due to the fact these policies are quite lengthy, so having a full one on the footer of your site could make it look cluttered and unprofessional. 

For more design advice, check out our article discussing the best yoga teacher websites.

#2 - Perform Regular Audits On Any Existing Yoga Student Data

Once you have collected and processed a large quantity of personal data, it is advised to perform regular audits. This will ensure that the information you have is both useful and legally compliant with GDPR.

When conducting a data audit as the controller you should question:

  • What personal data have I collected?
  • Do I require more of the subject's personal data?
  • Have I collected any unnecessary data?
  • How long have I been storing this data?
  • Where is the data being stored and does the storage meet GDPR requirements?
  • Who has access to this storage?
  • Am I processing data in compliance with GDPR?

You’re essentially combing through all of the information you have collected in order to determine if that data is appropriate to use. 

After conducting a detailed audit, you may find that you’re storing data for unnecessary purposes. 

For example, if a student provided you with personal information to attend classes, but has subsequently dropped out, this data no longer fulfils a purpose.

Should you find data of this nature, you must take the proper steps to delete it in an appropriate and safe manner. 

If you’ve had long-term yoga clients and stored their data prior to the 25th May 2018, you must ensure that this is in compliance with GDPR, as this data would have been collected prior to the law being implemented.

#3 - Update Any Email Marketing Campaigns

Prior to GDPR laws being implemented, data controllers could still store their subjects' personal information and use it to fulfil purposes the subject did not agree to.

For example, if you signed up for yoga classes prior to the 25th May 2018, the studio could use your information to send you promotional material for yoga equipment, something you didn’t consent to. 

Now, with the implementation of data protection laws, the same studio will only be able to contact the subject in regards to the class they signed up for. This is because it’s the only purpose they have consented to. 

This means that if you’re looking to use email marketing campaigns, your subjects must provide you with informed consent to do so.

As we have already discussed, one way to receive this in regards to email marketing is through tick boxes. But be aware, these boxes cannot be pre-checked, as this isn’t legally classified as informed consent.

Instead, it must look something like the example given from Ekhart Yoga:

This way, your subjects will knowingly check the box in order to consent to email marketing. Another way to receive informed consent for email marketing is to directly ask for a mode of contact. 

An example of this approach can be found below, from London’s Yoga on the Lane. Here you can see that the studio asks their subjects to provide an email address in order to receive a newsletter:

This again highlights the importance of providing absolute clarity on what you’re using the subject’s personal data for. In doing so, the subject can fully consent, and you can process the data legally.

How Does GDPR Affect Your Yoga Social Media Accounts?

When using any form of social media platforms to communicate with yoga customers, you will be covered by the platform's own GDPR conditions.

This means that if someone gets in touch with your professional page about becoming a student, you can communicate ways to do this without breaching any GDPR regulations. 

However, if you wish to transfer this communication to a different platform, such as email, you must do so by adhering to the legal grounds discussed earlier in the article. 

This is due to the fact that, once you leave the social media platform, you are no longer covered by its GDPR policy. Instead, you will need to adhere to the laws for your own personal business. 

For example, if you wish to process a customer’s data in order to sign them up for class, you will need to ensure that you’re meeting one of 7 processing principles. 

You could claim that processing was necessary in order to fulfil your contractual obligations to the client.

But by far the best way to ensure you’re always acting in line with GDPR laws is to get written consent from the customer in question. In doing so, you can ensure that your customers agree to the way you’re processing their personal data. 

Before You Go! 

This extensive guide into GDPR for yoga teachers has provided you with all the necessary information to ensure your business is operating in compliance with the law, as well as how you can most effectively do this. 

Additional industry-specific knowledge can be acquired on OriGym’s Level 4 yoga teacher diploma. Here you will study a business centred module that will provide you with skills and knowledge required to optimise your yoga service.  

Remember you can also download OriGym’s free course prospectus and learn more about the qualifications we provide.

Written by James Bickerstaff

Content Writer & Fitness Enthusiast

James holds a BA (Hons) in Creative Writing and Film Studies and has recently gained an MA degree in Film, both of which he attained from Liverpool John Moores University. After taking up the couch to 5K challenge on a whim, James found a new passion for running, which he combines with his love for healthy cooking and writing. All of this led him to becoming a copywriter for OriGym.

When he is not writing content for the site, James can be found researching new recipes, writing music reviews, reading and watching the latest film releases.
