Podcast

General Data Protection Regulation (GDPR) is here! Run for the hills! Not quite. While GDPR is causing a few headaches for businesses, it also has some upsides. So what do massage therapists need to know?

Resources referenced in this episode:

• How to write a GDPR privacy notice – with documentation template example
• GDPR Privacy Policy Generator
• Preparing for the General Data Protection Regulation (GDPR)
• Lawful basis for processing data

Sponsors:

• Pure Pro Massage Products
• The Jojoba Company

Transcript:

Sponsor message For over 24 years, Pure Pro has been making extraordinary products for extraordinary practitioners who care about what touches their body and their client’s bodies. From their hypoallergenic lotion, which is ideal for oncology massage and safe for sensitive skin; to peppermint pedango foot cream, perfect for easing varicose veins and tired feet; to arnica relief lotion that knocks out muscle soreness stat, Pure Pro has products for every kind of massage. Pure Pro never uses chemically derived water dispersing agents or artificial fragrances. You’ll find all the ingredients for each product on the website as well as the patented Glide-o-meter rating that will help you determine which product’s slip, grip, glide, and weight is right for the work you do. And all Pure Pro products are vegan, cruelty-free, and nut free, making your job as a safe, mindful practitioner that much easier. You can trust Pure Pro because it’s made by massage therapists for massage therapists. For $10 off your next order, go to massagebusinessblueprint.com/purepro and use the one-time discount code BLUEPRINT at checkout. That’s $10 off your next order by going to massagebusinessblueprint.com/purepro and using the one-time discount code BLUEPRINT at checkout.

Allissa Haines Hello, everyone. Welcome to the Massage Business Blueprint podcast, where we discuss the business side of massage therapy. I am Allissa Haines.

Michael Reynolds And I’m Michael Reynolds, and I love how you say the word “business.”

AH Business.

MR It’s just like, boom, business.

AH Because today it’s like super-business. Today is another exciting episode that Michael is in charge of. Again, my favorite episodes. But before we do that, Michael, did you do anything fun this weekend with the kiddo?

MR Oh yeah, it was a holiday weekend, wasn’t it?

AH It was.

MR Yeah, we did. We went to a — let’s see, was it Memorial Day last weekend?

AH Uh-huh.

MR Or was it the weekend before? I’ve totally lost track of —

AH Oh, yeah, no. It was totally the weekend before. I don’t know anymore.

MR Really? [Laughs]

AH I’m completely burnt. It was.

MR I think it was the weekend before. Okay.

AH It was.

MR Last weekend was a regular weekend. Oh, okay.

AH What’d you do?

MR Yeah, actually we went to the grandparents’ house and played in the sprinkler. Eli loves to run through the water and the hose and grandpa chases him with the hose around the yard, and he has a blast. That was the highlight of our weekend. How about you?

AH Nice. We took the kids to — there’s one of the Audubon sites around me has this — it’s called the Trailside Museum. They’ve got this great indoor nature-y museum thing with a barn owl that will jump at you. It’s a rescued barn owl; it looks like it’s got glaucoma in one eye. It’s got all these cool nature things including a honeybee nest thing you can look inside as bees are doing it — making all their honey and stuff, and totally the words came out wrong on that. You do not watch bees doing it. I’m sorry. This is not a —

MR If you’re into that sort of thing.

AH They’re not — you watch bees making their honey; doing their thing is what I’m trying to say. And this really cool milk snake that was kind of climbing up the glass as we were looking at it, and it was very Harry Potter-ish. It was really — of course, like the kid was Slytherin — or speaking Slytherin at it — okay, I was the one speaking Slytherin at it, okay? And I had a blast and then we played outside a little bit and that was really nice. Yeah, that’s the story of our weekends, but I think it’s important — I asked, I brought it up because, people, recreational time, down time, is like super duper important. Take a little time for yourselves this week is all I’m saying. Now, Michael, we have a slightly technical and business-y business kind of podcast topic today. Bring it in. What do we got?

MR We even have an acronym. We’re starting off with acronyms.

AH So done with acronyms.

MR Right off the bat. [Laughs] So today, we’re going to discuss GDPR, specifically, what massage therapists need to know about GDPR.

AH Pray tell, what is GDPR?

MR What is GDPR, you may ask. [Laughs] So GDPR stands for the General Data Protection Regulation. That probably did not tell you a whole lot. So some of you may have heard about this. Some of you may be aware of this because you’re probably getting a gazillion emails from all the software providers that you sign up with saying hey, here’s our new privacy policy, blargedy blarg. And you’re probably ignoring them all now because you’ve gotten a thousand of them. That’s probably your most obvious indication of GDPR. Some of you may have already heard about it; some of you may not be aware of it.

I got to start with some disclaimers first off. My disclaimers are one, this podcast episode is not legal advice; this should not be taken as legal advice; we are not attorneys. So getting that out of the way. And two, GDPR is fairly new in terms of its implementation, so there are people out there that are probably experts, but many people are not, including us. We are not experts in GDPR, but we do spend — Allissa and I both spend enough time in our business world and different companies and technologies that we work in that we have an awareness of GDPR and have done the research and the steps to get our arms wrapped around it. Again, we’re not experts, per se; we are not attorneys. But I would like to pinpoint and highlight some specific things to be aware of when it comes to GDPR, and as a massage business and a massage practice, what you need to know and how you may or may not need to respond to it, specifically, with the technology you use. So how’s that for a mouthful of disclaimers? Whoo, I’m tired already.

AH I’m completely exhausted.

MR [laughs] So let’s first — if nothing else, we’ve at least gotten people to Google GDPR. That’s a win. So go Google it. GDPR is — let me actually just kind of — I’ve got a million tabs open here, and I want to kind of go through a process, but first explaining what it is, and then after halftime, we’ll talk about what you need to know about it. So GDPR came into effect May of 2018. It’s regulation that is set up to protect the privacy of individuals in the European Union, the EU. More specifically, to give them control over how their personal data is processed including how it’s collected, how it’s stored, how it’s used, and it affects every business in the world that processes personal information about people in the EU.

Right off the bat, it sounds like it may not be important to the majority of our audience, which the majority of our audience is in the US. I know we have some listeners in the UK, in Australia, various other countries. But the majority of our audience is in the US. You might be thinking well, that doesn’t apply to me. Well, it can actually apply to you. Here is why. Any business that has a website that collects information could, in theory, be subject to GDPR because, in theory, someone from other countries, specifically countries in EU, could fill out a form on your website, subscribe to your email newsletter, subscribe to your blog, fill out your contact form. This could happen, and people all over the world can do that because of the nature of the web being global and open to anybody. So it can actually apply. It is actually important to pay attention to this because there are some pretty stiff penalties for non-compliance, in the millions. It is also set up in such a way that authorities prosecuting from the EU can enlist the help of authorities in the US to prosecute US-based businesses for not complying. That is kind of a scary concept to think about. That being said, my expectation is that most massage therapy practices will probably never have to worry about it. Usually in cases like this, again, this is not legal advice; don’t forget that. But in cases like this, you normally see larger targets being the issue. You know, a GDPR issue could happen to a large bank or a large consumer products company or a huge brand that has a gazillion employees and thousands of locations and all sorts of data they’re managing, so that is usually the end of the spectrum that has to worry about it. The solo massage practice operating in individual pockets all around the country that sees clients in their geographic area and has an email newsletter, probably never going to have to worry about it. But the consequences are significant enough and the fact that it’s just the right thing to do is compelling enough for me to recommend that we pay attention and adopt compliance with GDPR.

Again, GDPR — I’ll kind of state it one more time: General Data Protection Regulation. It’s designed to protect the data of people that you have in your database. What does this include? This includes all information about people. It includes information about your clients, employees, suppliers or partners, any individual that you collect personal data from. It includes name, contact information, medical information, any credit card or bank account details, any information at all counts. There are some steps that GDPR takes us through that we have to pay attention to. I’m going to kind of go through — actually, I’m going to pause there, and I’m going to go through the steps and the remedies after halftime because I’ve already laid out the concept in enough detail, I think.

But I want to say that the crux of it is, it’s designed to empower individuals to have control of their data. If you think about this, I actually think it’s a good thing because how often do we put information into a website, and before we know it, we’re getting spammed by 30 different companies that they’ve sold the data to; we don’t know how to get access to the data; we don’t have a clear remedy or a clear path to ask them to delete our information; we may try to unsubscribe and it doesn’t work. All these are symptoms of the problem that GDPR is meant to address. And these are all symptoms of a problem that I would love to see solved, and GDPR is a step towards that. It’s putting the onus on businesses that collect information to treat that data, that information, with respect and to empower people to have more control of the data. I feel like got super nerdy so far here, Allissa. Does that make sense so far here, the way I’ve described it?

AH Yes.

MR Okay. Awesome.

AH I’m getting it. I’m getting it. And I’ve read a handful of really useful posts about it, too, so we’ll have a ton of resources in the — I guess we’ll have a ton of links in the resources of this podcast episode.

MR We will, yeah.

AH So that’s coming. Do you want me to do the halftime sponsor?

MR Yeah, let’s pause there and go to halftime, and then we’ll do the second half after that. So go for it.

AH Let’s take a moment to appreciate the generosity of The Jojoba Company.

MR Jojoba! Thank you. Just had to.

AH He always does, folks. Always does.

Sponsor message This episode is sponsored by The Jojoba Company. I firmly believe that massage therapists should only be using the highest quality products, because our clients deserve it, and we deserve it; we’re soaking this stuff in for hours upon hours every week. I’ve been using jojoba for years, and here is why: it is nonallergenic; I can use it on any client and every client without fear of an allergic reaction. Jojoba won’t clog pores, so it’s great for acne-prone clients if you see a lot of adolescents like I do. Jojoba does not go rancid so it’s a great carrier for essential oils and it will not stain your cotton sheets. The Jojoba Company is the only company in the world that carries 100% pure, first-pressed, quality jojoba. You can get your jojoba and learn more at massagebusinessblueprint.com/jojoba, that’s J-O-J-O-B-A.

AH Bring it around, Michael. Tell us what to do about this GDPR situation.

MR Ooh, I can’t wait. As if you weren’t exhausted enough already. As you might expect with regulations, there’s a whole bunch of stuff in it. It’s a very long document; it’s a whole bunch of stuff. But, again, there are a few key elements that are going to be important to massage therapists. And, by the way, right now it’s regulation based in the EU, or it’s from the EU. Most people that are looking at GDPR and saying oh, this is happening and it’s going to be a logical evolution toward other countries as well, everyone is kind of of the opinion — well, not everyone, I can’t say that. But a lot of people are of the opinion that this is an indication of a more global trend. We are probably going to see regulations in the US follow suit and do something similar. Again, being ahead of the game is not bad. Again, it applies to massage therapists because if we have a website that collects information — for example, the most legitimate example I can think of is an email newsletter. I mean, yeah, for the most part, you’re probably going to get subscribers from your geographic area. But, you know, someone from the EU might come on to your website by Googling something, they might enjoy the content you have because it’s about wellness, they might subscribe, and they might enjoy getting your newsletter. At that point, you are subject to GDPR. So just knowing that can happen means it’s important.

So GDPR is based on a number of components. And I’m not going to read them all. I’m actually on ico.org.uk, which is a UK-based site that has a really good resource on GDPR and the 12 steps on data protection you have to follow. I’m going to hit just a few of them here that you probably need to be aware of.

So first of all, some of it is just awareness. In fact, Step 1 that they state is awareness. Awareness is simply being aware of how you’re storing data, understanding the implications that we’ve just talked about, understanding exactly what systems you are using to store data so that you can intelligently understand and communicate those systems to people that may ask. That is Number 1.

Number 2 is the information you hold has to be documented including where it came from, who you share it with, and how it is stored. So the information, an email address, for example, or a name or a phone number — this information is usually stored in either your email system like MailChimp, or maybe your online booking system like Acuity or Artichoke. All this information got there somehow. You have to be able to document where it came from and what you’re doing with it. Now for the most part, it’s pretty easy for us to do. We would say well, it came because someone booked online and put it in themselves. Or they signed up for my email newsletter or they came in for a massage, and I entered their information in as an intake process. You have to be able to document that. And by document that, again, I don’t presume to be the expert on what document it means. Some might say that you might need to verbally be able to communicate that. Some might say you have to have it written down somewhere. For the most part, knowing your systems, you should be able to say, well, I can write a quick document that says these subscribers came from a sign-up on my website. That would be a documentation example.

Number 3 is probably one of the most significant you have to worry about and that is communicating privacy information. You need to have a privacy policy on your website that communicates what you are doing with personal information. I’ve seen a lot of massage therapist websites and most of them do not have privacy policies, I will say. So this is going to be a big step for a lot of people. I know a lot of us will need to create a privacy policy that is GDPR-friendly, so to speak, or follows GDPR principles. We’re going to put a link in the show notes to this site. There’s a site itgovernance.co.uk, which has a template on how to write a GDPR privacy notice with a template example. They give you an example you can download and use to fill in the blanks and post a simple privacy policy on your website. That would be a great step toward compliance. Grab that template or update your existing privacy policy. If you want some other examples, you can actually pay a hundred bucks for some services that will automate the process. Just Google “GDPR privacy policy template,” and you’ll find a bunch of examples. But you need to have one. You need to have one one your website that clearly states what you do with the data. Most of these temples will walk you through a question/answer process that says hey, what do you do with the data? We’ll spit out the template that makes sense for you.

You have to — Number 4 — I said I wouldn’t go through all these, but it sounds like I kind of am. [Laughs] So Number 4, you should check the procedures to ensure that you’re covering the rights individuals have. Some of those rights include the right to be informed about how you’re using their data, the right of access, the right of rectification and erasure, restrictive processing, portability. Basically, you have to give the people that you have data on lots of control over that data. If they ask you to delete their information from their system, you have to be able to comply. You have to delete that information. And that goes back to unsubscribing, for example. It’s not just a matter of unsubscribing. If someone says hey, delete me from your database, you’ve got to do it. I forget the time frame. I think you’ve got 40 days to delete their data, which is plenty of time, obviously, but you need to have, in a timely fashion, you need to delete their information from your email list or your database. If someone wants to update their information, they have to be able to do that whether automatically or by informing you. They have to be able to access the information. If they request the information you have on them, to see it, you have to be able to show them the data you have on them. You have to really be clear about how you are able to manage their data and give people access to updating it, seeing it, or deleting it.

Now, I’ll have a little sidebar here and say that this is a really good reason to, if you’re not already, to adopt mature cloud-based systems for your practice. Some examples would be MailChimp. If you’re using MailChimp or Constant Contact or a normal email marketing system that is a mainstream, mature, respected product like that, you’re good to go because they have all the technology you need to do this. You can pull up your information, you can delete people, you can update people, you can give them information, they have the opt-in stuff taken care of. You’re probably good to go. If you’re storing your email list on a Word document on your laptop, that might not be as easy to manage. You want to make sure that you are, as much as possible, adopting mature, cloud-based systems for things like online booking, client notes, email marketing, blogging. Everything that stores data really should be a mature, cloud-based system that makes data management easy. I’m going to skip a couple here. Again, I’m only going to highlight the ones that apply. I encourage you to read the whole thing in the show notes, but I’m going to skip over a couple things that doesn’t apply as much.

Now, the crux of this is Number 6, which is lawful basis. This is really the crux of GDPR and that is lawful basis for collecting data. What that means is you have to have a legal and compelling reason for collecting data. And there are nine different examples of — I’m sorry, not quite nine, but there are a number of different examples of legal basis and only a couple of them are going to apply for the most part. The one that applies to most of us is going to be consent. So consent means you have to be able to prove that someone gave you consent to have their information. So an example would be an email newsletter. Again, the example is going to be pretty generalized across massage therapists. Email newsletter, someone comes to your website, they type in their information, they can quick subscribe, there’s a double opt-in process where they have to confirm the email that gets sent to them to actually subscribe, and they have consented to putting their information in your database. That is an example of consent. Consent could also be someone says hey, sign me up for your newsletter, and you manually do it. Again, you have to be able to be able to document that. This is where it’s a little bit of a gray area on understanding of this, I think. But if it were me, I would probably put a note in their file saying hey, they asked me to subscribe them on this date, just so you have it documented.

Another example of legal basis for storing information would be a contract. What that means is processing is necessary due to the fulfillment of a contract. What that means is if they have to have information on file with you to do business with you, then that’s a legitimate basis. And that’s true for most massage therapists. If they do business with you and want to pay you, they’re going to have to give you some information. The other examples are legal obligation, probably not applicable here; vital interest in which case having data is necessary to save or protect individual’s life, probably not applicable here. Public tasks, which is really applicable only to government entities. Legitimate interests could apply. And that means that storing data is necessary to the legitimate interest of an organization or a third-party affiliate. So if you have partners you would with, if you have suppliers, maybe you’re storing data on them. Yeah, that could be a legitimate interest and that could be argued as complying with GDPR because it’s a legitimate interest. Again, consent is the big one. Most people rely on consent. If you’re running a regular business with marketing, consent is kind of the top. Also, the contract and legitimate interest clauses are going to apply here.

There’s a couple of other things. This one is not as applicable: Data breaches. Again, if you’re using mature, third-party, cloud apps, this is not going to apply too much. But you need to have procedures in place to detect, report, and investigate a personal data breach. Now this could be a rabbit hole. I’ll be honest. Again, if you’re storing client information on your laptop with no password on it that is sitting in your office, and you have no backups of it, then someone could walk in your office while you’re doing massage, open your laptop or just steal it, grab all the information, and you’ve got a data breach. And you really have no way of investigating it or tracking it down or really remedying it at all. So that’s obviously an issue. If you’re using third-party cloud systems that are secure — MailChimp, Artichoke, Acuity, Healing Hands, SOAP Vault, anything that is a secure online system that takes information off of your local machine and onto the cloud in a secure data center — that is going to go a long way toward protecting you from the data breach issue.

I don’t want to scare you, but I kind of want to scare you. I want to encourage you to not store sensitive data where it shouldn’t be stored. So data breaches is a big component of GDPR. You have to be able to detect them, meaning be aware of the data breach, and report and investigate. What that mean is, MailChimp for example, if they have a data breach, they’re going to tell their customers and that way you have the ability to know what happened and they’re, for the most part, going to handle the heavy lifting of here’s what happened, here’s the implications, here’s how we’re investigating, and they’re going to take the brunt of that responsibility. Data breach is an issue. Be aware of it. Get your stuff in the cloud, pronto. That is my takeaway from that one.

Really, those are the key issues. Those are really the key highlights that are going to apply to most massage therapy practices. Make sure you have content, make sure that you have systems that are secure and help you with procedures for data breach and reporting and investigation, make sure that you have your privacy policy in place that is compliant with GDPR using a template probably found on one of these links we’re giving you. Just be aware of these things, and it won’t take a whole lot of effort to get your website and your online presence in compliance. But A, it’s the right thing to do, and B, the consequences of not doing so, no matter how remote, could still be very scary for a lot of us. I will pause there. If you’re still awake, Allissa, I would certainly love to hear your feedback on anything that maybe you’d fill in some gaps or or that maybe you’d like further discussion on.

AH I’m mildly overwhelmed. And I’ve kind of known that I would be — and I’ve started to glance at the information about it. And knowing that my massage practice website doesn’t do much with people from the European Union, I have not in any way rushed to make this all happen. But I do know it’s something I need to do. As you went through your list, I kind of thought about what I already have in place, and I don’t think I’ve got to do too much more, but I will be consulting some of the resources that we share with people and going through point by point to make sure I’m updated, and I’ll probably be consulting you in the process.

MR Yeah —

AH It’s a bit thick.

MR [laughs] It is a bit thick. And in general, for the most part, if you have — again, if you’re using normal software that is secure, if you’ve got a privacy policy on your website, and you are using highly ethical marketing opt-in procedures, for the most part you’re probably okay. That’s the gist of it. I don’t want to overwhelm anybody. I do want to say that’s kind of a “tip of the iceberg” way to boil it down. If that helps.

AH I think this is all doable. And I think, if nothing else, it’s going to make all of us be a little more aware of how the moving parts work together and how we need to adjust them. This was a meaty episode. I think the last episode you did, too, and it was super meaty. Oh, that was the podcast one —

MR Oh yeah.

AH — so you’re on a roll here.

MR [laughs]

AH Bless you for handling the heavy lifting, dude. Bless you.

MR I do what I can here and there.

AH And that’s all I have to say about that because this is something I’m going to have to look at. I’m not an auditory learner. I have to read things and look at the words. So —

MR Luckily, we have transcripts.

AH Luckily, we have transcripts, and I will be utilizing it a great deal. And that’s what I have to say.

MR And do check the show notes. We’re going to link out to all of these resources I mentioned including some templates for creating your own privacy policy and some checklists. It will help clear it up a little bit, I think, as well.

AH Sweet. Thanks, man.

MR That’s what I got. That’s what I got.

AH Whoo. Well thank you, everyone —

MR Go forth and GDPR.

AH I totally was so overwhelmed that I forgot I’m the host of this episode.

MR Bring it home. Wrap us up, Allissa.

AH My bad. Thank you, everyone, for making it this far. If you have a question you’d like us to answer or a topic you would like us to tackle, you can reach out to us at podcast@massagebusinessblueprint.com, and we will do our best to cover it. And you can also go to massagebusinessblueprint.com to check out our free resources or consider joining our premium member community. And that’s all I have to say today. Thank you, people. Catch you next week. I’ll be in charge of the topic, and I’m probably going to have a rant for you.

MR Ooh, can’t wait.

AH It’s going to be great. Until then, have a fantastic, lucrative, productive day.

MR Thanks, everyone.