GDPR policy
To comply with General Data Protection Regulation (GDPR) I must demonstrate fair, lawful and transparent processing of a client’s data. It should therefore be easy for clients to find out about where I store data, what I do with it, how to get a record of this data or ask to have their data deleted. Personal data refers to any information that can be used to identify a particular living individual, including your name, address, date of birth and financial information.
For the coaching process the data I collect might include:
Client’s name
Client’s email address
Client’s home address (does not apply to corporate clients)
Client’s mobile phone number
The data I might collect needs to be for a purpose that is specific, explicit and legitimate to the coaching process. The reason I would collect this data is to:
Email invitations for coaching sessions.
Email exercises and actions to undertake between sessions.
Send invoices via Xero financial software (does not apply to corporate clients).
Post items, as and when necessary (e.g. Swim Jump Fly book).
I must only keep data for as long as is needed to complete coaching. I will keep clients’ data for 3 years after we stop working together; this is in case a client decides to return for further coaching sessions. After this point I will erase their personal data, with the exception of the signed contract, which I will retain with all contact information redacted.
Data minimisation requires that a client’s data must be adequate, relevant and limited only to what is necessary. The data I keep must be accurate and up to date, and all my clients have the right to request that any inaccurate or incomplete data is erased or rectified within 30 days. They also have the right to raise a complaint about the personal data I hold – this would be via the supervisory authority where they live or work. For the UK this is the ICO.
GDPR also covers data security, which means I must ensure I have appropriate security measures in place to protect a client’s data. All the data I hold is digital. I have a password-protected laptop, and all passwords are kept in a specialised software system called 1Password, which requires a further password to access this information. I also use antivirus and malware protection software.
In terms of GDPR terminology I am the ‘Data Controller’ – i.e., the person who, alone or with others, determines the purposes and means of the processing of personal data. I back up all my data using Carbonite, an automatic, safe and secure online system. I will not share data with any third party without gaining consent. However, if I do have a minor personal data breach, I will inform anyone involved of the situation. If there is a major breach, I will report it within 72 hours. It is good practice to keep a log or record of any near misses that may happen, to help me prevent them from happening in the future.
I compile all the data I hold about clients in a spreadsheet which contains the client’s name and a summary of the types of information I hold on my clients (e.g. email address, mobile number, etc.). This helps me to record the processing activity I undertake and how I handle this data. This spreadsheet is protected by a password and is entirely for my own administration purposes (i.e., no one else has access to it).
To comply with GDPR I am registered with the Information Commissioner’s Office (ICO) and pay an annual fee for registration. Before we start working together, I need to gain a client’s consent for holding their personal data so that coaching can take place. I seek consent via the coaching contract and will ask a new client to sign this before we start working together. If you have questions about this policy, please get in touch at ch@charlottehousden.com.