But for each and every one of the infinite uses it offers, there’s a possibility of misuse and/or abuse. When discussing GDPR, the objective is generally tied to consumers, who are at risk of such things as identity theft, financial fraud, stolen information, social-media manipulation, etc. GDPR is designed to guarantee, insofar as possible, the security of people’s personal data. But the premise driving GDPR—that data is precious, has to be safeguarded, and therefore regulated—applies equally to businesses.
Not a month goes by when we don’t learn about another huge data breach with far-reaching and, sometimes, incalculable effects. In March, when it was discovered that Cambridge Analytica may have used the data of over 50 million Facebook users for political ends, the subsequent headlines in the Times read, “Cambridge Analytica Suspends CEO” and “Facebook Data Security Chief to Leave Amid Outcry.”
Perhaps more importantly, for the very first time the development made GDPR a hot topic, and a U.S. topic—one reported on by newscasters, discussed by talk show hosts, and figuring prominently in other headlines, including: “Could GDPR Have Stopped the Cambridge Analytica Scandal?”
Devil in the Details
“Health clubs collect personal data from members and nonmembers,” says Leach. “They collect names, addresses, emails, bank details, medical information, and lots of other information. Data is critical to every aspect of our business, and we’re responsible for protecting it. … GDPR is designed to ‘strengthen and unify’ data protection for everyone within the EU.”
The reviews of the measure range from “not essential” to “the jury’s still out,” but one of the things that everyone seems to agree on is summed up by Jim Goniea, the general counsel for Anytime Fitness, which has a major international presence. “We view GDPR standards as being the wave of the future, and we intend to implement them across our international operations, even outside the EU, to the extent that they don’t conflict with local laws.”
Another conclusion reached by all, including Leach and Cartoux, is the importance of making use of attorneys or consultants with serious regulatory expertise. “I strongly recommend that any fitness club consult with their advisers about the full implications of GDPR,” says Leach.