Hello to all! Welcome to the Music Teachers’ forum, a space to share support, network and have fun with other music teachers located across the UK and beyond.

Group Guidelines

How does GDPR affect you as a music teacher? (All Teachers)

10 replies, 2 voices Last updated by  Andrew Ford 1 year, 3 months ago
  • Creator
    Topic
  • #10436

    Matthew Rusk
    Keymaster

    How does GDPR affect you as a music teacher?

    The new GDPR EU ruling will be coming in on the 25th May. It is legislation around data protection…after the last few months of research & talks here is 5 steps to take note of as a music teacher:

    1. The GDPR applies to you, as you collect data on students. Specifically, you are likely to have names, email addresses, phone numbers. You might even have what is known as “sensitive data”, so information relating to medical conditions (for example about the voice for singing teachers), gender, sexual preferences, religious views – the last three are things a student might tell you during lessons. If you were to write it down somewhere (email, Facebook message etc.) then this is data that needs protecting. For teachers who have their own websites, you must consider the collecting of IP addresses etc. of your website users as “data”.

    2. You must ensure this data is secure. Easy tip; make sure you have a good password on your email account, 2-factor login verification if possible (Gmail allows this). Most of the above data is sitting in your emails. Delete data you don’t need. Delete accounts you don’t use.

    3. You must make sure this data is relevant. If you have information about students that is interesting but not vital to your service, you no longer have a right to collect it. You must also make sure you have the permission of a student to collect this data, doing this by a non-preselected tic box. This cannot be bundled with other agreements, for example, to pay for lessons you must accept my marketing emails. The two must be separate, opt-in only and with a chance to opt out at any point.
    4. A student can request you to delete all data you have about them. You must do this. However, you can keep data related to invoices and payments for the purpose of HMRC

    5. If you are hacked, for example, your email is compromised you must inform individuals who might be affected within 72 hours. Detailing what details might have been stolen. You must also inform the Information Commissioner’s Office of the data breach.

    I hope this post is useful for teachers worrying about this. I have been working really hard on the GDPR at my end to ensure that we comply. I am not a lawyer, so please contact relevant professional services for legal advice about the above. However, as ever I would more than happy to answer any questions I can with the knowledge I have gained by researching this topic.

    In summary, if you are sensible and secure with the data you have on students you don’t need to worry about GDPR.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Author
    Replies
  • #10549

    Matthew Rusk
    Keymaster
    @Matthew-Rusk

    Interesting further reading for those of you who might be interested: https://keyquestmusic.files.wordpress.com/2018/03/gdpr-a-piano-teacher-perspective.pdf

    #10550

    Matthew Rusk
    Keymaster
    @Matthew-Rusk

    Another very good read for those of you who are interested:http://www.wpbeginner.com/beginners-guide/the-ultimate-guide-to-wordpress-and-gdpr-compliance-everything-you-need-to-know/

    #10551

    Andrew Ford
    Participant
    @Andrew-Ford
    Points: 30

    Thanks Matthew. I sent my email out using MailChimps GDPR template. It has a button to update preferences. I know at least 2 people on my list have done it because they told me. I can’t see anywhere in MailChimp to see who has updated their consent. No one seems to know. So looks like I’ll have to delete my entire list and start again with double opt in. Fun

    #10552

    Matthew Rusk
    Keymaster
    @Matthew-Rusk

    I can see your problem, there is more to it in regard to “re-consent” (https://litmus.com/blog/gdpr-re-permission-campaigns-6-tips-for-making-them-a-success). How did you collect the data originally to build up your mail list and can it be that it was GDPR compliant just in the way you had been doing it?

    #10553

    Andrew Ford
    Participant
    @Andrew-Ford
    Points: 30

    Matthew Rusk hmmm, the problem is a lot my address where collected by the old pen and paper method, so I don’t have any evidence of the consent. If MailChimp would let me know who updated their preferences I’d be covered

    #10554

    Matthew Rusk
    Keymaster
    @Matthew-Rusk

    Andrew Ford that is a pretty major screw up by MailChimp, what a nightmare!

    #10555

    Andrew Ford
    Participant
    @Andrew-Ford
    Points: 30

    Matthew Rusk I’m gonna message them and find out. Maybe I’m doing something wrong…

    #10556

    Matthew Rusk
    Keymaster
    @Matthew-Rusk

    Andrew Ford this is an interesting read: http://www.bbc.co.uk/news/technology-44240664 & what I talked about with Eliza Jane Fyfe. I am not sure you really need to re-consent users of your list to allow you to continue to send newsletters to them. The law cannot be retrospective and assuming you have collected the data in a reasonable way (sounds like you have, as you ask people if they wanted your newsletter), protect the data properly (using say a two factor authentication on your mailchimp list + strong password) and are using it to send information that is relevant to why they signed up (so about piano lesson related activities…not about cheap holiday packages to Spain) then you are still complying with GDPR. I have a feeling that many of the big companies are simply trying to cover their backs by “re-consenting” their users, however, I have now seen several articles that say this process is unnecessary if data is being reasonable handled for reasonable purposes. In addition, if the first port of call, if someone would have a complaint, would be for them to unsubscribe, contact you to highlight their displeasure at receiving it. I believe, from reading, at worst you would get a warning, however, I think you could demonstrate that this newsletter was relevant to the users subscribed and you always gave them the option to opt out.

    #10557

    Andrew Ford
    Participant
    @Andrew-Ford
    Points: 30

    Interesting reading, thanks.

    #10548

    Phil Schneider
    Participant
    @Phil_Schneider
    Points: 102

    I have been handing out similar information to all students.

    point 2. Arent the email service providers responsible for email security ? Besides not printing your password on your forehead or obvious self inflicted blunders.

    Information Commissioner’s Office 486 employees and aroud 644 million active websites in the world. cant really see them being that effective

    Legislation not clear anyway
    Guardian
    “The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week.

    Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.
    Why the GDPR email deluge, and can I ignore it?

    But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.

    “Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.

    “Even if you are relying on consent, that still does not mean you have to ask for consent again. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented.”

    In other words, if the business had consent to communicate with you before GDPR, that consent probably carries over, and even if it doesn’t carry over, there are five other reasons a company can cite for continuing to process data.

    What’s more, Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

    “In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

    The lack of understanding around when and why consent is needed under GDPR has prompted the Information Commissioner’s Office to try to resolve some of the “myths” of GDPR.

    “We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” Steve Wood, the deputy information commissioner, wrote in guidance for businesses. “So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

    Like Vitale, Wood emphasised that asking for marketing consent from people who had not given it initially could be illegal. “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,” he said.

Viewing 10 replies - 1 through 10 (of 10 total)

You must be logged in to reply to this topic.