The GDPR, or General Data Protection Regulation, is the European Union regulation on the processing of personal data; it applies from 25 May 2018. The official text of the complete regulation in all the available languages is here.
“Why am I reading this? My dive center is in Indonesia!”
Let’s see if it might make sense to go on reading! 🙂
- do you collect data from European customers?
- do you collect data from non-European customers who are resident in Europe?
- do you have European employees or collaborators?
If you answered ‘yes’ to at least one of the above questions, then you might want to keep reading: the GDPR also applies to businesses established outside Europe when they offer goods or services to people in the EU or monitor their behaviour there (Article 3(2)), so a dive center in Indonesia is not automatically exempt.
“No, I’m not interested. And anyway I’m too busy right now.”
Sure, that’s understandable. However, please bear in mind that from 25 May this regulation applies, and if your business is not compliant there may be consequences: administrative fines can reach €20 million or 4% of your total worldwide annual turnover, whichever is higher. Please let me help you understand how your business can be compliant.
The whole purpose of the GDPR is to put the ‘data subjects’, i.e. the individuals, in charge of their own data. They decide whether, and for which purposes, they give you their data, and where your processing relies on their consent they can withdraw it at any time.
“Ok, wait a minute! How can I take my customers for a fun dive or teach them a course if they don’t fill out and sign the liability forms and the course enrolment forms?”
Of course! The GDPR won’t ask you to give up your paperwork, but there are some small things you may need to change in your daily operations to make your business GDPR-compliant. These are the data protection principles that you need to observe:
Data collection purpose: you need to tell your customers why you are asking them for all these data. Is it for insurance reasons? Legal reasons? Marketing? Will you pass their data on to a third party (think of the dive agencies here)? Your customers need to understand exactly what their data are collected for, and they can then give you their informed consent for one or more of those purposes and withhold it for the others.
Lawfulness of processing: every use of your customers’ data needs a legal basis, and you must use the data only for the purposes they were collected for. Liability and enrolment forms can usually rest on the contract you have with the customer or on a legal obligation; marketing cannot. So if they didn’t agree to receiving emails about your future offers, you need to remove them from your mailing list. And yes, that’s true for the birthday email as well.
Data minimisation: do you really need to ask them for all this information, or can you reduce it to a minimum? If you need it and you can explain why you need it, no problem! Do you ask for their T-shirt or shoe size to assign them the right BCD and fins? That’s all good, as long as you tell them why you need this information.
Data accuracy: if your customer informs you of any change to their data, you must be able to update your records (they have a right to have inaccurate data corrected). Do you keep everything on paper? Then I guess you have a very good memory and know exactly which cupboard contains that customer’s data to update 🙂 Do you have an electronic version? I’m sure it would be much easier to search for that customer and apply the requested changes.
Storage limitation: you need to tell your customers how long you are going to keep their data, and delete (or anonymise) the data once that period is over. E.g. some dive agencies demand that you keep course records for 7 years, some countries want you to keep them for 10 years: apply the longest retention period that actually applies to you, and be able to justify it.
Integrity and confidentiality: personal data must be kept in a secure place, protected against unauthorised or unlawful access and against accidental loss or destruction. If you have your records on paper, who has the key to the locked cupboard/room? Is it safe from flood, fire or any other accidental damage? If you have an electronic version of your records, are the files or the device encrypted and protected by a strong password? Who has access, and does each person have their own account rather than a shared login? Do you take a regular (daily) backup, keep a copy somewhere else, and check now and then that it can actually be restored?
This is the end of the first episode of GDPR for dive centers. Come back to blog.geekdivers.com for more episodes: we’ll dive deeper into the practical steps you need to take to make sure that your business is compliant. Want to be informed when a new episode is available? Join our newsletter or follow us on Facebook, Twitter and Instagram to receive real-time updates. See you soon!
Go to the next episode here.