Welcome to Episode 3 of “GDPR for dive centers”!
In this episode we’ll go through some considerations related to the paper and electronic forms you use to collect and process your customers’ data.
If you haven’t done so yet, please read Episode 2 of “GDPR for dive centers” to make sure that your data collection forms are GDPR compliant. Your customer data collection form, your liability form and your dive agency course forms contain your customers’ personal data. Your agency medical statement form and the doctor’s clearance form contain sensitive data. What’s the difference?
Personal data are any data that identify one individual: e.g. first name, last name and email address, or even just the email address if it looks like [name].[lastname]@[email.com] (replace with a real name, last name and email provider, of course)! Sensitive data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
According to GDPR, processing sensitive data is prohibited (GDPR – Art.9(1)), unless ‘processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity’ (GDPR – Art.9(2)(f)). This article gives you the right to collect and process medical statements. If dealing with personal data requires you to implement an adequate system to protect them, dealing with sensitive data requires special measures. In particular, when you collect and process sensitive data, you need to request specific consent from your customers. In the consent you need to inform them of the following:
- where you are going to store these data (e.g. locked up and you are the only one with the key)
- how long you need to store these data and why
- if you are going to disclose these data, state which person or company will have access to them and their contact information
You also need to make sure that, if you need to disclose these data (personal or sensitive), the receiving end is either in the EU or, if not, that they comply with GDPR. This includes dive agencies. As the collector of the data, you are responsible for their security. If you transfer personal and/or sensitive data to an organisation that is not GDPR-compliant, both that organisation and your company are liable in case of a data breach investigation.
Keep all the forms and consents in a locked cabinet. In the case of medical forms (or any form containing sensitive data), mark them ‘confidential’ and lock them up separately. This way, if one of your instructors needs to check one of his/her past courses (and he/she is authorised to do so), the customer’s file does not contain sensitive data. Implement a reference system so that you can easily find the medical statements related to that customer in the other locked cabinet. The above are clearly just suggestions. The important thing is that you are responsible for keeping your customers’ data safe, even when you’re not around. That also means that the keys to the locked cabinets should not be left unsupervised somewhere in the office! No keys under the flower pot! 🙂
If you collect your customers’ data electronically, or you copy/scan the paper forms to your computer, there are some additional measures that you need to implement.
- Consent – please check Episode 2 of “GDPR for dive centers” for personal data consents, and the section above for sensitive data consent
- Is your computer receiving all the software updates? This is very important in order to maintain a basic level of security on your computer in case you have a data connection (who doesn’t these days!).
- Do you have an updated version of an antivirus? You don’t want to have a virus on your office computer, especially where you store your customers’ data! A virus can destroy your files or corrupt them in a way that is beyond repair. Some kinds of malware (trojans) are very sneaky: they open a door to your computer and from there they can access all your data. And most of the time you don’t even know that your computer has any kind of malware! Do your business a favour and get a good antivirus.
- Who has access to the office computers and to the software that you use for customers’ data? Make a list of selected employees, including yourself.
- Is there any form of restricted access to sensitive data? For example, do you store the electronic versions of the medical statements separately? Is this storage location password-protected? Who has access?
- Is the electronic form that you send to your customers served over an encrypted connection (e.g. https in the URL)?
- If you send an email to your customers with an empty text file to fill out and your customer sends it back with personal data, who will read this email?
- Do you make regular backups of your data? If yes, are the backups on a separate encrypted hard drive? An encrypted hard drive uses a sophisticated mathematical algorithm to protect the data. You can access (or decrypt) the data only if you enter the correct key or password. If the hard drive is not encrypted, do you regularly store it together with the paper forms in a locked cabinet? In case it’s misplaced or lost, can anybody access it, including all your customers’ data? In other words, who has the password?
- If you offer free WiFi to the customers walking into your dive center or dive resort, do you have a separate WiFi network for your office? If not, you need to at least have separate access points. Please check your router manual to find out how to create a guest access point, and keep both your office and the guest access points password-protected. Clearly only your office staff should know the office WiFi password.
- Do you have an operations manual? This could be the document that you use to train new staff, especially administrative staff. More on this in one of the next episodes.
- Are your office computers password-protected? Do you have an automatic screen-lock after a certain period of inactivity on your office computers? Please don’t tell me that you have passwords written on post-its on your monitor! 😀
This is the end of the third episode of GDPR for dive centers. Come back to blog.geekdivers.com for more episodes: we’ll dive deeper into the little practical steps that you need to take to make sure that your business is compliant. Do you want to be informed when a new episode is available? Join our newsletter or follow us on Facebook, Twitter and Instagram to receive real-time updates. See you soon!
Go to the previous episode here.
Disclaimer: Geek Divers is not a law firm, nor is it backed by one. The information provided above is not intended to replace legal advice from a professional. Please use any or all of the above information at your own risk.