GDPR – Software compliance

Welcome to Episode 4 of “GDPR for dive centers”! In this episode we’ll go through some considerations related to the software that you use for your business. I’m sure that you already have an operations manual, the document containing a written description of how you handle things in your business, maybe the  same that you use to train new staff members. At this point you need to update it including how you handle your customers and your staff members’ data from the point of collection to the point of destruction (or maintenance for your records). The following questions might help you understand what kind of information you need to add to your operations manual.

• Do you use an electronic or paper form (or both?) to collect your customers data?
• Do your forms contain GDPR-compliant consents? Read more here.
• If you use a paper form, do you or one of your staff members then input the data in your CRM software?
• If you use an electronic form, does it feed data into your CRM software or you need to copy data manually? Is the form encrypted?
• In case of electronic form, how do you receive it? E.g. Google Docs, email attachment, upload to a cloud drive, other.
• What happens to the paper or electronic forms once you’ve transferred the data into your software? Aka: who has access to the forms?
• Who has access to the locked file cabinets?
• Who has access to your computers/tablets/phones? Do you instruct your staff members to lock the screen in case they leave the devices unattended?
• Who has access to your software?
• Do you restrict access to sensitive data?
• How long do you keep the data?
• Is it possible and easy to modify or delete data if your customers request it?
• What kind of data do you need to safely store for your records even if your customers request the permanent deletion? E.g. invoices, consent forms, course forms…etc.

The most important thing that you need to do now is to make a list that includes all the software, tools, programs, apps, anything that you regularly use for your daily operations. Consider these categories of software:

• CRM – that’s where you collect and manage your customers data
• Booking
• Accounting and payroll
• Marketing
• Website and blog
• Social media
• Dive agency software or web pages
• Communication (e.g. email, chat, messaging systems…etc.)
• Cloud storage
• Anything else that might contain your customers data?

Now go through the software categories above here and write the names of the software that you use for each category. This can help you define how personal data go through each software and what you can do to ensure protection. Once you’ve made a list of software names, before you do anything else, you need to read their Terms & Conditions and Privacy Policy. Are they saying anything about GDPR? If they are, they might write something like “Processor Agreement”. You might need an explanation about it. GDPR makes a difference between Controller and Processor. To simplify the terms in your daily operations, you are the Controller: you collect your customers’ data, you decide which data you need to collect and the purpose of this collection. The companies that offer you a service -e.g. the software companies that offer you the tools to store your customers data- are the processors. So the software that you use in your business helps you collect, store, maintain and process your customers data. The processing part could be manual or automatic and it might involve some filters: e.g. make a list of all the customers who recently did an Open Water course with you so that you can offer them a continuing education course at a special price. Let’s go back to the Terms & Conditions and Privacy Policy (sometimes they’re called Terms of Use and Privacy Notice). These represent the contract between your company and the software company. They might be very long documents, but it’s important that you quickly go through them to find out if they guarantee data protection. Try looking for keywords: GDPR, European customers, data protection, Privacy Shield…etc. and read what they say about it. Check where these companies are based: if they are based in Europe, then it is mandatory for them to comply to the GDPR requirements. This is the list of all European countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. GDPR extends its concepts to all the countries in EEA (European Economic Area), so you can add Iceland, Liechtenstein and Norway to the list above here.  Additionally, the European Commission has defined a ‘positive finding of adequacy’ for the following countries: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. In general, if the software company is based in one of the above countries, it is probably safe to assume that they enforce data protection (you still need to check in their Terms & Conditions and Privacy Policy to be on the safe side). If your software providers are based in the US, check if they adhere to the EU/US Privacy Shield. This is an agreement between Europe and the USA to guarantee data protection and the European Commission has accepted it. You can search for the software company in the Privacy Shield Database. Please consider that if the company is not based in the US or does not transfer data to the US, you might not find it in this database. Transfer of data is another important point to check: if these software companies transfer data to a country not listed above here, you need to check if they write how they are going to ensure data protection. Now you should have a list of all the software tools that you use, a nice green check next to those that provide their services from Europe or explicitly write how they are going to ensure data protection to GDPR standards in their Terms & Conditions and Privacy Policy and maybe a question mark or a red ‘X’ next to those that do not provide any assurance.  Now you need to make a choice: either you replace the software that doesn’t provide GDPR compliance with one that does or you need to add an extra level of consent when you collect your customers data. If you haven’t read our Episode 3 of “GDPR for dive centers” you can do it here. You will find an explanation of how to request separate consents for each purpose of data collection. Additionally you will read how to inform them about why you need their data and how you are going to protect them.  Depending on which software has a question mark or a red ‘X’ next to it in your list, you need to either inform your customers that their data might be transferred outside the EEA or ask for an explicit consent. You can see a couple of examples below here.

CRM software

This is probably the most important software that you use in your business. Here is where you collect all your customers data, their certifications, their rental equipment information and more. You might also save an electronic version of their medical statements and forms. It is very important that all these data are protected. If the Terms & Conditions and Privacy Policy of this software do not mention the GDPR or Privacy Shield or if the company is based outside of the EEA or they transfer data outside the EEA, your customers’ personal (and maybe sensitive) data may not be protected. If your choice is to continue using this software, you need to inform your customers that their data might be transferred outside the EEA for processing purposes.

Marketing software

This might be the software that you use to send your regular newsletter or a more complex tool to manage newsletters, and every click on your website. If this software is not GDPR compliant, not only you need to ask your customers for their explicit consent (an empty checkbox) to contact them, but next to the checkbox you need to write that their contact information might be transferred outside the EEA. If your customers don’t give you their consent, you cannot contact them and you cannot add their contact information to your marketing software. If you use a more complex marketing tool to monitor every click on your website and send automatic emails, among other things, you need to write in your privacy policy that your visitors contact information might be transferred outside the EEA. This should be written in the contact form and in the newsletter subscription form on your website as well. Would you like to know more about Geek Divers as a software solution for your dive business? By next 25th May Geek Divers will be fully GDPR compliant and help you protect your customers’ data! Contact us at info@geekdivers.com! This is the end of the fourth episode of GDPR for dive centers. Come back to blog.geekdivers.com for more episodes: we’ll dive deeper into the little practical steps that you need to take to make sure that your business is compliant. You want to be informed when a new episode is available? Join our newsletter or follow us on Facebook, Twitter and Instagram to receive real time updates. See you soon! Go to the previous episode here. Disclaimer: Geek Divers is not a law firm, nor is backed up by one. All the information provided above here are not intended to replace any legal advice by a professional.  Please use any or all of the above information at your own risk.