Welcome to Episode 4 of “GDPR for dive centers”!
In this episode we’ll go through some considerations related to the software that you use for your business.
I’m sure that you already have an operations manual, the document containing a written description of how you handle things in your business, maybe the same one that you use to train new staff members. At this point you need to update it to include how you handle your customers’ and your staff members’ data from the point of collection to the point of destruction (or maintenance for your records). The following questions might help you understand what kind of information you need to add to your operations manual.
- Do you use an electronic or paper form (or both) to collect your customers’ data?
- Do your forms contain GDPR-compliant consents? Read more here.
- If you use a paper form, do you or one of your staff members then input the data in your CRM software?
- If you use an electronic form, does it feed data into your CRM software or do you need to copy data manually? Is the form encrypted?
- In the case of an electronic form, how do you receive it? E.g. Google Docs, email attachment, upload to a cloud drive, other.
- What happens to the paper or electronic forms once you’ve transferred the data into your software? In other words: who has access to the forms?
- Who has access to the locked file cabinets?
- Who has access to your computers/tablets/phones? Do you instruct your staff members to lock the screen in case they leave the devices unattended?
- Who has access to your software?
- Do you restrict access to sensitive data?
- How long do you keep the data?
- Is it possible and easy to modify or delete data if your customers request it?
- What kind of data do you need to safely store for your records even if your customers request permanent deletion? E.g. invoices, consent forms, course forms, etc.
The most important thing that you need to do now is to make a list of all the software, tools, programs, apps, and anything else that you regularly use for your daily operations.
Consider these categories of software:
- CRM – that’s where you collect and manage your customers’ data
- Accounting and payroll
- Website and blog
- Social media
- Dive agency software or web pages
- Communication (e.g. email, chat, messaging systems, etc.)
- Cloud storage
- Anything else that might contain your customers’ data
Now go through the software categories above and write down the names of the software that you use for each category. This can help you define how personal data flows through each piece of software and what you can do to ensure protection.
GDPR distinguishes between Controller and Processor. To simplify the terms in your daily operations, you are the Controller: you collect your customers’ data, you decide which data you need to collect and the purpose of this collection. The companies that offer you a service (e.g. the software companies that offer you the tools to store your customers’ data) are the Processors. So the software that you use in your business helps you collect, store, maintain and process your customers’ data. The processing part could be manual or automatic and it might involve some filters: e.g. making a list of all the customers who recently did an Open Water course with you so that you can offer them a continuing education course at a special price.
Transfer of data is another important point to check: if these software companies transfer data to a country not listed above here, you need to check whether they state how they are going to ensure data protection.
Would you like to know more about Geek Divers as a software solution for your dive business? By next 25th May Geek Divers will be fully GDPR compliant and help you protect your customers’ data! Contact us at firstname.lastname@example.org!
This is the end of the fourth episode of GDPR for dive centers. Come back to blog.geekdivers.com for more episodes: we’ll dive deeper into the little practical steps that you need to take to make sure that your business is compliant. Do you want to be informed when a new episode is available? Join our newsletter or follow us on Facebook, Twitter and Instagram to receive real-time updates. See you soon!
Go to the previous episode here.
Disclaimer: Geek Divers is not a law firm, nor is it backed by one. The information provided above is not intended to replace legal advice from a professional. Please use any or all of the above information at your own risk.