This article aims to provide support for dive centres in understanding GDPR and being compliant with the new rules. It is not a legal document and is NOT intended as a substitute for professional advice from experts.
New data protection laws are coming into place across the EU from 25th May 2018. These rules apply to all EU citizens regardless of the country they are in as well as every business in Europe. Every business is different and every business owner must take personal responsibility for understanding the new regulations and ensuring their compliance. If you are unsure how it affects you and your business we have some links in this article that should help you, if not please seek professional advice.
WHAT IS GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC, currently in place in the UK, and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
WHAT INFORMATION DOES GDPR APPLY TO?
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
SENSITIVE PERSONAL DATA
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
YOUR BUSINESS & GDPR
By law and to be compliant with HSE regulations your dive centre will hold student data. You need to ensure you are collecting and storing this data in compliance with the new GDPR regulations.
Some points to consider when it comes to storing and collecting personal data from students:
- How are you storing your students’ data?
- Are physical copies secure?
- Are digital copies secure?
- Are you ensuring that you only maintain documents for the prescribed period of time (seven years?)
- Do you have a mechanism to safely destroy records after this time?
- Who has access to this data?
- How do you document who has access to these records?
- Do you have a system whereby a student can be ‘forgotten’ if they request this?
- How are you storing your students’ data?
- Do you have someone in your business nominated as a Data Protection Officer, who is taking responsibility for data protection compliance?
- Are students aware that you have to keep their documents for the prescribed period of time?
The new regulations are a great opportunity to re-organise your marketing and data systems. If you have an email newsletter you will need to send out an “opt-in” email. Mailchimp has some great advice on how to do this. Remember after 25th May 2018 you can only use the “opt-in” list of subscribers to maintain compliance.
RAID & GDPR
The latest version of the RAID General Diving Standards (RGDS), v55, explain how RAID is compliant with GDPR. If you would like further information on this, please contact the RAID UK office on 0191 4324644 or email firstname.lastname@example.org.
The following links can be used for further information on compliance or please seek professional advice: