Rapid changes in data collection lead to more regulation across the globe
By Al Hornsby, Senior Vice President, Legal Affairs
Legal obligations regarding the collection, transfer and use of student diver and customer information are not new. These obligations are inherent not only in the diver certification and registration process, but also in your day-to-day business activities. What is new, and still expanding, is the rapid evolution of far-more-stringent approaches to data collection and use showing up across the globe.
The most publicized, and perhaps the most specific, is the General Data Protection Regulation (GDPR) – a regulation under European Union (EU) law regarding data protection and privacy for all individuals within the EU and the European Economic Area (EEA). However, this is not the only one. Canada’s Anti-Spam Law (CASL), which has been in place since 2014, is similar. Australia has introduced policies reportedly based upon CASL. Japan and China are developing guidelines, and California, in the United States, is also developing more intensive regulations. The simple fact is that given the nature of today’s world and its ever-more extensive collection and use of personal data, it’s fairly inevitable to expect that data governance through legally obligated guidelines will continually increase both in location and stringency.
Generally speaking, privacy laws and guidelines have been established for the purposes of protecting a consumer’s private information, such as name, birthdate, mailing address, email address, etc. While these guidelines may differ from country to country, they typically state that a business collecting such information should:
- Have a secure data system that can reasonably protect the information from improper access by others.
- Provide consumers the ability to determine how their personal information may or may not be used, and if it may be shared with others.
As you may have heard, PADI’s data collection, use and storage protocols have been going through changes as a result of GDPR. There have been revisions to PADI® and EFR® privacy policies, along with changes to PIC and Online Processing Center language regarding opt-in/opt-out and disclosures about how data will be used and administered. Behind the scenes, there have been upgrades in the security involved in storing and transferring data. Also, new consumer and member rights will provide for individuals within the GDPR-regulated countries to “be forgotten,” meaning that upon request their data will effectively be “disconnected” from access/use, and retained only to meet specific legal and business obligations. All of this is to provide consumers and members more clarity, self-determination and security regarding how/why their personal data will be used, and by whom.
As a PADI Dive Center or Resort, and also as an individual PADI Member, it’s important to understand the direction the world is rapidly heading regarding these issues. Even if you reside or do business in a locale that has not yet instituted stronger privacy regulations, the time is undoubtedly coming. The guidelines in place in significant portions of the world have simple, good practices at heart and reflect what we all expect regarding our personal data.
For your customers and student divers, there is both value and risk in providing personal data for the purpose of buying a product, joining a program, receiving training and so on. As service and product providers, you should begin looking closely at your practices and security to make sure that customers’ data are protected and used with their best interests in mind. You want your customers to trust that they understand and get to determine if, how and by whom their personal data may be used.
For More Information: