GDPR is Just Around the Corner – Effective 25th May 2018

In February we announced our plans to fulfill our obligations for the GDPR (General Data Protection Regulation). Since then we have been busy ensuring we’re compliant and making it easier for you to comply also.

Here’s a quick refresher on the GDPR

The General Data Protection Regulation (GDPR) is an EU privacy law that will take effect on 25th May, 2018. It replaces the current EU data protection laws and essentially provides a set of principles to ensure customer data is protected.

The Data Protection Principles include requirements such as:

• Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.
• Personal data should only be collected to fulfil a specific purpose and it should only be used for that purpose. Organisations must specify why they need the personal data when they collect it.
• Personal data should be held no longer than necessary to fulfil its purpose.
• People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organisation.

Will the GDPR apply to your business?

The GDPR applies to all EU-based businesses, as well as anyone processing the personal data of EU citizens. If your business collects, records, stores, uses, or erases personal data from customers or contacts in the EU, the GDPR should be on your radar.

There are different requirements based on what role you play in storing or using customer data.

Controller vs processor

It’s important to understand your role with the GDPR, as that determines what actions you need to take to be compliant. There are two key roles: controllers and processors.

Controller: If you use Timely software and operate within the EU or with EU citizens, then that’s you: our customer. To comply with the GDPR, you will need to fulfill your obligations as a controller.

Processor: That is wherever you decide to send your data for processing – which is Timely, and any other places you may send your data to (e.g. Mailchimp, Xero, etc). From 25th May 2018, Timely will be a compliant processor, ready to assist you with any data subject rights requests you may receive (e.g. if one of your customers ask to have their information edited or deleted).

The good news is that we’ve made it really easy, for you as a controller, to meet your obligations under the GDPR.

What should you do to ensure your business is GDPR compliant?

There are some key things you need to do to ensure you are compliant, notably capturing your clients consent to use their data, and checking that other providers you use are also compliant.

To support you in being compliant in your role as a controller, Timely have:

• Added a new section for you to add a Privacy Policy, this will appear within the online booking process and requires customers to give their consent by “opting-in” using a tick-box.
• Documented how you can export your customers data (if requested).
• Documented how you can request the permanent deletion of a customer (if requested).
• Identified improvements to other processes where customer information is involved to ensure the customer’s personal data is not unintentionally shared. For example, if your front counter PC or tablet is in sight of other customers, we recommend using the Timely ‘Blur’ function within the calendar, obscuring the customers personal details.
• Changed customer consent for email marketing from opt-out to opt-in (this only applies if you use our MailChimp integration).

What about your existing customers?

For customers that you acquired before 25th May 2018, it is worthwhile informing them that you will be GDPR compliant and to provide them with an updated privacy policy, however there is no need to retrospectively get their consent for any service-based communication that is delivered from Timely (e.g. booking reminders, notifications, etc). For email marketing, it’s best practice to ask for consent again to make sure your customers are still happy to receive messages (this only applies if you use our MailChimp integration, more on this here). Please note that as a temporary measure, we will be disabling the SMS marketing feature for EU customers from the 25th May 2018 until we have the ability for you to re-consent customers.

If you accept online bookings, then we recommend you add a privacy policy by 25th May 2018 that allows customers to consent to sharing their personal information with you. We’ve made it super easy for you to add a privacy policy and view your customers consent in our customers details screen.

Changes at Timely

Protecting our customers data has always been important to us, so we’ve used this opportunity to carry out a full review of our systems and processes:

• We are updating our privacy policy as of the 25th May 2018.
• We are providing a new GDPR Data Processing Agreement which you can opt into.
• We have reviewed our third party vendor agreements to ensure compliance on their part.
• We’ve provided a way for businesses to request a data export of their Timely account or request a permanent account deletion.
• We’ve changed our marketing messages tick box to default to ‘not-ticked’, so that customers now need to opt-in to receive marketing messages. Note: they will continue to receive service related messages.
• We’ve appointed a Data Protection Officer (DPO).
• We’ve tightened up internal access policies so the right people have the right access to customer data within Timely.
• Security is a key priority for us. We carry out regular penetration tests using trusted third party security specialists to verify our systems and processes.
• We’ve reviewed internal processes to ensure customer data is kept secure, and provide advice on how customers can keep their clients data secure. This includes the visibility of screens with personal information, and how handwritten notes, USB sticks and printed reports are stored.
• We’re ensuring that our upstream providers (sub-processors) are GDPR compliant.

Where can you find out more information?

If you need to find our more about what Timely and the GDPR then please check out updated Privacy policy, contact our Data Protection Officer, or check out our GDPR help guides.

To find out more about the GDPR we recommend you go directly to the GDPR website, or this other handy website.

*Disclaimer*

This blog post does not constitute legal advice. You should also talk with your lawyer about what your business needs to do to be GDPR compliant.