How to manage personal information requests (GDPR)
The EU General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018 and will replace the existing EU data protection law.
GDPR gives individuals control over how their personal information is stored and used by companies.
We recommend reading our Privacy, GDPR and Timely guide first, for more information.
Under the GDPR, individuals also have a number of rights around how their information is used by organisations.
They are able to exercise these rights by making requests about their personal information.
These requests can be made verbally or in written form, and you have one month to respond to them (this can be extended by up to two further months where requests are complex or numerous, provided you tell the individual within the first month).
In this guide, we’ll cover the rights that individuals have and how you can comply with those requests using Timely:
- Communicating how information is used.
- Exporting or sharing personal information.
- Deleting or updating identifiable information.
- Opting out of marketing messages.
Disclaimer: The contents of this guide and other related GDPR guides are for general information purposes only and do not constitute legal advice. We recommend talking with your lawyer, or seeking other legal advice, about what your business needs to do to be compliant.
Communicating how information is used
The right to be informed: Individuals have the right to know how their personal information is being stored and used by your business. This must be presented when they share their information and must be easy for them to understand.
For example: You require the client’s email address and phone number to send them reminders and notifications. You also make notes about the client’s previous treatments, preferences, any allergic reactions or adverse results, to make sure that you deliver a service that causes them no harm and is customised to their preferences.
The consent field on the customer record can be updated by the business owner if the customer agrees to this policy in person, or later wishes to revoke their consent.
Exporting or sharing personal information
The right of access: Individuals are able to request a copy of any personal information that a business stores or processes about them. This must normally be provided free of charge (a reasonable fee may only be charged for requests that are manifestly unfounded, excessive or repeated) and within the one-month response period.
The right to data portability: Individuals must be able to export their data in a structured, commonly used and machine-readable format, such as CSV.
For example: A client is moving to another city and would like a full record of their appointment history, so their provider in the new city has access to their history, preferences and other relevant information. This must be shared with the client in an open format that doesn’t prevent them from using that information.
In Timely, you can export specific reports based on an individual customer’s information. These can be exported in a number of open formats, but we’d recommend CSV as the most versatile format.
The following reports can be exported directly from the customer’s record:
- From the Appointments section in the customer's record, click the Print appointments button to view a list of all that customer's bookings. You can then narrow the list by date range, format and status.
- From the Sales section in the customer's record, click the Print statement button to print a list of their invoices and payments. You can view the specific services and products they purchased using the Service sales report or the Product sales report.
- From the Notes section in the customer's record, click the Print notes button.
Deleting or updating identifiable information
The right to erasure/to be forgotten: Individuals can request that any identifiable personal information that you have stored on them be deleted or removed.
The right of rectification: If the data you hold on someone is incorrect or incomplete, you must correct it without undue delay and pass that correction on to any third parties you have shared the data with.
For example: A client has visited your business for an initial consult and has completed a new client form that required them to share some personal information around their employment, marital status and physical/mental health. After deciding to go with an alternative provider, they request that you remove their information from your system.
If a customer requests that any of their details be updated, these changes can be made directly to their customer record in Timely: How to add or edit customers.
If a customer requests to be removed from your database, you can archive their customer record, which will remove them from your list of customers: How to archive and restore customers. Note that an archived record can be restored, so the underlying data is retained; see below for full removal.
Under some circumstances, the right to erasure won’t apply. In these circumstances, any identifiable information can be removed/redacted at our end to protect the customer’s privacy, while keeping the integrity of your historical records intact.
If a customer requests to have their full details and history removed completely, then you can contact us directly on email@example.com.
Opting out of marketing messages
The right to restrict processing: Individuals can control how and where organisations use their data, e.g. they can choose to have their information stored but not used, or otherwise restricted/suppressed.
The right to object: Individuals have the right to object to their data being used for direct marketing, to processing based on legitimate interests or a public task, and to processing for scientific/historical research or statistical purposes.
For example: A client would like to visit your business and receive reminders about their appointments, but they don’t wish to be sent any marketing material about your business. This includes promotional offers, discounts and marketing campaigns, as well as general newsletters.
You have complete control over what messages a customer is sent from Timely:
You are able to edit these settings for a customer individually, if requested. Check out our How to record marketing consent guide for more information.
If you are using MailChimp, then you will be able to manage a customer’s subscription in MailChimp directly: