In this guide you will learn how to manage personal information requests from your clients, as part of GDPR (General Data Protection Regulation) requirements. This set of regulations has come into effect as of May 25th, 2018 and will replace the existing EU data protection laws.
To further your knowledge on GDPR and other compliance best practices, such as PCI DSS, you can see the range of help guides available to you in our Privacy & Security section here.
Important disclaimer: the contents of this guide and other related GDPR guides are for general information purposes only and do not constitute legal advice. We recommend talking with your lawyer, or seeking legal advice, about what your business needs to do to be compliant.
What constitutes personal information?
Personal information is "any data relating to an identified or identifiable natural person". This can include information or references to:
- Name
- Contact details
- Location and IP address
- Information pertaining to physical, physiological, genetic, mental, economic, cultural or social identity.
Sensitive personal data is a special category of personal data. This includes information such as: racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation and health information.
Why do I need to manage personal information requests?
Under GDPR, individuals have a number of rights pertaining to how their information is used by organisations, and they can exercise those rights by making requests regarding their personal information. These requests can be made verbally or in written form, and as a business owner you have one month (or 30 days) to respond to them.
We cover more insight into your roles and responsibilities as a business owner (and data controller) in this help guide: GDPR: keeping your clients' information secure.
Best practices for communicating how information is used
In Timely, you will be able to add your own Privacy policy, which your clients can view and accept when booking online. We will record in their customer profile whether they have accepted the privacy policy, and show the date and time this was recorded in the Customer's Log. This field can be updated by the business owner if the client agrees to the policy in person, or wishes to revoke their consent.
In our help guide regarding the creation and maintenance of your privacy policy, we recommend communicating the following, to help bolster trust in your business and its security practices:
- Transparency into what personal information you collect, and why you collect it
- Transparency into how you ensure data collected remains secure
- Transparency into who is responsible for maintaining data security
- Transparency into the retention period of data collected
- Transparency into your process for redacting and purging data that is collected
Best practices for exporting and sharing personal information
Individuals (in this case, your clients) are able to request any information that a business (you) stores or processes on their behalf. This must be provided at no charge to the requester. Individuals must also be able to export their data in an open format, such as a CSV. This ensures compliance with The right of access and The right to data portability.
In Timely, you can export specific reports based on an individual client's information. These can be exported in a number of open formats, but we’d recommend CSV as the most versatile format.
When exporting, you can select the date range, format, and status.
Best practices for deleting or updating identifiable information
Individuals (in this case, your clients) are able to request that any identifiable information that a business (you) stores or processes on their behalf be deleted or updated. This must be completed at no charge to the requester. This ensures compliance with The right to erasure/to be forgotten and The right of rectification.
- If a customer requests that any of their details be updated, these changes can be made directly to their customer record in Timely; see our help guide on How to add or edit customers for more information.
- If a customer requests to be removed from your database, you can archive their customer record, which will remove them from your list of customers; see our help guide on How to archive and restore customers for more information.
Important note: under some circumstances, the right to erasure won't apply. In these circumstances, any identifiable information can be removed/redacted at our end to protect the customer's privacy, while keeping the integrity of your historical records intact. If a customer requests to have their full details and history removed completely, you can contact us directly at privacy@gettimely.com.
Providing your clients the ability to opt out of marketing messages
Individuals (in this case, your clients) should be able to easily opt out of marketing messages. This ensures compliance with The right to restrict processing and The right to object. For more information on how to record and manage marketing consent in Timely, see our help guide here.
Timely tip: if you are using MailChimp, then you will be able to manage a client's subscription in MailChimp directly. The following are resources to support you in doing so: