In this guide you will learn about privacy at Timely, specifically as it pertains to GDPR requirements. GDPR stands for the EU General Data Protection Regulation; it came into effect on May 25th, 2018 and replaces the existing EU data protection laws.
Important disclaimer: The contents of this guide and other related GDPR guides are for general information purposes only and do not constitute legal advice. We recommend talking with your lawyer, or otherwise seeking legal advice, about what your business needs to do to be compliant.
What is GDPR and why does it exist?
Historically, many companies have treated personal information as a limitless resource that they were free to access for their own benefit, with little regard for the privacy of the individuals involved. To combat this, GDPR was introduced as a means of returning control over personal information to individuals, and of opening the conversation to further security and privacy reviews.
If you collect, store or otherwise manage the personal information of individuals who live in the European Union, even if you don't have an entity or presence in the EU, then the GDPR will apply to you. If you want to find out more about the GDPR, we recommend checking out the official GDPR website or the Information Commissioner's Office (ICO) resource.
What constitutes personal information?
Personal information is "any data relating to an identified or identifiable natural person". This can include information or references to:
- Name
- Contact details
- Location and IP address
- Information pertaining to physical, physiological, genetic, mental, economic, cultural or social identity.
Sensitive personal data is a special category of personal data. This includes information such as: racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation and health information.
What is a controller vs a processor?
It’s important to understand your role with the GDPR, as that determines what actions you need to take to be compliant. There are two key roles: controllers and processors.
- Controller: a business or entity that collects and stores personal information relating to an individual, for a specific purpose. It is the controller’s responsibility to both obtain informed and explicit consent from the individual, and ensure that they (and any services, systems or processes that they use) comply with the regulations - this is you as the business owner and Timely customer.
- Processor: a third-party service or system that operates on behalf of the controller to store or process personal data as part of the service delivery process - this is Timely, and any other services you share customer information with (e.g. MailChimp, Xero, Google Calendar etc).
What are my responsibilities as a controller?
While Timely is ensuring our systems and processes are compliant with GDPR, you have a responsibility as a controller to make sure your business practices are also compliant. This includes the way you and your staff use Timely.
To comply with GDPR, you will need to fulfil your obligations as a controller, which include:
- You must have a legal basis for collecting personal information as part of your service delivery.
- You must communicate to customers how their data is being processed, why it is being processed, from which sources that information was/is taken and under which circumstances. This must be explained in an understandable and accessible way, using simple and clear language.
- You must ensure that any services that you use as part of your service delivery (processors) are also compliant with the regulations.
- You must collect and record explicit and informed consent from your customers before sending them marketing messages (SMS and email).
What else should I consider or talk with a lawyer about?
- Review all of your systems and processes around personal information. Are they all necessary? Is there anything you need to stop doing, or change, to be compliant? You will need to communicate this to customers, so documenting this as you go will make that process easier.
- Make sure that all of the services you use in your business (processors) are also GDPR compliant. Understand how they process your information, where this is stored and how you can exercise your rights e.g. where/how do you access/update information to comply with personal information requests.
- Educate your staff about GDPR, what rights individuals have and the legal basis for collecting and using personal information. Reiterate the importance of using personal information sparingly and only when necessary.
- Review your current staff access settings - what information do your staff really need access to? See our guide on How to restrict staff access.
How does Timely support my business in being compliant as a controller?
Privacy policy
We have a dedicated field in your account for you to enter your Privacy policy. This is shown to customers during the online booking process. They can consent to opting-in by checking the box provided. We have put together an outline and some tips for writing a privacy policy in the guide below.
As a privacy policy is a legal document, we would advise consulting with a lawyer as part of the drafting process. While we are happy to help with any questions about adding a privacy policy to your Timely account, we aren't able to provide any legal advice or guidance. See our How to add or update your privacy policy guide for more information.
Marketing Consent
Customers won’t be automatically opted in to your SMS marketing (bulk SMS) list. If a customer consents to being opted in, you can update their settings individually to ensure they receive those messages. See our help guide on How to best record marketing consent for more information.
Complying with personal information requests
Under GDPR, customers have specific rights regarding their personal data. These are based around a series of key Data Protection Principles, which you can read more about in our Data Protection Principles guide. To learn in further depth about managing personal information requests, see our guide on How to manage personal information requests.
Key concepts:
- The right of access and the right to data portability.
- The right of erasure / the right to be forgotten.
- The right to restrict processing and the right to object.
What is Timely's role as a processor?
While protecting our customers’ information has always been a high priority for us at Timely, we’ve used this opportunity to review all of our systems and processes around collecting, storing and processing personal information. In light of this, we have made the following changes:
- Nominated a Data Protection Officer.
- Reviewed and updated our Privacy Policy.
- Provided a Data Processing Agreement, which our EU customers can choose to sign. If you're interested in signing this, please reach out to us on privacy@gettimely.com.
- Ensured that all of the services we use as part of delivering Timely to you (sub-processors) are also compliant (see our List of Timely sub-processors).
- Made changes to the Timely product and help centre resources to allow you to manage consent and comply with personal information requests easily, such as: How to record marketing consent, How to manage personal information requests, and How to add or update your privacy policy.
Important note: these changes are the beginning of an ongoing conversation and commitment around privacy and security at Timely. If you are a business owner and need to export your data, permanently delete your account, or have any questions about GDPR that aren't covered by these help guides, then please send us an email to: privacy@gettimely.com.