Disclaimer: The contents of this guide and other related GDPR guides are for general information purposes only and do not constitute legal advice. We recommend talking with your lawyer, or seeking legal advice, about what your business needs to do to be compliant.
The EU General Data Protection Regulation (“GDPR”) comes into effect on May 25, 2018 and will replace the existing EU data protection law.
Historically, many companies have treated personal information as a limitless resource they could tap into, with little regard for the rights of individuals involved.
GDPR gives individuals control over how their personal information is stored and used by companies.
The GDPR is an excellent starting point when it comes to reviewing privacy and security practices. It’s only the beginning of a wider conversation and commitment.
If you collect, store or otherwise manage the personal information of individuals who live in the European Union, even if you don't have an entity or presence in the EU, then the GDPR will apply to you.
Want to find out more about the GDPR? We recommend checking out the official GDPR website or the Information Commissioner's Office (ICO) website.
What is personal information?
Personal information is "any data relating to an identified or identifiable natural person*". It includes information or references to an individual's name, contact details, location and IP address. It also includes less obvious things such as personal opinions, as well as preferences or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Sensitive personal data is a special category of personal data. This includes information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation and health information.
* These requirements around processing personal information only apply to living persons.
Controller vs Processor
It’s important to understand your role with the GDPR, as that determines what actions you need to take to be compliant. There are two key roles: Controllers and Processors.
- Controller: A business or entity that collects and stores personal information relating to an individual, for a specific purpose. It is the Controller’s responsibility both to obtain informed and explicit consent from the individual, and to ensure that they (and any services, systems or processes that they use) comply with the regulations. This is you, as the business owner and Timely customer.
- Processor: A third-party service or system that operates on behalf of the Controller to store or process personal data as part of the service delivery process. This is Timely, and any other services you share customer information with (e.g. MailChimp, Xero, Google Calendar etc.).
Your business as a Controller
To comply with GDPR, you will need to fulfil your obligations as a Controller:
- You must have a legal basis for collecting personal information as part of your service delivery.
- You must communicate to customers how their data is being processed, why it’s being processed, from which sources that information was/is taken and under which circumstances. This must be explained in an understandable and accessible way, using simple and clear language.
- You must ensure that any services that you use as part of your service delivery (Processors) are also compliant with the regulations.
- You must collect and record explicit and informed consent from your customers, to be allowed to send them marketing messages (SMS and email).
To support you in being compliant as a Controller, we have the following functions in Timely:
If you have MailChimp connected, customers will see the option to subscribe to your email marketing when booking online. This won’t be checked by default, so customers will need to manually opt-in using the checkbox provided.
Customers won’t be automatically opted in to your SMS marketing (bulk SMS) list. If the customer consents to being opted in, you can update their settings individually to ensure they receive those messages.
Check out our How to record marketing consent guide for more information.
Complying with personal information requests
Under GDPR, there are specific rights that customers have regarding their personal data.
These are based around some key Data Protection Principles. Find out more about the Data Protection Principles.
Some key concepts from those principles are:
- The right to be informed.
- The right of access and the right to data portability.
- The right of erasure/the right to be forgotten.
- The right to restrict processing and the right to object.
Our How to manage personal information requests guide explains those rights in more detail, with some more information on how to comply with any requests from customers.
What other responsibilities do you have?
While Timely is ensuring our systems and processes are compliant with GDPR, you have a responsibility as a Controller to make sure your business practices are also compliant. This includes the way you and your staff use Timely.
For instance, if a staff member downloads or exports your customer list and contacts those clients directly, this would be viewed as a data privacy breach. The same would apply if you decided to share your customer list or clients' personal information with another provider without communicating this to the individuals involved or seeking their consent.
We recommend talking with your lawyer, or seeking legal advice, about what your business needs to do to be compliant. Here are some things to think about:
- Review all of your systems and processes around personal information. Are they all necessary? Is there anything you need to stop doing, or change, to be compliant? You will need to communicate this to customers, so documenting this as you go will make that process easier.
- Make sure that all of the services you use in your business (Processors) are also GDPR compliant. Understand how they process your information, where it is stored and how you can exercise your rights, e.g. where and how you access or update information to comply with personal information requests.
- Educate your staff about GDPR, what rights individuals have and the legal basis for collecting and using personal information. Reiterate the importance of using personal information sparingly and only when necessary.
- Review your current staff access settings: what information do your staff really need access to? See our How to restrict staff access guide.
Timely as a Processor
While protecting our customer’s information has always been a high priority for us at Timely, we’ve used this opportunity to review all of our systems and processes around collecting, storing and processing personal information.
In light of this, we have made the following changes:
- Nominated a Data Protection Officer.
- Provided a Data Processing Agreement, which our EU customers can choose to sign. If you're interested in signing this, please reach out to us on [email protected].
- Ensured that all of the services we use as part of delivering Timely to you (sub-processors) are also compliant (List of Timely sub-processors).
- Made changes to the Timely product to allow you to manage consent and comply with personal information requests easily.
These changes are the beginning of an ongoing conversation and commitment around privacy and security at Timely.
If you are a business owner and need to export your data, permanently delete your account or have any questions about GDPR that aren't covered by these help guides, then please send us an email to: [email protected].