Data Protection, Privacy, & GDPR

Booking Online Ltd's guidance RE data protection and privacy

Short Version: You should read this entire document. You should also consider browsing the Information Commissioner’s Office’s Guide to GDPR.

Long Version: This document covers how we handle sensitive data (such as data about you or customer data we host for you) at Booking Online Ltd (also known as Bouncy Castle Network / Sizzle). It also covers the things you should be aware of when dealing with your customers’ data. Ignoring the advice in this document could land you in legal trouble so we advise all Booking Online customers to read it thoroughly.

Contents:

  1. What is GDPR?
  2. How we handle your PERSONAL data
  3. How we handle your CUSTOMER data
  4. How YOU should handle your customer data
  5. Writing Your Privacy Policy
  6. Securing your devices
  7. Newsletters and marketing

1. What is GDPR?

Short Version: You have to store each customer’s data securely and you cannot use it for any reasons other than ones they explictly agreed to.

Long Version: ‘General Data Protection Regulation’ is a new EU regulation, created in 2016 and in force from Friday May 25th 2018 which builds upon the current ‘Data Protection Act’ laws. Being compliant to current DPA regulations means that you may already have a head start on preparing for GDPR, but it is unlikely that you are fully compliant yet.

The new regulations have been bought in to protect consumers and their data, including how the data is handled and used by companies that they provide it to, whether at point of sale, hire, or in any other business agreement.

GDPR affects ANY organisation that collects personal data from customers. You collect personal data whenever someone buys from you or makes an enquiry. Some of this data (such as the customer’s name, address, phone numbers or email addresses) is classed as ‘sensitive’ because it can be used to identify an individual. Collecting or using this data requires businesses to take measures to ensure its security and to ensure that you do not use it incorrectly.

Failure to prepare for GDPR or failing to look after customer data properly can result in serious fines & penalties – serious enough to bankrupt many small businesses. It is very important that you comply as best as you can, and pay close attention to this document.

You can read a comprehensive guide to GDPR on the Information Commissioner’s Office’s website (click here) - it’s an authoritative (in the UK) guide to the intention of the legislation, but it is not an easy read.

Booking Online Ltd is not responsible for customers failing to uphold their end of the GDPR regulations – you are solely responsible for ensuring your compliance. This document has been written by Booking Online Ltd as a guide, to offer free advice to our customers and to explain our own use of data, but if you have concerns we advise speaking to a legal specialist – we are not one.

2. How we handle your PERSONAL data

Short Version: Your data is stored with a number of tech companies we use to provide our services. We take every possible action to keep it secure.

Long Version: Our data protection officer is Eddie Daniels - you can contact him by emailing [email protected]. He will answer any questions you have about how your data is used, and will respond to any requests to exercise your rights.

If you’re a customer of ours we need to store some of your personal data (such as your name and contact details) in order to carry out our duties as a website / software provider and to fulfil orders from our shop. We’ll keep your details for as long as you remain a customer, and for six years afterwards as required by HMRC (the UK’s tax office).

If you’re not a customer but you’ve opted in to receive marketing emails from us, we’ll store your email address but nothing else. If you opt out we’ll delete your records immediately. You can opt out whenever you like, by clicking the link in the footer of our marketing messages.

We regularly delete old messages from our email accounts, chat programs and social media accounts in order to avoid storing personal data for longer than needed.

We store personal data about our customers, and email addresses of ‘opted in’ non-customers on our internal CRM (Customer Relationships Manager) system, which is hosted with Rackspace. Booking Online staff have individual logins to this CRM, protected via authenticator apps on their mobile devices. Their level of access to your data depends on their role in the business.

Customer data might also be provided to the third parties below, and is protected by the privacy policies you can read on their websites. Booking Online staff only have access to third party systems relevant to their role in the business. Booking Online reserves the right to provide your data to other third parties if required for the continuous operation of your website, if you request it, or if needed for fraud prevention, insurance claims, or tax reporting purposes. Booking Online Ltd will never give or sell your details to any third party for their marketing purposes.

Some of your contact details are used for your domain name registration, which is usually with Fasthosts. We also use and provide email accounts through Fastmail. We occasionally send newsletters through Campaign Monitor and need to use your email address to do so. You might sign up for an account with Worldpay to allow online transactions through your site. If you instigate a ‘live chat’ with us, that data is stored with Jivo. Some of your data is replicated to our internal support system, provided by Freshdesk, and to our address lookup provider (for Postcode or Eircode lookups) Allies Computing Ltd. We use a few providers to collect payments from customers - EazyCollect, Stripe, Worldpay and Paypal.

Your rights under GDPR:

3. How we handle your CUSTOMER data

Short Version: Booking Online staff only access your customer data when needed to help you use the system or to fix bugs. Third parties involved with hosting your website or emails can also access the data.

Long Version: Your customers’ data is held on a database specific to your site, hosted with Rackspace. You create your own usernames and passwords for your site, which we cannot retrieve, and you can control access to your customer data this way. It is your responsibility to protect your username and password. Booking Online staff may also access your customer data, in the following circumstances:

If we create your Fastmail email account, we also have access to its messages by default. We can lock ourselves out, if requested, but will be unable to help diagnose any email issues until you unlock it.

Some third party providers might also have copies of your customer data. For example, you might have live chats with Jivo, accept payments with Paypal or Worldpay, or use any number of other third party systems (including social media, email hosts, website widgets, etc). It is your responsibility to be aware of the other third parties who might have access to your customers’ data.

Once you are no longer our customer we will keep your data (your database and uploaded files) for one year, unless you ask us to delete it earlier. If you want to keep the booking data after you close your website (and you should, for tax and insurance reasons) you should export them from our system and back the file up securely. We will delete any email accounts we host for you within one week.

4. How YOU should handle your customer data

*Short Version: Keeping your customer data safe is your responsibility. You need to keep records of who can access the data, and you need to make it very clear to your customers. Your customers can ask you to remove their data (but you might not have to) or stop marketing to them (which you do).

Long Version: Company owners are responsible for ensuring they are prepared for GDPR regulations – Charities, non-profit, SMEs and sole traders must all prepare for GDPR, not just large companies.

Although your customer data is held on third party servers it still falls to you, the business owner, to keep the data safe. This is because you are obtaining, processing & storing the data for your own purposes. Rackspace, Fastmail, Booking Online and similar are ‘Data Processors’, while you are the ‘Data Controller’.

If you hire extra staff who can also access your system:

You MUST state in your privacy policy that employees are granted access to the system (if this is the case) and therefore, have access to customer data that you hold. You should keep a concise record of the names & details of any member of staff granted access to your system.

YOU MUST ENSURE YOUR DEVICES & SYSTEMS ARE SECURE AND UNDERSTAND WHO HAS ACCESS TO THEM

Right to be forgotten (or ‘Right to erasure’):

The right to be forgotten, or right to erasure, is a new right under GDPR which details an individual’s ability to request to be ‘forgotten’ - to be removed from a company’s database entirely - once the company no longer needs to keep their details.

However, you need to store your customer details for tax and insurance purposes. This conflicts with the ‘right to be forgotten’ because you are legally required to keep the data for at least some period - six years for the UK’s tax office. If a customer asks you to delete their data, but you need to keep it for a non-marketing reason, you can refuse - make sure to explain the reason behind your refusal. If you’re in any doubt you should contact the ICO.

Your Booking Online system has the ability to automatically wipe private data from bookings over a certain age. This will remove all personally-identifying information from the booking, as well as all correspondence, any scheduled emails, and any log entries. This lets you automatically purge sensitive data from the system once you no longer need it. For UK businesses we advise setting this to anonymise bookings older than seven years old, one year longer than required for the tax office. You might want to ask your insurance providers how long they require you to keep data.

You may wish to add a note to your calendar to delete old emails and social media conversations on a regular basis.

Subject Access Requests:

Any customer has the right to view / understand the data you hold about them, and this can be made using a ‘subject access request’.

SARs must be made in writing - email, social media or pen and paper are all fine. You need to be sure that you’re talking to the right person, but you cannot ask them a large amount of questions to make sure they are. For example, you might ask them to email from a known address, or call from a known number.

Once confirmed you can give them any details you hold about them in your system.

5. Writing Your Privacy Policy:

A privacy policy needs to be included on your website to make sure that your customers understand what data you store, where it is kept, who can access it, and how it is used.

It should cover each of the following topics:

Click here to read a more detailed version of this list on the ICO website.

Your site contains an example Privacy Policy which contains most of the important points you need to cover - you can create it automatically from the ‘Settings > GDPR / Data Protection’ page.

Do not just copy and paste the policy onto your website without reading and understanding it. It contains example data you will need to change.

6. Securing your devices

Securing your data and any devices you use to access the data is an important part of becoming GDPR compliant – In the case of a data breach an auditor would check your security measures FIRST.

Below is a check-list which should be followed to ensure you are doing everything you can to keep your customers data as safe as possible.

Mobile Devices / Computers & Laptops:

Your Booking Online Website / Booking System

Email Accounts, Social Media:

Printed / Written Data

Other People

7. Newsletters and Marketing

Under GDPR regulations you can only send marketing emails or text messages to individuals who have knowingly ‘opted in’. In the majority of cases this will not describe most of your customers.

If you feel like your customers have explictly ‘opted in’, you should be able to answer ‘yes’ to the following questions:

  1. Did the customer select an option to say they agreed to receive marketing emails or text messages?
  2. Was the option un-selected by default?
  3. Could the customer have continued with their order without choosing ‘yes’?

If you are 100% sure that the customer ‘opted in’, you can continue to market to them. You might want to get in touch with Booking Online so we can bulk-add your opt-ins to your website. Otherwise, you should follow the following steps to ensure your compliance with the law.

You can email your existing customer base to ask them if they’d like to opt in to your marketing. We have created a system for you to do this, under the ‘Settings’ tab of your site, then ‘GDPR / Data Protection’.

New visitors who use your Booking Online website to place an order will be given the choice to opt into marketing materials. Your site will store a list of ‘opted in’ customers and will not let you send marketing material to addresses not found on that list.

Once a customer has opted in, you can send marketing materials to them. If they opt out again, you must stop immediately. We advise using the ‘Bulk Email’ and ‘Newsletter’ systems on your Booking Online website, as these will automatically honour the customers’ marketing preferences.

Just because a customer opts out of marketing does not mean you have to delete all their details.

What counts as ‘marketing’?

Any emails sent after the customers’ order has been fulfilled, for the sake of attracting more business, are marketing emails. By default, your Booking Online website will prevent you from bulk-emailing, or scheduled-emailing, any customers who have not opted in and whose booking was more than one week ago.