Short Version: You should read this entire document. You should also consider browsing the Information Commissioner’s Office’s Guide to GDPR.
Long Version: This document covers how we handle sensitive data (such as data about you or customer data we host for you) at Booking Online Ltd (also known as Bouncy Castle Network / Sizzle). It also covers the things you should be aware of when dealing with your customers’ data. Ignoring the advice in this document could land you in legal trouble so we advise all Booking Online customers to read it thoroughly.
Contents:
- What is GDPR?
- How we handle your PERSONAL data
- How we handle your CUSTOMER data
- How YOU should handle your customer data
- Writing Your Privacy Policy
- Securing your devices
- Newsletters and marketing
1. What is GDPR?
Short Version: You have to store each customer’s data securely and you cannot use it for any reasons other than ones they explicitly agreed to.
Long Version: ‘General Data Protection Regulation’ is a new EU regulation, created in 2016 and in force from Friday May 25th 2018, which builds upon the current ‘Data Protection Act’ laws. Being compliant with current DPA regulations means that you may already have a head start on preparing for GDPR, but it is unlikely that you are fully compliant yet.
The new regulations have been brought in to protect consumers and their data, including how the data is handled and used by companies that they provide it to, whether at point of sale, hire, or in any other business agreement.
GDPR affects ANY organisation that collects personal data from customers. You collect personal data whenever someone buys from you or makes an enquiry. Some of this data (such as the customer’s name, address, phone numbers or email addresses) is classed as ‘sensitive’ because it can be used to identify an individual. Collecting or using this data requires businesses to take measures to ensure its security and to ensure that you do not use it incorrectly.
Failure to prepare for GDPR or failing to look after customer data properly can result in serious fines & penalties – serious enough to bankrupt many small businesses. It is very important that you comply as best as you can, and pay close attention to this document.
You can read a comprehensive guide to GDPR on the Information Commissioner’s Office’s website - it’s an authoritative (in the UK) guide to the intention of the legislation, but it is not an easy read.
Booking Online Ltd is not responsible for customers failing to uphold their end of the GDPR regulations – you are solely responsible for ensuring your compliance. This document has been written by Booking Online Ltd as a guide, to offer free advice to our customers and to explain our own use of data, but if you have concerns we advise speaking to a legal specialist – we are not one.
2. How we handle your PERSONAL data
Short Version: Your data is stored with a number of tech companies we use to provide our services. We take every possible action to keep it secure.
Long Version: Our data protection officer is Eddie Daniels - you can contact him by emailing [email protected]. He will answer any questions you have about how your data is used, and will respond to any requests to exercise your rights.
If you’re a customer of ours we need to store some of your personal data (such as your name and contact details) in order to carry out our duties as a website / software provider and to fulfil orders from our shop. We’ll keep your details for as long as you remain a customer, and for six years afterwards as required by HMRC (the UK’s tax office).
If you’re not a customer but you’ve opted in to receive marketing emails from us, we’ll store your email address but nothing else. If you opt out we’ll delete your records immediately. You can opt out whenever you like, by clicking the link in the footer of our marketing messages.
We regularly delete old messages from our email accounts, chat programs and social media accounts in order to avoid storing personal data for longer than needed.
We store personal data about our customers, and email addresses of ‘opted in’ non-customers, on our internal CRM (Customer Relationship Management) system, which is hosted with Rackspace. Booking Online staff have individual logins to this CRM, protected via authenticator apps on their mobile devices. Their level of access to your data depends on their role in the business.
Customer data might also be provided to the third parties below, and is protected by the privacy policies you can read on their websites. Booking Online staff only have access to third party systems relevant to their role in the business. Booking Online reserves the right to provide your data to other third parties if required for the continuous operation of your website, if you request it, or if needed for fraud prevention, insurance claims, or tax reporting purposes. Booking Online Ltd will never give or sell your details to any third party for their marketing purposes.
Some of your contact details are used for your domain name registration, which is usually with Fasthosts. We also use and provide email accounts through Fastmail. We occasionally send newsletters through Campaign Monitor and need to use your email address to do so. You might sign up for an account with Worldpay to allow online transactions through your site. If you instigate a ‘live chat’ with us, that data is stored with Jivo. Some of your data is replicated to our internal support system, provided by Freshdesk, and to our address lookup provider (for Postcode or Eircode lookups) Allies Computing Ltd. We use a few providers to collect payments from customers - EazyCollect, Stripe, Worldpay and Paypal.
Your rights under GDPR:
- The right to be informed: The document you are reading details our use of your data. We will regularly revisit it to make sure of its accuracy. If you have any questions or suggestions, please contact us.
- Right to Erasure: We need to store your details while you’re our customer, and we need to keep some records for six years after that for tax purposes. After that period we will automatically anonymise your personal data and delete any records of our communications. We can remove non-essential data at your request. If you haven’t been our customer in the last six years, and you haven’t opted in to marketing, we probably don’t have any of your personal data anyway - but we’re happy to search if you ask.
- Right to data portability: On request we can provide any personal data we store on you in a universal format like a CSV file or Word document. We probably don’t store any more data than you’d imagine. You can export your customer and product data from your booking system into a CSV file whenever you like, to import to any other provider.
- Right to rectification: If you have access to a Booking Online website you can update your personal data from its ‘Account’ tab, or else you can contact us to make amendments. We strive to ensure that any data we store is as accurate as possible.
- Right to restrict processing: If you’re concerned about the accuracy or use of any of the data we store about you, you can ask us to restrict its processing until we have verified its accuracy and our right to use it.
- Automated decision making and profiling: We do not profile our customers or non-customers beyond the information they provide to us directly, and we do not buy data. The only factors we use in our marketing and advertising efforts are your country of operation and your history of purchases with us.
3. How we handle your CUSTOMER data
Short Version: Booking Online staff only access your customer data when needed to help you use the system or to fix bugs. Third parties involved with hosting your website or emails can also access the data.
Long Version: Your customers’ data is held on a database specific to your site, hosted with Rackspace. You create your own usernames and passwords for your site, which we cannot retrieve, and you can control access to your customer data this way. It is your responsibility to protect your username and password. Booking Online staff may also access your customer data, in the following circumstances:
- Developers might access your database when they need to build or maintain your site, or to fix technical bugs.
- Support Staff only view your customer data if you give them permission, to resolve a problem you have reported.
If we create your Fastmail email account, we also have access to its messages by default. We can lock ourselves out, if requested, but will be unable to help diagnose any email issues until you unlock it.
Some third party providers might also have copies of your customer data. For example, you might have live chats with Jivo, accept payments with Paypal or Worldpay, or use any number of other third party systems (including social media, email hosts, website widgets, etc). It is your responsibility to be aware of the other third parties who might have access to your customers’ data.
Once you are no longer our customer we will keep your data (your database and uploaded files) for one year, unless you ask us to delete it earlier. If you want to keep the booking data after you close your website (and you should, for tax and insurance reasons) you should export it from our system and back the file up securely. We will delete any email accounts we host for you within one week.
4. How YOU should handle your customer data
Short Version: Keeping your customer data safe is your responsibility. You need to keep records of who can access the data, and you need to make it very clear to your customers. Your customers can ask you to remove their data (but you might not have to) or stop marketing to them (which you do).
Long Version: Company owners are responsible for ensuring they are prepared for GDPR regulations – charities, non-profits, SMEs and sole traders must all prepare for GDPR, not just large companies.
Although your customer data is held on third party servers it still falls to you, the business owner, to keep the data safe. This is because you are obtaining, processing & storing the data for your own purposes. Rackspace, Fastmail, Booking Online and similar are ‘Data Processors’, while you are the ‘Data Controller’.
If you hire extra staff who can also access your system:
You MUST state in your privacy policy that employees are granted access to the system (if this is the case) and therefore, have access to customer data that you hold. You should keep a concise record of the names & details of any member of staff granted access to your system.
YOU MUST ENSURE YOUR DEVICES & SYSTEMS ARE SECURE AND UNDERSTAND WHO HAS ACCESS TO THEM
Right to be forgotten (or ‘Right to erasure’):
The right to be forgotten, or right to erasure, is a new right under GDPR which details an individual’s ability to request to be ‘forgotten’ - to be removed from a company’s database entirely - once the company no longer needs to keep their details.
However, you need to store your customer details for tax and insurance purposes. This conflicts with the ‘right to be forgotten’ because you are legally required to keep the data for at least some period - six years for the UK’s tax office. If a customer asks you to delete their data, but you need to keep it for a non-marketing reason, you can refuse - make sure to explain the reason behind your refusal. If you’re in any doubt you should contact the ICO.
Your Booking Online system has the ability to automatically wipe private data from bookings over a certain age. This will remove all personally-identifying information from the booking, as well as all correspondence, any scheduled emails, and any log entries. This lets you automatically purge sensitive data from the system once you no longer need it. For UK businesses we advise setting this to anonymise bookings older than seven years, one year longer than required for the tax office. You might want to ask your insurance providers how long they require you to keep data.
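To make the anonymisation behaviour described above concrete, here is an added example in Python. It is illustrative code written for this guide, not Booking Online’s own implementation: the Booking record, its field names, the seven-year default and the sample bookings are all constructed for the example. It blanks the identifying fields and wipes correspondence, scheduled emails and log entries for bookings older than the retention period, while keeping the booking id, date, amount and items so the financial record still exists for a tax or insurance audit.

```python
"""Added example: retention-based anonymisation of booking records.

Illustrative code, not Booking Online's own implementation. The Booking
dataclass, its field names and SAMPLE_BOOKINGS are constructed for the example.
"""
from dataclasses import dataclass, field, replace
from datetime import date
from typing import List, Optional

PII_FIELDS = ("customer_name", "email", "phone", "address")
AS_OF = date(2025, 6, 1)  # constructed "today" used by the sample run


@dataclass
class Booking:
    booking_id: int
    event_date: date
    total_gbp: float
    items: List[str]
    customer_name: Optional[str]
    email: Optional[str]
    phone: Optional[str]
    address: Optional[str]
    correspondence: List[str] = field(default_factory=list)
    scheduled_emails: List[str] = field(default_factory=list)
    log_entries: List[str] = field(default_factory=list)
    anonymised: bool = False


def retention_cutoff(today: date, retention_years: int) -> date:
    """Date before which a booking is outside the retention period."""
    try:
        return today.replace(year=today.year - retention_years)
    except ValueError:  # today is 29 February and the target year is not a leap year
        return today.replace(year=today.year - retention_years, day=28)


def anonymise(booking: Booking) -> Booking:
    """Return a copy with PII, correspondence, scheduled emails and logs removed.

    The id, event date, amount and items are deliberately kept: they are the
    non-identifying financial record that tax and insurance rules require.
    """
    return replace(
        booking,
        customer_name=None, email=None, phone=None, address=None,
        correspondence=[], scheduled_emails=[], log_entries=[],
        anonymised=True,
    )


def purge_old_bookings(bookings: List[Booking], today: date,
                       retention_years: int = 7) -> List[Booking]:
    """Anonymise every booking whose event date is older than the retention period.

    Bookings inside the window, and bookings already anonymised, are returned
    unchanged, so this can run on a schedule without touching current records.
    """
    cutoff = retention_cutoff(today, retention_years)
    return [anonymise(b) if b.event_date < cutoff and not b.anonymised else b
            for b in bookings]


def pii_still_present(bookings: List[Booking], today: date,
                      retention_years: int = 7) -> List[int]:
    """IDs of out-of-retention bookings that still carry PII (empty after a purge)."""
    cutoff = retention_cutoff(today, retention_years)
    return [
        b.booking_id for b in bookings
        if b.event_date < cutoff
        and (any(getattr(b, f) is not None for f in PII_FIELDS)
             or b.correspondence or b.scheduled_emails or b.log_entries)
    ]


# Constructed sample data: two bookings outside the 7-year window, two inside.
SAMPLE_BOOKINGS = [
    Booking(101, date(2017, 8, 12), 180.0, ["Bouncy castle (large)"],
            "A. Example", "a.example@example.invalid", "07700 900001", "1 Sample Street",
            correspondence=["Confirmation sent"], log_entries=["created by admin"]),
    Booking(102, date(2018, 5, 31), 95.0, ["Soft play set"],
            "B. Example", "b.example@example.invalid", "07700 900002", "2 Sample Street"),
    Booking(103, date(2018, 6, 1), 95.0, ["Soft play set"],
            "C. Example", "c.example@example.invalid", "07700 900003", "3 Sample Street"),
    Booking(104, date(2024, 3, 10), 250.0, ["Bouncy castle (large)", "Generator"],
            "D. Example", "d.example@example.invalid", "07700 900004", "4 Sample Street",
            scheduled_emails=["Reminder 7 days before"]),
]

if __name__ == "__main__":
    purged = purge_old_bookings(SAMPLE_BOOKINGS, AS_OF)
    for b in purged:
        print(b.booking_id, b.event_date, b.total_gbp, b.customer_name, b.anonymised)
    print("out-of-retention bookings still holding PII:", pii_still_present(purged, AS_OF))
```

The `pii_still_present` check is the part worth keeping in a real system: run it after each purge and treat a non-empty result as a failed job, because a booking that slipped past the cutoff with its contact details intact is exactly what an auditor would look for.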
You may wish to add a note to your calendar to delete old emails and social media conversations on a regular basis.
Subject Access Requests:
Any customer has the right to view / understand the data you hold about them, and this can be made using a ‘subject access request’.
SARs must be made in writing - email, social media or pen and paper are all fine. You need to be sure that you’re talking to the right person, but you cannot ask them a large number of questions to make sure they are. For example, you might ask them to email from a known address, or call from a known number.
Once confirmed you can give them any details you hold about them in your system.
5. Writing Your Privacy Policy:
A privacy policy needs to be included on your website to make sure that your customers understand what data you store, where it is kept, who can access it, and how it is used.
It should cover each of the following topics:
- Who is responsible for customer data?
- Who is your company’s ‘data protection officer’?
This is the person who is in charge of ensuring that data is protected properly. For most small businesses this should be the company owner or director.
- How can someone contact you?
Give your full company contact details.
- Why do you process and store customer data?
- You collect it because you need it in order to complete a sale.
- You store it for tax and insurance reasons.
- You might also market to customers who have ‘opted in’ to hear from you.
- You should not process or store personal data for any other reasons.
- How long will you keep the data?
- You probably need to keep it for 4-5 years for tax / insurance purposes.
- After that time it can be deleted, if the customer requests.
- Who has access to the customer data?
- The company owner(s) definitely do.
- Do any members of staff?
- The companies involved in hosting your website and emails.
- Nobody else should have any access.
- Who might customer data be shared with?
- Insurance companies, in case of an accident.
- The tax man, in case of an audit.
- You should not share the data with anyone else.
- How can a customer find out what you store about them?
- They can get in touch with you and you will tell them.
- How can a customer ask you to delete their data?
- They can get in touch with you.
- You might not be able to delete data which is required for tax / insurance.
- How can a customer opt in or out of marketing?
- They can email you or give you a call.
- They can click opt-out links in emails you send to them.
- How does your website use cookies?
- If your site has online bookings or ecommerce features then cookies are used to keep track of those processes.
- If you use social media or analytics scripts (i.e. Facebook integration or Google Analytics) they will have their own cookie policies.
- Who can they complain to if their data is misused?
- In the UK: The Information Commissioner’s Office (ICO).
- Other countries will have different authorities.
A more detailed version of this list is available on the ICO website.
Your site contains an example Privacy Policy which contains most of the important points you need to cover - you can create it automatically from the ‘Settings > GDPR / Data Protection’ page.
Do not just copy and paste the policy onto your website without reading and understanding it. It contains example data you will need to change.
6. Securing your devices
Securing your data and any devices you use to access the data is an important part of becoming GDPR compliant – in the case of a data breach an auditor would check your security measures FIRST.
Below is a check-list which should be followed to ensure you are doing everything you can to keep your customers’ data as safe as possible.
Mobile Devices / Computers & Laptops:
- Create strong, random-looking passwords.
- Do not reuse passwords - a password manager like LastPass will help with this.
- Protect with a PIN, fingerprint, password or a combination of these.
- Do not use your birthday, house number, postcode, name, or any other guessable information.
- Only install apps from reputable publishers.
- Regularly clear out old documents, downloads, and caches.
- Do not log into sensitive systems from devices you do not control.
- Set up a ‘Find My Device’ feature so you can remotely wipe your device if you lose it.
- Encrypt your device so it requires a password when booting.
- Set to automatically lock when idle.
- Keep the operating system and applications up-to-date.
Your Booking Online Website / Booking System
- Do not log highly sensitive data like passwords, bank account details, or access codes.
- Do not store any data about children.
- Complete the GDPR checklist under ‘Settings > GDPR / Data Protection’.
Email Accounts, Social Media:
- Use strong, unique passwords.
- Use ‘App Passwords’ when adding email accounts to mobile devices, so you can prevent access if the device is lost.
- Do not send highly sensitive data (eg passwords) over these channels.
- Do not share customer data on your profile.
- Regularly wipe old messages.
- Regularly remove old contacts.
Printed / Written Data
- Shred when no longer needed.
- Store in a locked cabinet.
- Keep organised and regularly shred old documents.
Other People
- Do not tell people your passwords.
- Remove old staff members’ accounts.
- Verify contact identities before sharing customer data.
7. Newsletters and Marketing
Under GDPR regulations you can only send marketing emails or text messages to individuals who have knowingly ‘opted in’. In the majority of cases this will not describe most of your customers.
If you feel like your customers have explicitly ‘opted in’, you should be able to answer ‘yes’ to the following questions:
- Did the customer select an option to say they agreed to receive marketing emails or text messages?
- Was the option un-selected by default?
- Could the customer have continued with their order without choosing ‘yes’?
If you are 100% sure that the customer ‘opted in’, you can continue to market to them. You might want to get in touch with Booking Online so we can bulk-add your opt-ins to your website. Otherwise, you should follow the steps below to ensure your compliance with the law.
You can email your existing customer base to ask them if they’d like to opt in to your marketing. We have created a system for you to do this, under the ‘Settings’ tab of your site, then ‘GDPR / Data Protection’.
New visitors who use your Booking Online website to place an order will be given the choice to opt into marketing materials. Your site will store a list of ‘opted in’ customers and will not let you send marketing material to addresses not found on that list.
Once a customer has opted in, you can send marketing materials to them. If they opt out again, you must stop immediately. We advise using the ‘Bulk Email’ and ‘Newsletter’ systems on your Booking Online website, as these will automatically honour the customers’ marketing preferences.
Just because a customer opts out of marketing does not mean you have to delete all their details.
What counts as ‘marketing’?
Any emails sent after the customer’s order has been fulfilled, for the sake of attracting more business, are marketing emails. By default, your Booking Online website will prevent you from bulk-emailing, or scheduled-emailing, any customers who have not opted in and whose booking was more than one week ago.
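The opt-in questions earlier in this section and the one-week bulk-email rule just described are, together, a small decision procedure. Here is an added example in Python that encodes it. This is illustrative code written for this guide, not Booking Online’s own implementation: the Customer and Consent records, their field names and the sample customers are constructed for the example. An opt-in only counts if all three questions are answered ‘yes’; an opt-out later than the opt-in stops marketing immediately; and a customer with no valid opt-in is still reachable by bulk email only while their booking is within the last week.

```python
"""Added example: gating bulk email on marketing consent.

Illustrative code, not Booking Online's own implementation. Customer, Consent
and SAMPLE_CUSTOMERS are constructed for the example; the three consent
conditions and the one-week window follow the rules described in section 7.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

TRANSACTIONAL_WINDOW = timedelta(days=7)
AS_OF = date(2025, 6, 1)  # constructed "today" used by the sample run


@dataclass(frozen=True)
class Consent:
    given_on: date
    explicit_selection: bool     # the customer actively chose the option
    unselected_by_default: bool  # the option was not pre-ticked
    optional_to_proceed: bool    # the order could complete without saying yes


@dataclass(frozen=True)
class Customer:
    email: str
    last_booking: date
    consent: Optional[Consent] = None
    opted_out_on: Optional[date] = None


def consent_is_valid(consent: Optional[Consent]) -> bool:
    """An opt-in only counts if all three conditions hold."""
    if consent is None:
        return False
    return (consent.explicit_selection
            and consent.unselected_by_default
            and consent.optional_to_proceed)


def marketing_status(customer: Customer, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason) for sending this customer a marketing email."""
    opted_out = customer.opted_out_on is not None and (
        customer.consent is None or customer.opted_out_on >= customer.consent.given_on
    )
    if opted_out:
        return False, "opted out"            # a later opt-out overrides any opt-in
    if consent_is_valid(customer.consent):
        return True, "valid opt-in"
    if today - customer.last_booking <= TRANSACTIONAL_WINDOW:
        return True, "booking within the last week"
    if customer.consent is not None:
        return False, "opt-in does not meet the three conditions"
    return False, "never opted in"


def bulk_email_recipients(customers: List[Customer], today: date) -> List[str]:
    """Addresses a bulk email may go to; everyone else is silently excluded."""
    return [c.email for c in customers if marketing_status(c, today)[0]]


# Constructed sample customers covering each branch of the decision.
_valid = Consent(date(2024, 1, 10), True, True, True)
SAMPLE_CUSTOMERS = [
    Customer("valid@example.invalid", date(2024, 1, 10), consent=_valid),
    Customer("preticked@example.invalid", date(2024, 2, 2),
             consent=Consent(date(2024, 2, 2), True, False, True)),
    Customer("recent@example.invalid", date(2025, 5, 28)),
    Customer("stale@example.invalid", date(2025, 5, 20)),
    Customer("optedout@example.invalid", date(2024, 3, 1),
             consent=Consent(date(2024, 3, 1), True, True, True),
             opted_out_on=date(2024, 9, 15)),
    Customer("reoptedin@example.invalid", date(2025, 2, 1),
             consent=Consent(date(2025, 2, 1), True, True, True),
             opted_out_on=date(2024, 9, 15)),
]

if __name__ == "__main__":
    for c in SAMPLE_CUSTOMERS:
        print(c.email, marketing_status(c, AS_OF))
    print("recipients:", bulk_email_recipients(SAMPLE_CUSTOMERS, AS_OF))
```

Keeping the dates on both the opt-in and the opt-out is what makes the re-opt-in case work: without them, a customer who opted out once could never be marketed to again even after consenting afresh, or, worse, an old opt-in could silently outlive a newer opt-out.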