The GDPR FAQs
Here are our GDPR FAQs, where we'll help you get to grips with the nitty gritty of the regulation and answer some ResDiary specific GDPR questions.
What is it?
GDPR is the acronym for the General Data Protection Regulation, which applies from 25th May 2018. The GDPR covers any organisation that processes personal data relating to individuals in the EU, wherever that organisation is based. It changes how organisations treat the data they hold on individuals and, despite some confusion and negative opinions, it can benefit businesses: customer relationships become more personal, and the data you hold becomes cleaner and more valuable. Initially it might look difficult to get off the ground, but don’t be put off; it is something you need to do and it will benefit your business. Take a look at our e-book for a more extensive look at the GDPR.
What legislation do we have today?
In the UK, businesses currently operate under the Data Protection Act 1998, which was established before people had the online presence they do now.
The DPA lists the data protection principles in the following terms:
Why is it changing?
There is now a shift in the amount of data being produced. The GDPR will focus heavily on protecting individuals and their data. In our constantly expanding digital world, the GDPR will strengthen consumer privacy rights and clear up any uncertainty over the consent needed for using your customer’s data.
What happens in light of Brexit?
UK businesses will still have to comply with the GDPR because they interact with EU organisations and process the data of individuals in the EU. The regulation applies regardless of where the business itself is established.
What happens if I don’t comply?
In short, you may face much larger financial penalties. At the moment there is a £500K cap on monetary penalties for data protection breaches. Under the GDPR the penalty depends on how serious the infringement is, but the upper tier is 4% of your annual global turnover or €20 million (whichever is greater).
1. Wider definition of personal data
Personal information historically included name, address, contact details, bank information, and so on. With the GDPR, information like online identifiers (e.g. an IP address) will also be classed as personal data. Changes in technology, and ways that organisations collect information mean that a wider definition of personal data is needed.
2. Data subject rights
Data subjects have new rights, and these can be separated into three key areas.
a) Consent
Consent also relates to opting in to marketing information. Opting in to marketing communications from your restaurant must be voluntary, and you can no longer use a pre-ticked opt-in (or an automatic opt-in) as consent for communications. Consent must be a clear, affirmative action by the diner, and you must be able to show when and how it was given.
Please note that consent given does not last forever. Personal information will be retained for the purpose of making a booking and, if diners opt in, for marketing. Booking data can only be kept for a limited time, so you must ensure you have a retention policy in place (more on this below). For marketing, you should refresh opt-ins on a semi-regular basis.
b) Right of Access
Diners (data subjects) should be able to track any changes to the data held on them and request all information that a restaurant holds about them. Data subjects can request a free electronic copy of their data; the £10 admin fee venues were previously allowed to charge for this copy no longer applies, and you must respond without undue delay and within one month. Data subjects can also withdraw their consent at any time and have their data erased. Data protection should be an integral part of company policy.
c) Right to be Forgotten
Under the GDPR, an individual will be able to access their personal data and ask for it to “be forgotten”. When such a request is made, data controllers (venues or ResDiary) must erase the data subject’s personal data, cease using it, and instruct any third party they passed it to to do the same (if applicable), unless another legal obligation requires the data to be kept (for example accounting records).
3. Data Controllers v’s Data Processors
Under the GDPR, the responsibilities of data controllers versus processors have changed. Data controllers used to be the only party accountable for a breach. Now processors have direct obligations of their own, including keeping the data secure and notifying the controller of any breach without undue delay.
Data controller: determines the purposes and means of processing personal data.
Data processor: responsible for processing personal data on behalf of a controller.
It’s important to understand the difference between being a data controller and data processor. In the context of ResDiary, when bookings are made for a restaurant using ResDiary technology on any other digital platforms, via the ResDiary.com portal or the ResDiary Now app, then the restaurant, or partner, is responsible for tracking marketing preferences.
When a restaurant is the owner or controller of data, ResDiary is not responsible for how they use diners’ information. To learn more about how a restaurant may use such personal information, you should review its privacy notice.
4. Retention periods
You will need to:
5. Information Governance and Security
Data protection should be built into your systems and processes from the outset. This is “privacy by design and by default”. Under this principle, controllers must collect only the personal data they need and discard personal data that is no longer required.
6. Data Breach Notification
Data controllers must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The notification must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records affected), its likely consequences, the measures taken or proposed in response, and who to contact in the organisation, namely the Data Protection Officer. Where the breach is likely to result in a high risk to individuals, the affected individuals must be told as well.
This affects all companies that process the data of individuals in the EU, regardless of where the company itself is established.
Where is the data physically stored?
Data is stored securely in Microsoft Azure data centres throughout the world.
Will data be held in a Data centre only in Europe?
Data will be held in the data centre nearest to the location of your venues e.g. for EU this will be held in London, AU – New South Wales, China – HK, Asia – Singapore, North America – Illinois
How do you store/process data to ensure you are compliant?
To be compliant, an organisation must only store/process data:
This is what ResDiary currently does.
Who is the data shared with externally?
ResDiary doesn’t share diner data externally by default. The exceptions are where the diner has opted in themselves: if a customer books through a third party (e.g. Time Out), they may have opted in to that third party’s marketing list, in which case the data is stored on the third party’s systems too; and ResDiary shares data with external business partners or third-party initiatives only for particular offerings that diners have opted into.
How long is the data kept for?
The GDPR outlines that you need to know how long you’ve kept data for, so we’ve agreed our data retention period will be 18 months. This means we will delete subscribers to marketing after 18 months of inactivity. We will be giving you the tools to create your own retention policy. Please note that your policy may be different from ours or other venues, depending on the type of venue you are.
How can data be amended/supplemented?
You can do this via updates to the diner record on your ResDiary system. Please note that ResDiary offers a role-based permission system, through which you can control the members of your team who can update and track any changes.
When and how is the data deleted?
Data can be deleted upon request either by you or by us. Data can only be deleted by ResDiary if a diner booked on resdiary.com or the ResDiary Now app. If a diner booked via social media/a venue’s widget/website, then the restaurant must delete that customer’s data. A diner can contact ResDiary at firstname.lastname@example.org to delete their record.
Can we remove old/obsolete data – delete an audit trail?
You can delete customer records via Reports -> Customer List in ResDiary. We are looking to provide tools to allow either deletion or anonymisation of old data.
What back-up and security is available for the data held in ResDiary?
ResDiary is hosted on Microsoft Azure, which is used by thousands of organisations, including global enterprises.
Who is the point of contact at ResDiary in the event of a data breach?
The point of contact from ResDiary is the Marketing Director, Hari Farzin, who is also our Data Protection Officer. He will invoke the data control procedure with the Chief Technical Officer, Colin Winning, as required. Then we will report the breach to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. We will notify affected venues within 48 hours of becoming aware of the breach.
How would data be deleted in the event of us no longer working with your company?
Data will be deleted 18 months after a venue cancels their contract with ResDiary. This is in case you wish to return to ResDiary.
We will need to have explicit consent for use of personal data held for marketing, will this be a feature enabled for new guests created?
Yes, you will need explicit consent to market to individuals. We have already removed automatic opt-ins from our widgets, which is one aspect of becoming compliant. Other aspects relate to delivering clear and separate opt-ins for ResDiary and restaurants, and providing the appropriate audit trail of consent. This work is in progress and will be delivered over the coming months.
Should we delete data if a guest cancels?
If you have downloaded a guest’s email address from the system and the guest then cancels their booking, their data doesn’t need to be removed from your system. If they opted in to marketing communications they can still be marketed to, unless they withdraw that consent or ask for their data to be erased.
We’re part of a group of restaurants. What should we do?
If a guest booked for one restaurant you cannot use their details to promote all your sites since they didn’t opt in to communications from all sites. You may only advertise to them if they opted in to marketing communications to that site. The more specific you make your options for diners when opting in to communications, the better. We would advise you to separate your marketing by site. In the coming months, we will be creating tools to help you with this.
Are confirmation emails still okay to send?
Confirmation emails are classified as a service email, and these types of emails are still okay to send under the GDPR. It’s like a confirmation email you receive after making a purchase from your favourite online shop.
Are post-dining feedback emails okay to send?
Like confirmation emails, these are classified as service emails, and these types of emails are still okay to send under the GDPR. Our own terms also state that we shall “seek your feedback on the services we provide” and “collect data, including without limitation from you, with the purpose of improving the booking service and to provide feedback to the restaurant”. As a venue, you will also need to include information on post-dining feedback emails in your own terms and conditions.
Do I need to delete my marketing database?
We would recommend that you start afresh with your database, but that doesn’t mean deleting it altogether. Start by refreshing your opt ins. A low-risk strategy would be to email those who are engaged with your brand and ask them to update their marketing preferences. You can tell they are engaged if they have opened or clicked through on your emails. The remainder, you would delete. Under no circumstances contact those who previously unsubscribed to ask if they want to opt in again.
ResDiary will be including functionality to track when, how, and what consent was taken in giving customer information. After this, restaurants can contact their database to ask them to refresh opt-ins.
What steps you have taken to ensure your compliance with the regulation?
What contractual clauses do you have in place with us to ensure you are meeting your obligations under these regulations?
We will be working on a contractual agreement about data.
Who in your organisation can access the data held on our behalf and for what purpose?
Authorised users in our Customer Support and development teams can access diaries and data within diaries when necessary. This is normally only necessary when resolving issues on behalf of our restaurant operator customers.
Under the new GDPR guidelines, if we take a restaurant booking over the phone are we able to ask them if they wish us to opt-in to receive marketing emails and if they are happy for us to retain their information? Our query is what proof do we then have that they have agreed to this when it is just verbally over the phone?
Use a double opt-in for verbal consent to marketing, especially if a number of staff members take bookings over the phone. The diner’s email address is recorded with the marketing box ticked, and a confirmation email is then sent which the diner must act on before they are added to your marketing list. This way, even if a staff member ticked the marketing box by accident, no consent is recorded until the diner confirms electronically, and you hold a written, timestamped record of that confirmation, which is a far better position than verbal consent alone. In legal terms, consent has to be obtained clearly and the data controller (your venue) has to be able to demonstrate it, and a double opt-in gives you exactly that evidence.
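The double opt-in flow described above, written out as an added example (this is not ResDiary’s code or a description of its system). It does two things the answer calls for: the confirmation link carries a signed, expiring token so that a link cannot be edited to confirm consent for a different diner or venue, and every step is appended to a consent log that records when, how and what consent was taken. The secret key, the 7-day link lifetime and the in-memory store are assumptions for illustration; a real deployment would keep the secret in a secrets manager and the records in a database.

```python
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumptions for this example: a server-side secret and a 7-day link lifetime.
SECRET_KEY = b"example-only-replace-with-32-random-bytes"
TOKEN_TTL_SECONDS = 7 * 24 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, venue: str, purpose: str, issued_at: float) -> str:
    """Confirmation-link token: base64url(JSON claims) + '.' + HMAC-SHA256 tag.

    The tag binds email, venue, purpose and issue time, so the claims cannot be
    altered, and expiry is computed from the signed timestamp, not a client value.
    """
    claims = json.dumps({"email": email, "venue": venue, "purpose": purpose,
                         "iat": issued_at}, sort_keys=True, separators=(",", ":"))
    payload = claims.encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        body, tag = token.split(".", 1)
        payload, given = _unb64(body), _unb64(tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if now - claims["iat"] > TOKEN_TTL_SECONDS:
        return None
    return claims


@dataclass
class ConsentRecord:
    email: str
    venue: str                  # consent is per venue, not per restaurant group
    purpose: str                # e.g. "marketing"
    source: str                 # how the request was captured: "phone", "widget", ...
    requested_at: float
    confirmed_at: Optional[float] = None   # set only when the diner uses the link
    withdrawn_at: Optional[float] = None

    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentStore:
    """In-memory consent register plus an append-only audit trail of events."""

    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str, str], ConsentRecord] = {}
        self.events: List[dict] = []

    def _log(self, event: str, email: str, venue: str, purpose: str, at: float, **extra) -> None:
        self.events.append({"event": event, "email": email, "venue": venue,
                            "purpose": purpose, "at": at, **extra})

    def request(self, email: str, venue: str, purpose: str, source: str, now: float) -> str:
        """Step 1: staff tick the box on the phone booking. Nothing is active yet."""
        self.records[(email, venue, purpose)] = ConsentRecord(email, venue, purpose, source, now)
        self._log("requested", email, venue, purpose, now, source=source)
        return issue_token(email, venue, purpose, now)  # goes into the confirmation email

    def confirm(self, token: str, now: float) -> bool:
        """Step 2: the diner clicks the link. Only a valid, unexpired token activates consent."""
        claims = verify_token(token, now)
        if claims is None:
            self.events.append({"event": "rejected_token", "at": now})
            return False
        key = (claims["email"], claims["venue"], claims["purpose"])
        rec = self.records.get(key)
        if rec is None or rec.withdrawn_at is not None:  # a stale link cannot undo a withdrawal
            return False
        rec.confirmed_at = now
        self._log("confirmed", *key, now, method="double_opt_in_email")
        return True

    def withdraw(self, email: str, venue: str, purpose: str, now: float) -> None:
        rec = self.records.get((email, venue, purpose))
        if rec is not None:
            rec.withdrawn_at = now
            self._log("withdrawn", email, venue, purpose, now)

    def has_consent(self, email: str, venue: str, purpose: str) -> bool:
        rec = self.records.get((email, venue, purpose))
        return rec is not None and rec.active()

    def audit(self, email: str) -> List[dict]:
        """Everything recorded for one diner: when, how and what consent was taken."""
        return [e for e in self.events if e.get("email") == email]
```

Note that `has_consent` is keyed by venue, which is what the group-of-restaurants answer below requires: a confirmation for one site never grants consent for another.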
Where do I go to download the email addresses of customers that have booked who have hard opted in for future emails from my venue? Are we allowed to continue to contact the email addresses we have got from bookings pre the new hard opt in tick boxes?
Before you download any email addresses that you currently have you will need to refresh customers’ marketing preferences. Choose the customers that have interacted (clicked, opened etc) with your emails/marketing in the past year. By refreshing marketing preferences, you’ll have to send an email saying “Please update your marketing preferences” and if customers don’t respond you can take that as a “no I don’t want to refresh my marketing preferences”. Since they haven’t given explicit consent, you will have to remove them from your database.
The reason for this is that pre-ticked opt-ins/checkboxes for marketing are no longer allowed under the GDPR. This was how ResDiary obtained marketing consent previously on all our widgets, on the portal, and on our app. We have now changed this so that diners have to affirmatively tick a checkbox to show they have consented to receive marketing. At the moment we can’t see which of the two mechanisms a given diner used to opt in, so a low-risk strategy is to do as suggested above. Please note that you should not send the “refresh marketing preferences” email to anyone who has opted out of marketing from you; this is not in line with the GDPR nor with current data protection legislation.
Where can I download a copy of diner data we have stored on Resdiary?
This functionality is currently in the pipeline.
How can I make my database compliant?
1. Re-confirm marketing opt-ins: Release 11.8 will include an email template that you can use to refresh your opt-ins. Once you’ve waited for your diners to do this, you will then need to contact ResDiary to opt everyone out who isn’t compliant.
2. Opt out your marketing database with ResDiary: We suggest that consumers who do not respond to the re-permissioning email, or who have asked to unsubscribe, be removed from your marketing list. You can email GDPR@resdiary.com if you would like us to opt out your marketing database so you can start afresh. ResDiary will execute opt-outs on behalf of clients within ten working days of the email being sent.