Preparing for GDPR
The May 25th General Data Protection Regulation (GDPR) deadline is looming. If you’re running a retail store, cafe, hotel or other public-facing business, here are some key facts.
You’re Already Collecting Personal Data
If you’re offering WiFi, you’re already collecting personal data - MAC addresses. If you’re not collecting them, your provider will be. You might be collecting other personal data, including email addresses.
Six Things You Must Do Before May 25
- Ensure your WiFi provider has implemented GDPR ‘friendly’ terms.
- Add your own terms, sub-processors and cookie policies to your site.
- Add an opt-in checkbox wherever you’re capturing customer data.
- Add a cookie consent form to your site (and splash pages).
- Determine if you’re a controller or processor of the data.
- Email all your existing customers and ask them to reconfirm consent.
Whose responsibility is it?
So you’re running a public WiFi network? Staying compliant isn’t that hard. What you need to do depends on how you’ve set up your splash pages and who operates them. Which one describes you best?
“I outsource my WiFi completely”
If your WiFi is 100% operated by a third-party, like MIMO, the end-user’s relationship is with the provider. It is therefore their responsibility to include GDPR friendly terms on their site (and splash pages).
Things to do:
- Ensure your provider is compliant - it is now your responsibility to ensure they are.
- If your name, address or logo appears on the splash pages, you’re the data controller (see below).
- If your provider shares the data with you, you must include this in your website terms.
- Find out who your provider shares the data with. It should be in their terms!
Please note: if your provider shares data with you - they must disclose this within the user terms.
“I run my own network without a splash page”
As long as you’re not collecting any personal data OR storing any MAC addresses, you have nothing to do. As a business, however, it is your responsibility to keep your WiFi safe (legally).
Things to do:
- Consider using a provider to manage your networks and keep things legal.
“I self-host my own splash pages”
If you’re using your own self-hosted or re-branded splash pages, the user is interacting with your business. You’ll be regarded as the data controller and potentially the data processor - you have some work to do!
Things to do:
- Update your terms (get some legal advice).
- Add a cookie pop-up to your site and splash pages.
- Designate a data controller and processor.
- Create a list of all your suppliers and check they’re GDPR compliant.
- Create a data map - tell people what’s stored, what it’s for.
- Encrypt your data - keep things safe.
- Allow users to request their data.
- Allow users to request a data deletion.
- If you store data outside the EEA, ensure it’s stored with a compliant company.
“I use a third-party but it’s branded to match my business”
If this is the case, you can offload much of the work to the provider. However, since the splash pages may represent your business, you are potentially regarded as the data controller.
With MIMO, we’ve built tools to help you handle data requests and data deletion requests. View our GDPR tools here.
- Ensure your provider is actually compliant with the GDPR.
- Ensure the user can opt in to data processing & marketing messages.
- Update your terms.
If you’re capturing emails, make sure your terms explicitly state this. Make sure they explain where these emails are stored and what they’re used for.
What Is a Data Request?
Under Article 15 of the GDPR, your customers have the right to request confirmation as to whether or not their personal data are being processed. They can also request this data and information about where the data’s stored.
If you’re running your own splash pages, your customers can contact you and request any data you have about them. As the controller of the data, it’s your responsibility to answer your customer’s questions.
Whether you’re providing your own WiFi or using a third party, you must be able to send the user any data they request and be able to delete it completely. You can read about MIMO’s GDPR tools here.
I’m Capturing Emails Via MailChimp
You’ve included an email form on your site or splash pages. The emails are added directly to your MailChimp account.
Things to do
- Make sure your forms include a consent checkbox.
- Your terms should clearly state you’re using MailChimp as a processor.
- You must sign the MailChimp Data Processing Agreement.
If you’ve already captured emails, we recommend you email your entire list and ask them to re-confirm their subscription. What a pain.
Should I Enable Double Opt-In?
It’s not strictly required to enable double opt-in for your emails but we recommend it. Double opt-in means the user gets an email from you to confirm their subscription.
Whilst it’s not compulsory, we recommend it because the new rules require you to prove the user gave their consent to email marketing. This prevents a user from entering a random (or someone else’s) email on the splash pages (or any other form).
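The two points above (answering a data request or deletion request, and being able to prove the user actually consented via double opt-in) both come down to how the sign-up is recorded. Below is an added example of a consent ledger for a splash-page email form; it is illustrative code written for this article, not MIMO’s software or API. It assumes an operator-held secret (the constructed SERVER_SECRET placeholder), a 48-hour confirmation window, and an in-memory dict standing in for a real database. The confirmation link carries an HMAC-signed token bound to the address, so a link can’t be reused for a different email, and a consent record is only created once that link is clicked; the same record is what you hand back for an Article 15 request and what you delete for an erasure request.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed placeholder: load the real value from your config or secret store.
SERVER_SECRET = b"replace-with-a-long-random-secret"
CONFIRM_TTL_SECONDS = 48 * 3600  # how long a confirmation link stays valid (assumption)


class ConsentLedger:
    """Records explicit, provable consent for an email capture form.

    Hypothetical helper, not MIMO's API. An in-memory dict stands in for the
    database; `now` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, secret: bytes = SERVER_SECRET, now=time.time):
        self._secret = secret
        self._now = now
        self._pending = {}   # token -> unconfirmed sign-up
        self._records = {}   # email -> confirmed consent record

    def _sign(self, email: str, nonce: str) -> str:
        # Bind the token to the address so a link cannot be replayed for another email.
        msg = f"{email}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_signup(self, email: str, purposes: list, source: str,
                       opt_in_ticked: bool) -> Optional[str]:
        """Step 1: the form was submitted. Returns the token to put in the
        confirmation email link, or None if the opt-in box was left unticked."""
        if not opt_in_ticked:
            return None  # no pre-ticked boxes and no silent capture
        email = email.strip().lower()
        nonce = secrets.token_urlsafe(16)  # urlsafe alphabet never contains "."
        token = f"{nonce}.{self._sign(email, nonce)}"
        self._pending[token] = {
            "email": email,
            "purposes": list(purposes),   # e.g. ["marketing_email"]
            "source": source,             # which form or splash page captured it
            "requested_at": self._now(),
        }
        return token

    def confirm(self, token: str, email: str) -> bool:
        """Step 2 (double opt-in): the emailed link was clicked. Only a valid,
        unexpired, single-use token for the same address creates a record."""
        email = email.strip().lower()
        try:
            nonce, sig = token.split(".", 1)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(email, nonce)):
            return False  # tampered token or a different address
        pending = self._pending.get(token)
        if pending is None or pending["email"] != email:
            return False  # unknown or already-used token
        if self._now() - pending["requested_at"] > CONFIRM_TTL_SECONDS:
            del self._pending[token]
            return False  # stale link; the user must sign up again
        record = dict(pending)
        record["confirmed_at"] = self._now()
        record["proof"] = f"double opt-in token {nonce} confirmed by link click"
        self._records[email] = record
        del self._pending[token]  # single use
        return True

    def has_consent(self, email: str, purpose: str) -> bool:
        """Check before every marketing send; unconfirmed sign-ups never count."""
        rec = self._records.get(email.strip().lower())
        return rec is not None and purpose in rec["purposes"]

    def export(self, email: str) -> Optional[dict]:
        """Article 15 data request: everything held about this address, or None."""
        rec = self._records.get(email.strip().lower())
        return dict(rec) if rec else None

    def erase(self, email: str) -> bool:
        """Deletion request: drop the confirmed record and any pending sign-ups."""
        email = email.strip().lower()
        removed = self._records.pop(email, None) is not None
        stale = [t for t, p in self._pending.items() if p["email"] == email]
        for tok in stale:
            del self._pending[tok]
            removed = True
        return removed


if __name__ == "__main__":
    ledger = ConsentLedger()
    tok = ledger.request_signup("guest@example.com", ["marketing_email"], "splash", True)
    print("consent before click:", ledger.has_consent("guest@example.com", "marketing_email"))
    ledger.confirm(tok, "guest@example.com")
    print("consent after click: ", ledger.has_consent("guest@example.com", "marketing_email"))
    print("export:", ledger.export("guest@example.com"))
    print("erased:", ledger.erase("guest@example.com"))
```

The stored record (source form, timestamps, purposes and the confirmed token) is the evidence you would show if asked to prove consent; if you use MailChimp or another processor, the equivalent is their double opt-in audit trail plus your own copy of the sign-up.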
Data Requests - The Worst Case
You may have seen the NIGHTMARE LETTER. You should read it; it’s basically the worst-case data request.
Your terms should be able to address most of the requests, and you should be able to fulfil all the others. And check out our GDPR tools.
Who Is the Controller And Who Is The Processor?
Article 4 defines the controller and processor as follows:
'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
For example, if you sell coffee to consumers and use MIMO Inc. to capture customer emails via splash pages with your logo, email consumers on your behalf and track activity, then regarding such email data, you are the data controller. MIMO is the data processor.
And then article 28(1) states that:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Which means that data controllers, i.e. customers of data processors (you), can only use processors that comply with the GDPR, or risk penalties themselves.
Make sure you’re using a reputable, compliant provider; otherwise you will be punished.
What Is Personal Data?
TLDR; anything that can potentially be linked to a user.
From the main GDPR site:
The GDPR applies to 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
How The Data Can Be Processed
The GDPR requires that personal data shall be processed lawfully and fairly.
TLDR; whoever’s collecting the data can’t use it for naughty reasons, nor can they sell it without consent or prior warning.
The data that’s gathered must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Well, hopefully you’re using a most awesome WiFi provider. But if you’re not, you’re in the right place! There’s a big pink register button below.
Whilst we’re excellent at providing WiFi services, we’re not lawyers, so we must insist you get a second opinion.
Find out whether MIMO could work for your business. You can read more about all the MIMO features here. You can try MIMO for free and it works with all your fave WiFi devices!