What is GDPR compliance?
The GDPR compliance function is optional for most of the world, but required as a part of the opt-in form if your location is in the European Union. NOTE: Locations in the United Kingdom need to meet the same privacy requirements under the Data Protection Act 2018.
If enabled, this function will make the campaign GDPR compliant, and the data that is collected as part of the login process may be anonymized if the guest does not consent to its collection.
Data protection changes
These are the changes made to guest data collection when GDPR compliance is enabled:
- Guest data that is collected as part of the login process is immediately tokenized.
- If the guest does not complete the login process, this tokenized data is discarded within 48 hours, during which time it is not accessible by any other systems.
- Guests must explicitly confirm their consent (opt in) to data collection and storage. This allows automations to run for that guest.
- If they do not confirm their consent (they opt out), their sensitive data (email address and phone number) are pseudonymized.
- This pseudonymized guest data allows us to continue to perform functions such as "One Click Welcome Back" and generate appropriate reports and data aggregations, but without being able to retrieve the actual guest data. It cannot be used for any means of personal identification, or for further communication.
- No automations will be triggered by guests who have not confirmed their consent to data collection.
Social profiles collected from guest logins that are GDPR compliant will have a badge stating this.
Is GDPR compliance mandatory?
Anyone operating within the EU or UK, or who process data from EU or UK citizens must use our GDPR compliance feature as of 25 May 2018. Anyone outside those regions does not have to use GDPR compliance or the opt-in form, but it's still recommended as a courtesy for your guests.
Process overview: Spring 2018
The following is a process overview from spring 2018 of how the MyWiFi platform enforces GDPR compliance for Channel Partners:
- All EU Locations have GDPR Toggled ON and ReadOnly [cannot be User disabled].
- Campaigns have an optional, customizable Opt-In Form and GDPR ON/OFF Toggle.
- Upon Guest Login - guest data is treated in GDPR compliant fashion IF Location: GDPR is ON AND/OR Campaign: GDPR is ON.
- We are performing tokenization of all Guest data as the Guest performs the Login Process.
- If the Guest does not complete the Login Process, the tokenized guest data is discarded within 48 hours, after which time it is not accessible by any other systems.
- The First Step of Splash Page / Login Experience is to swipe the "Agree" button. You cannot proceed to Login without Agreeing to the Terms and Conditions.
- When the Guest successfully completes the Login Process they are presented the Opt-In Form which allows them to confirm their consent (Opt-In / Opt-Out).
- Guests are Opted-Out by Default unless they specify explicitly that they choose to Opt-In.
- If the Guest confirms consent (they selected Opt-In), the processes to run Automations [Webhooks, Data Push/Broadcast Integrations] on their data are activated and performed.
- If the Guest does NOT grant consent (they selected Opt-Out), NO Automations [Webhooks, Data Push/Broadcast Integrations] will be performed on their data, ever.
- If the Guest does NOT grant consent (they selected Opt-Out) then we save a pseudonymized representation of their sensitive Guest data points [E-Mail and/or Phone Number] This is a one-way hash and the real e-mail address and/or phone number cannot be retrieved to their original values.
- The pseudonymized Guest data we store allows us to continue to perform functions such as "One Click Welcome Back" and generate appropriate reports and data aggregations, but without being able to retrieve the actual sensitive Guest data, it cannot be used for any personally identifiable means or for any direct communication.
- Guests can enter their E-Mail Address or Phone Number to get a link that gives them access to their Guest Data Dashboard, which contains all data points we have collected that's associated with that Email Address / Phone Number.
- Guests can change their Opt-In state to an Opt-Out from the Guest Data Dashboard [this will upon execution, pseudonymize their sensitive data and prevent anybody or any system from accessing it in the future and preventing any Automations from running from that point forward].
- Guests can delete their data profiles from the Guest Data Dashboard [this will delete all data associated wtih their Data Profile].
- We do NOT store cookies on Guests' browsers.
- Social User Profiles in Platform indicate Guest consent choice [Opt-In / Opt-Out].
- Social User Profiles in Platform indicate GDPR compliance and blur the pseudonymized sensitive data [Email Address / GDPR] for Guests that have Opted-Out.
- Social User Contact List in Platform indicate [Guest consent choice] Opt-In / Opt-Out.
- Social User Contact List Exports in Platform indicate Opt-In / Opt-Out consent choice and contain pseudonymize data if Guest Opted-Out.
All Channel Partners must adhere to the following GDPR Requirements if serving customers based in the European Union (EU):
- Ensure you have implemented custom terms that feature "friendly language" (clear and plain, intelligible).
- Add the "Opt-In" Form to your Campaigns with appropriate language & Enable GDPR.
- Enable GDPR on your Locations that fall within the European Union countries.
- Determine if you’re a controller or processor of data.
- Email guests that you are currently communicating with and confirm their consent.
Under the GDPR, Controllers and Processors are required to implement appropriate technical and organizational measures.
Are you a Controller or Processor?
If your company name, branding, address or logo appears on the splash/login pages, you’re the data controller.
- 'Controller' means the natural or legal person, public authority, agency or other bodies which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- 'Processor' means a natural or legal person, public authority, agency or other bodies which process personal data on behalf of the controller.
What data does the GDPR apply to?
The GDPR generally applies to the collection and processing of 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, such as:
- IP Address
- Phone Number
- Location data
- Online identifier (such as IP or MAC address)
MyWiFi's Data Protection Officer can be reached at firstname.lastname@example.org