Common Questions about GDPR
50% of our inbound requests are currently about GDPR. Here’s a summary of the questions and answers!
There are a few great resources that have helped us prepare too:
- The nightmare letter — read this!!
- Preparing your business for GDPR
- Twilio and the GDPR
- MailChimp’s GDPR blog
- We need to talk, about GDPR
What Is a Data Request?
Under Article 15 of the GDPR, your customers have the right to request confirmation as to whether or not their personal data are being processed. They can also request this data and information about where the data’s stored.
If you’re running your own splash pages, your customers can contact you and request any data you have about them. As the controller of the data, it’s your responsibility to answer your customer’s questions.
Whether you’re providing your own WiFi or use a third-party, you must be able to send the user any data they request and be able to delete it completely. You can read about MIMO’s GDPR tools here.
I’m Capturing Emails Via MailChimp
You’ve included an email form on your site or splash pages. The emails are added directly to your MailChimp account.
Things to do
- Make sure your forms include a consent checkbox.
- Your terms should clearly state you’re using MailChimp as a processor.
- You must sign the MailChimp Data Processing Agreement.
If you’ve already captured emails, we recommend you email your entire list and ask them to re-confirm their subscription. What a pain.
Should I Enable Double Opt-In?
It’s not strictly required to enable double opt-in for your emails but we recommend it. Double opt-in means the user gets an email from you to confirm their subscription.
Whilst it’s not compulsory, we recommend it because the new rules require you to prove the user gave their consent to email marketing. This prevents a user from entering a random (or someone else’s) email on the splash pages (or any other form).
Data Requests — The Worst Case
You may have seen the NIGHTMARE LETTER. You should read it — it’s basically the worst-case data request.
Your terms should be able to address most of the requests, and you should be able to fulfil all the other requests. And check out our GDPR tools.
Who Is the Controller And Who Is The Processor?
Article 4 defines the controller and processor as follows:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
So… what?
For example, if you sell coffee to consumers and use MIMO Inc. to capture customer emails via splash pages with your logo, email consumers on your behalf and track activity, then regarding such email data, you are the data controller. MIMO is the data processor.
And then article 28(1) states that:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Which means that data controllers (you, the customer of a data processor) can only use processors that comply with the GDPR, or risk penalties themselves.
Make sure you’re using a reputable, compliant provider, otherwise you risk being penalised yourself.
What Is Personal Data?
TLDR; anything that can potentially be linked to a user.
From the main GDPR site:
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
How The Data Can Be Processed
The GDPR requires that personal data shall be processed lawfully and fairly.
TLDR; whoever’s collecting the data can’t use it for naughty reasons, nor can they sell it without consent / pre-warning.
The data that’s gathered must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Do I Need To Encrypt Everything?
There are only four references to encryption in the 88 pages that constitute the GDPR. The GDPR does not mandate encryption at all. Rather, it proposes a risk-based approach.
Do as much as you can: use HTTPS everywhere, don’t store user passwords in plaintext, encrypt data at rest where possible, don’t store personal data on laptops, etc.
There’s a great article about this here. We’ll be creating an official document about our encryption shortly. For the short term, check out our article here.
Anonymisation vs Encryption
Anonymising data removes any personal information — and cannot be reversed.
Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place.
So, you could replace the name ‘Bob Smith’ with ‘User X’ as long as there’s no mapping between the two.
Pseudonymisation replaces the personal data with pseudo-data, something that looks almost random.
‘Bob Smith’ would become ‘User X’, but an additional table might contain the mapping.
Encryption takes the raw data and transforms it with some kind of key (and possibly a salt). The data is useless to anyone who does not hold the key.
Example — we store client MAC addresses for troubleshooting purposes. Since we don’t need these for long — we expire the row after 30 days. On top of this, we encrypt the MAC with a unique salt that belongs to the customer. We rotate this salt every 30 days. Even if you got the old data, the salt would have changed.
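As an added example (not MIMO’s code), here is one way to realise the three ideas above in Python: irreversible anonymisation with no stored mapping, and the MAC-address scheme with a 30-day retention limit and a per-customer salt that rotates every 30 days. The “encrypt the MAC with a unique salt” step is implemented here as an HMAC keyed by a per-customer secret mixed with a 30-day window index; the window origin, the customer secret and the sample MAC addresses are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # page: troubleshooting rows expire after 30 days
ROTATION = timedelta(days=30)   # page: the per-customer salt rotates every 30 days
ORIGIN = datetime(2018, 1, 1, tzinfo=timezone.utc)  # assumed start of window 0

def normalise_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' so formatting variants get one pseudonym."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def rotation_period(at: datetime) -> int:
    """Index of the 30-day window containing 'at'; each window has its own salt."""
    return (at - ORIGIN) // ROTATION

def period_salt(customer_secret: bytes, period: int) -> bytes:
    """Assumed derivation: the customer's secret mixed with the window index."""
    return hashlib.sha256(customer_secret + period.to_bytes(8, "big", signed=True)).digest()

def pseudonymise_mac(mac: str, customer_secret: bytes, at: datetime) -> str:
    """Keyed hash (HMAC) of the MAC: re-derivable only with the customer secret,
    and different once the salt has rotated, so old rows stop linking to new ones."""
    salt = period_salt(customer_secret, rotation_period(at))
    return hmac.new(salt, normalise_mac(mac).encode(), hashlib.sha256).hexdigest()

def is_expired(captured_at: datetime, now: datetime) -> bool:
    return now - captured_at >= RETENTION  # drop the row, do not export it

def anonymise(macs):
    """Irreversible: sequential labels replace MACs and the mapping is discarded."""
    mapping = {}
    for mac in macs:
        mapping.setdefault(normalise_mac(mac), f"User {len(mapping) + 1}")
    return [mapping[normalise_mac(m)] for m in macs]  # mapping dies with this frame

def demo() -> dict:
    """Constructed sample: one customer secret, one client seen across two windows."""
    secret = b"constructed-per-customer-secret"
    seen = datetime(2018, 5, 25, tzinfo=timezone.utc)
    return {
        "same_window": pseudonymise_mac("AA-BB-CC-DD-EE-FF", secret, seen)
        == pseudonymise_mac("aa:bb:cc:dd:ee:ff", secret, seen + timedelta(days=1)),
        "after_rotation": pseudonymise_mac("aa:bb:cc:dd:ee:ff", secret, seen)
        != pseudonymise_mac("aa:bb:cc:dd:ee:ff", secret, seen + timedelta(days=31)),
        "expired_after_30d": is_expired(seen, seen + timedelta(days=30)),
        "kept_at_29d": not is_expired(seen, seen + timedelta(days=29)),
    }
```

Note that a keyed hash is one-way: a data request for the underlying MAC can only be answered while the row is still within retention and the secret for that window is available.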
Do I need to enable the GDPR consent form if I’m not in Europe?
As far as we can tell, no, you do not. Even if your users are from the EU. Your boxes must be physically located outside the EU, however.
Don’t forget, we’re a WiFi Management company not a lawyer. Get some legal advice.