Preparing for GDPR

CT WiFi, published in CT WiFi Blog, Apr 11, 2018

Our friends at MIMO have written a really comprehensive blog about preparing your business for the GDPR rulz. We’ve taken the best bits for your consumption today. Read the full blog here.

Six Things You Must Do Before May 25

  1. Ensure your WiFi provider has implemented GDPR ‘friendly’ terms.
  2. Add your own terms, sub-processors and cookie policies to your site.
  3. Add an opt-in checkbox wherever you’re capturing customer data.
  4. Add a cookie consent form to your site (and splash pages).
  5. Determine if you’re a controller or processor of the data.
  6. Email all your existing customers and ask them to reconfirm consent.

Whose Responsibility Is It?

So you’re running a public WiFi Network? Staying compliant isn’t that hard. What you need to do depends on how you’ve set up your splash pages and who operates them. Which one describes you best?

“I outsource my WiFi completely”

If your WiFi is 100% operated by a third-party, like MIMO, the end-user’s relationship is with the provider. It is therefore their responsibility to include GDPR friendly terms on their site (and splash pages).

Things to do:

  • Ensure your provider is compliant — it is now your responsibility to ensure they are.
  • If your name, address or logo appears on the splash pages, you’re the data controller (see below).
  • If your provider shares the data with you, you must include this in your website terms.
  • Find out who your provider shares the data with. It should be in their terms!

Please note: if your provider shares data with you — they must disclose this within the user terms.

“I run my own network without a splash page”

As long as you’re not collecting any personal data OR storing any MAC addresses, you have nothing to do. As a business however, it is your responsibility to keep your WiFi safe (legally).

Things to do:

  • Consider using a provider to manage your networks and keep things legal.

“I self-host my own splash pages”

If you’re using your own self-hosted or re-branded splash pages, the user is interacting with your business. You’ll be regarded as the data controller and potentially the data processor — you have some work to do!

Things to do:

  • Update your terms (get some legal advice).
  • Update or create a privacy policy.
  • Add a cookie policy to your site.
  • Add a cookie pop-up to your site and splash pages.
  • Designate a data controller and processor.
  • Create a list of all your suppliers and check they’re GDPR compliant.
  • Create a data map — tell people what’s stored, what it’s for.
  • Encrypt your data — keep things safe.
  • Allow users to request their data.
  • Allow users to request a data deletion.
  • If you store data outside the EEA, ensure it’s stored with a compliant company.

“I use a third-party but it’s branded to match my business”

If this is the case, you can offload much of the work to the provider. However, since the splash pages may represent your business, you are potentially regarded as the data controller.

With MIMO, we’ve built tools to help you handle data requests and data deletion requests. View our GDPR tools here.

Check list!

  • Ensure your provider is actually compliant with the GDPR.
  • Ensure the user can opt in to data processing & marketing messages.
  • Update your terms.

If you’re capturing emails, make sure your terms explicitly state this. Make sure they explain where these emails are and what they’re used for.

Don’t forget to read the full article here!
