Are you GDPR ready? HeyMojo is Getting Ready and What You Need to Know

Jagdish Repaswal, HeyMojo
May 4, 2018

GDPR — four letters that we’ve all heard a lot lately!

What do they mean? Are you impacted by them? Are your bots compliant?

This post will be the hub that answers all those questions and a channel for HeyMojo to deliver updates to our users regarding everything you need to know.

Let’s dive in.

What is the General Data Protection Regulation (GDPR)?

In case your company is based in the European Union (EU), or you process EU citizens’ personal data, you are under the jurisdiction of GDPR (the European Union’s new General Data Protection Regulation).

This groundbreaking privacy law goes into enforcement on May 25, 2018.

GDPR is a set of laws which regulates the processing of personally identifiable information (PII). The law applies to individuals, companies, and/or organizations who process or handle the PII of citizens of the EU. GDPR will replace the EU Data Protection Directive, and presents some important changes that all HeyMojo users should be aware of.

GDPR requires a freely given, and specific consent from your new and existing subscribers.

If one of your HeyMojo subscribers, or a data privacy auditor requests information on your PII/data processing practices, you’ll need to be ready to show the moment of consent, and explain how the subscriber’s personal data is collected, and what it will be used for.

Your subscribers must be able to easily send you a request to download, change, and even completely remove all their personal data from your HeyMojo account.

HeyMojo is committed to providing a safe, conversational, and engaging experience for everybody who interacts with our Messenger experiences. Complying with GDPR is not only the best thing to do for all of our businesses; it’s also the right thing to do.

As such, we’re actively working on a set of tools which will help you comply with this important data privacy law.

What if a subscriber asks to download their data?

We’re working on a feature which will enable any bot Admin to download personally identifiable information gathered in conversations with any individual subscriber. Therefore, if any of your subscribers request a copy of their data, you’ll quickly and easily be able to send it to them in a format which will be easy to access, read, and analyze.

We’re also developing tools which will show you whether any of this information was transferred to the 3rd-party services HeyMojo integrates with, now or in the future. This transparency will enable you not only to show your subscribers their data, but also to give a deeper view into how and when that data was distributed to 3rd parties.

What if a subscriber asks to delete all their data from my system?

We’ve got you covered on this one!

Soon, we’ll be launching tools to help you manually administer your subscribers’ data. In case you get a request from your HeyMojo subscriber (or an auditor) to delete any particular subscriber’s PII from the system, you’ll be able to manually delete their subscriber record entirely from the HeyMojo account.

Deleted data can include Facebook profile information, any custom fields, tags, email addresses, phone numbers, and even their LiveChat discussions with your Facebook page Messenger.

Keep in mind that full Messenger chat history will still be stored by Facebook in your “Page Inbox”, and in the subscriber’s Messenger. Our tools will only cover HeyMojo (not the Facebook page itself), so you’ll need to take any further action in Page Inbox or in the subscriber’s Messenger on your own.

What if I’ve downloaded subscriber data or already sent it to a 3rd party app like a CRM or email service provider?

Do I still need to delete that data?

Another nuance to be aware of — if the subscriber’s data was exported to a 3rd party app (for example, you used Zapier to push the subscribers’ email addresses to your CRM) you’ll also be responsible for deleting their data from the 3rd party app, and notifying your subscriber that you’ve done so.

If you delete information from HeyMojo at a subscriber’s request, but fail to simultaneously delete their data from 3rd-party applications, you may be exposing yourself to the risks associated with non-compliance.

What about people who’ve unsubscribed from my bot?

Is there anything I need to do with their data to stay compliant with GDPR?

Good question!

The law stipulates new best practices for data retention (i.e. how long you should hold on to PII and related data given certain parameters). To help your business maintain GDPR compliance, we’ll start automatically removing personal data from subscriber profiles 90 days after they unsubscribe from your HeyMojo bot.

After 90 days, the personal data associated with somebody who unsubscribed will no longer be available via HeyMojo to you, or to 3rd party applications.
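As an added example, not HeyMojo’s code and not a description of how their tools are built, the Python sketch below shows the three mechanisms this post describes in one small in-memory store: recording the moment of consent together with its purpose so it can be shown to a subscriber or auditor, serving an access (download) request and an erasure request that also reports which 3rd-party apps received copies (the Zapier-to-CRM case mentioned earlier), and a retention sweep that purges personal data 90 days after unsubscribe. All class, method and field names are hypothetical, and the subscribers and timestamps are constructed.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION_DAYS = 90  # retention window for unsubscribed profiles, as the post states


@dataclass
class Subscriber:
    subscriber_id: str
    personal: Dict[str, str] = field(default_factory=dict)  # email, phone, custom fields
    tags: List[str] = field(default_factory=list)
    consent: Optional[dict] = None  # purpose, timestamp and where it was collected
    unsubscribed_at: Optional[datetime] = None
    exports: List[dict] = field(default_factory=list)  # third-party apps that got copies


class SubscriberStore:
    # Hypothetical in-memory store; a real system would persist these records.

    def __init__(self) -> None:
        self._subs: Dict[str, Subscriber] = {}

    def register(self, sub_id: str) -> Subscriber:
        return self._subs.setdefault(sub_id, Subscriber(sub_id))

    def record_consent(self, sub_id, purpose, now, source="welcome_flow") -> None:
        # Keep the moment of consent and the stated purpose, so both can be shown later.
        self.register(sub_id).consent = {"purpose": purpose, "at": now.isoformat(), "source": source}

    def set_personal(self, sub_id: str, **fields: str) -> None:
        # Refuse to store personal data when there is no consent on record.
        sub = self._subs[sub_id]
        if sub.consent is None:
            raise PermissionError(f"no consent on record for {sub_id}")
        sub.personal.update(fields)

    def export_to_third_party(self, sub_id: str, app: str, now: datetime) -> None:
        # Log every onward transfer; an erasure request must reach these apps too.
        sub = self._subs[sub_id]
        sub.exports.append({"app": app, "fields": sorted(sub.personal), "at": now.isoformat()})

    def access_request(self, sub_id: str) -> str:
        # Everything held about the subscriber, in a readable, portable format.
        sub = self._subs[sub_id]
        return json.dumps({"subscriber_id": sub.subscriber_id, "personal": sub.personal,
                           "tags": sub.tags, "consent": sub.consent,
                           "shared_with": sub.exports}, indent=2)

    def erasure_request(self, sub_id: str) -> List[str]:
        # Drop the record entirely; return the apps that still hold copies to clean up.
        sub = self._subs.pop(sub_id)
        return sorted({e["app"] for e in sub.exports})

    def unsubscribe(self, sub_id: str, now: datetime) -> None:
        self._subs[sub_id].unsubscribed_at = now

    def retention_sweep(self, now: datetime) -> List[str]:
        # Purge personal data from profiles unsubscribed RETENTION_DAYS or more ago.
        cutoff = now - timedelta(days=RETENTION_DAYS)
        purged = []
        for sub in self._subs.values():
            if sub.unsubscribed_at is not None and sub.unsubscribed_at <= cutoff and sub.personal:
                sub.personal.clear()
                sub.tags.clear()
                purged.append(sub.subscriber_id)
        return purged

    def has_personal_data(self, sub_id: str) -> bool:
        return bool(self._subs[sub_id].personal)


def retention_demo() -> dict:
    """One constructed subscriber: consent, unsubscribe, then sweeps at day 90 and day 91."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed timestamp
    store = SubscriberStore()
    store.record_consent("sub-001", "order updates via Messenger", t0)
    store.set_personal("sub-001", email="alice@example.com", phone="+10000000000")
    store.unsubscribe("sub-001", t0 + timedelta(days=1))
    early = store.retention_sweep(t0 + timedelta(days=90))  # one day short: nothing purged
    late = store.retention_sweep(t0 + timedelta(days=91))  # window elapsed: purged
    return {"early": early, "late": late, "still_has_pii": store.has_personal_data("sub-001")}


def erasure_demo() -> dict:
    """Access request followed by erasure for a subscriber whose data went to two apps."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed timestamp
    store = SubscriberStore()
    store.record_consent("sub-002", "newsletter", t0)
    store.set_personal("sub-002", email="bob@example.com")
    store.export_to_third_party("sub-002", "crm-via-zapier", t0)
    store.export_to_third_party("sub-002", "email-provider", t0)
    record = json.loads(store.access_request("sub-002"))
    return {"consent_purpose": record["consent"]["purpose"],
            "must_also_delete": store.erasure_request("sub-002")}


if __name__ == "__main__":
    print(retention_demo(), erasure_demo())
```

The two details worth noting are that `set_personal` refuses to store anything for a profile with no consent record, and that `erasure_request` returns the list of onward recipients rather than silently dropping it, because deleting the local copy alone leaves the 3rd-party copies in place.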

How do I prove that somebody gave me “consent” to process their personally identifiable information and associated data?

GDPR emphasizes the importance of building a trusting relationship between you and your new subscribers.

One of the most critical elements to building trust with your subscribers is to obtain their consent to process personal data, and to provide them with an explanation about the purposes of using it. Once GDPR goes into enforcement, storing and using somebody’s personally identifiable information and associated data without their consent is illegal.

If you’re under the jurisdiction of GDPR, we recommend reviewing your HeyMojo Flows to make sure they include personal data processing consent. Also, you’ll need to be able to prove you’ve obtained consent from existing subscribers to continue messaging them after May 25th.

HeyMojo will offer a set of tools and information to help you to be compliant with the new regulations, but we cannot offer you legal advice in your particular case. Please contact your legal team to learn how GDPR affects you, and what you need to do to prepare yourself for this new data protection law.

Is your business GDPR ready? Here is a checklist that our friends at HubSpot published; its content is reproduced below.

Since every business is different and the GDPR takes a risk-based approach to data protection, companies should assess their own data collection and storage practices (including the ways they use HeyMojo’s chatbot marketing tools) and seek their own legal advice to ensure that their business practices comply with the GDPR. In determining your next steps, here are some of the questions you should consider.

· The Assessment

· The GDPR Project Plan

· The Procedures and Controls

· The Documentation

The Assessment

· What personal data do we collect/store?

· Have we obtained it fairly? Do we have the necessary consents required and were the data subjects informed of the specific purpose for which we’ll use their data? Were we clear and unambiguous about that purpose and were they informed of their right to withdraw consent at any time?

· Are we ensuring we aren’t holding it for any longer than is necessary and keeping it up-to-date?

· Are we keeping it safe and secure using a level of security appropriate to the risk? For example, will encryption or pseudonymisation be required to protect the personal data we hold? Are we limiting access to ensure it is only being used for its intended purpose?

· Are we collecting or processing any special categories of personal data, such as ‘Sensitive Personal Data’, children’s data, biometric or genetic data etc. and if so, are we meeting the standards to collect, process and store it?

· Are we transferring the personal data outside the EU and if so, do we have adequate protections in place?

The GDPR Project Plan

· Have we put a project plan together to ensure compliance by the May 2018 deadline?

· Have we secured buy-in at executive level to ensure we have the required resources and budget on hand to move the project forward?

· Do we require a Data Privacy Impact Assessment?

· Do we need to hire a Data Privacy Officer?

· Are we implementing a policy of ‘Data Protection by Design and Default’ to ensure we’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals?

· Have we considered how we handle employee data in our plan?

The Procedures and Controls

· Is our Security team informed, so that they’re aware of their obligations under the GDPR, and do they have sufficient resources to implement any required changes or new processes?

· Do we have procedures in place to handle requests from data subjects to modify, delete or access their personal data? Do these procedures comply with the new rules under the GDPR?

· Do we have security notification procedures in place to ensure that, in case of a data breach, we meet our enhanced reporting obligations under the GDPR in a timely manner?

· Are our staff trained in all areas of EU data privacy to ensure they handle data in a compliant manner?

· Do we review and audit the data we hold on a regular basis?

The Documentation

· Do we have a Privacy Policy in place and if so, do we need to update it to comply with the GDPR?

· Do we have a defined policy on retention periods for all items of personal data, from customer, prospect and vendor data to employee data? Is it compliant with the GDPR?

· Are our internal procedures adequately documented?

· If we’re a data processor, have we updated our contracts with the relevant controllers to ensure they include the mandatory provisions set out in Art. 28 of the GDPR?

· In cases where our third party vendors are processing personal data on our behalf, have we ensured our contracts with them have been updated to include those same processor requirements under the GDPR?

Disclaimer

This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.

Jagdish Repaswal
Heymojo

CEO of HeyMojo.com, Experimenting with ideas, Passionate about SaaS businesses, children’s education, Learner for Life