GDPR Overview

You’ve probably heard about the EU’s new regulation, the General Data Protection Regulation (GDPR). It’s a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organisations to deal with that data in transparent and secure ways. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens.

At Res:Harmonics, we are hard at work ensuring that our own practices are GDPR-compliant. But equally important to us is helping you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own.

A big piece of that is ensuring that the Res:Harmonics platform sets you up for GDPR compliance. 

We are fully committed to enhancing the Res:Harmonics platform to enable easier compliance with the GDPR by the 25th May 2018.

Disclaimer

This page is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Res:Harmonics has addressed some important legal points. This legal information is not the same as legal advice, where a lawyer applies the law to your specific circumstances, so we strongly suggest you consult a lawyer if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.

Product Roadmap


Below you will find a detailed list of the features we’re building to help you be compliant. A quick note on timelines: we’ve already started to build many of these new features and some have been delivered, and we’ll continue to ship them regularly. 

Our planned timeline is to have every feature on this list completed by May 25, 2018.

But first, a quick primer on the legalese associated with the GDPR.

Let’s say that Giles is a contact of yours and an EU citizen. He's called the "data subject," and your company (let's call you Acme Corp.) is called the "controller" of that data. If you're a Res:Harmonics customer, then Res:Harmonics acts as the "processor" of Giles' data on behalf of Acme. With the introduction of the GDPR, data subjects like Giles are given an enhanced set of rights, and controllers and processors like Acme Corp and Res:Harmonics, respectively, an enhanced set of regulations.


Each requirement below is listed with an overview and the road map features that address it.

Lawful basis of processing

You need to have a legal reason to use Giles' data. That reason could be consent (he opted in) with notice (you told him what he was opting into), performance of a contract (e.g. he's your customer and you want to send him an invoice / booking confirmation / arrival information), or what the GDPR calls “legitimate interest” (e.g. he's a customer, and you want to send him products related to what he currently has).

You need the ability to track that reason (also known as “lawful basis”) for a given contact.

Contact Source

The source of every Contact and Company is now tracked in the system, so you can see where and when they were added to the system and by whom.

RELEASED 24th April

Online Enquiry Form

The online enquiry form allows potential customers to enter their details and requirements, and creates an enquiry in the Sales Delivery Centre. Any contact created through the online enquiry form will be logged as having come from it.

TESTING expected release 22nd May

Marketing Lists 

The ability to opt your contacts into one or more marketing lists. Contacts can be opted in through the Online Enquiry Form or Online Booking Engine.

Marketing lists can be synchronised with MailChimp (www.mailchimp.com) for bulk sending emails to your marketing lists.

If a contact unsubscribes from a marketing email on MailChimp, the contact will be unsubscribed from the list in the PMS.

IN DEVELOPMENT expected release 22nd May

Consent

One type of lawful basis of processing is consent with proper notice.

In order for Giles to grant consent under the GDPR, a few things need to happen: 

• He needs to be told what he's opting into. That’s called “notice.” 

• He needs to opt in affirmatively (pre-checked checkboxes aren’t valid). Filling out a form alone cannot implicitly opt him into everything your company sends. 

• The consent needs to be granular, meaning it needs to cover the various ways you process and use Giles' personal data (e.g. marketing email or sales calls). You must log auditable evidence of what Giles consented to, what he was told (notice), and when he consented.

Online Opt-In Consent and Privacy Policy

Online Booking and Enquiry Forms will include opt-in consent at the time of submitting an Enquiry / creating a booking. This is in addition to the current terms and conditions acceptance.

Only if a contact opts in will they be added to the Mailing Lists above. The details of where and when the contact opted in are stored on the mailing list.

IN DEVELOPMENT expected release 22nd May

Subscription Management

Every Contact in the PMS will have a unique Subscription Management link which allows them to view contact data held about them and to opt-in or out of the Marketing Lists in the PMS.

Additionally, as mentioned in the MailChimp section, if a contact unsubscribes on MailChimp they will be unsubscribed from the associated Marketing List. 

IN DEVELOPMENT expected release 22nd May

Withdrawal of consent (or opt out)

Giles needs the ability (as data subject) to see what he’s signed up for, and withdraw his consent (or object to how you’re processing his data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.

Subscription Management

As above, the functionality allows contacts to withdraw consent.

IN DEVELOPMENT expected release 22nd May
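The lawful basis, consent and withdrawal requirements above describe what a consent record has to capture: one purpose per decision, an affirmative act (no pre-ticked boxes), the notice the contact was shown, when and where it happened, and a withdrawal path that is as easy as the opt-in and is itself logged rather than erased. The following is an added illustrative example of such an append-only consent ledger; it is not Res:Harmonics code, and the class names, the purposes "marketing_email" / "sales_calls", the notice version and the contact "giles" are all constructed assumptions.

```python
"""Consent ledger example (added for illustration; not Res:Harmonics code).

ConsentLedger, ConsentEvent, LawfulBasis and all sample values are constructed.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class LawfulBasis(Enum):
    CONSENT = "consent"
    CONTRACT = "performance_of_contract"
    LEGITIMATE_INTEREST = "legitimate_interest"


@dataclass(frozen=True)
class ConsentEvent:
    """One auditable decision: who, which purpose, what notice, when, where."""
    contact_id: str
    purpose: str                   # granular: exactly one purpose per event
    granted: bool                  # True = opt-in, False = withdrawal
    notice_version: Optional[str]  # notice text shown (None on withdrawal)
    source: str                    # e.g. "online_enquiry_form", "subscription_link"
    recorded_at: datetime          # UTC timestamp of the decision


class ConsentLedger:
    """Append-only consent log plus the lawful basis held for each purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._basis: Dict[Tuple[str, str], LawfulBasis] = {}

    def set_lawful_basis(self, contact_id: str, purpose: str,
                         basis: LawfulBasis) -> None:
        """Track why you may process this contact's data for this purpose."""
        self._basis[(contact_id, purpose)] = basis

    def lawful_basis(self, contact_id: str, purpose: str) -> Optional[LawfulBasis]:
        return self._basis.get((contact_id, purpose))

    def record_opt_in(self, contact_id: str, purpose: str, notice_version: str,
                      source: str, box_ticked: bool, box_prechecked: bool = False,
                      now: Optional[datetime] = None) -> bool:
        """Log an affirmative opt-in; returns True only if consent was granted."""
        if box_prechecked:
            # A pre-ticked box is not an affirmative act, so it cannot be consent.
            raise ValueError("pre-checked consent boxes are not valid consent")
        if not box_ticked:
            # Submitting the form without ticking the box grants nothing.
            return False
        stamp = now or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(contact_id, purpose, True,
                                         notice_version, source, stamp))
        self._basis[(contact_id, purpose)] = LawfulBasis.CONSENT
        return True

    def withdraw(self, contact_id: str, purpose: str, source: str,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal is one call, as easy as opting in, and is itself logged."""
        stamp = now or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(contact_id, purpose, False,
                                         None, source, stamp))

    def has_consent(self, contact_id: str, purpose: str) -> bool:
        """The most recent event for this contact and purpose is the current state."""
        for ev in reversed(self._events):
            if ev.contact_id == contact_id and ev.purpose == purpose:
                return ev.granted
        return False

    def evidence(self, contact_id: str) -> List[dict]:
        """What the contact consented to, what he was told, and when."""
        return [{**asdict(ev), "recorded_at": ev.recorded_at.isoformat()}
                for ev in self._events if ev.contact_id == contact_id]


def demo() -> ConsentLedger:
    """Walk Giles through opt-in and withdrawal on constructed sample data."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 22, 9, 0, tzinfo=timezone.utc)
    # Invoices and booking confirmations rest on the contract, not on consent.
    ledger.set_lawful_basis("giles", "booking_confirmation", LawfulBasis.CONTRACT)
    # Enquiry form: marketing box ticked, sales-call box left empty.
    ledger.record_opt_in("giles", "marketing_email", "privacy-2018-05",
                         "online_enquiry_form", box_ticked=True, now=t0)
    ledger.record_opt_in("giles", "sales_calls", "privacy-2018-05",
                         "online_enquiry_form", box_ticked=False, now=t0)
    # Later, Giles withdraws through his subscription management link.
    t1 = datetime(2018, 6, 1, 14, 30, tzinfo=timezone.utc)
    ledger.withdraw("giles", "marketing_email", "subscription_link", now=t1)
    return ledger


def prechecked_box_is_rejected() -> bool:
    """True if the ledger refuses a pre-ticked checkbox as consent."""
    try:
        ConsentLedger().record_opt_in("x", "p", "v", "s", box_ticked=True,
                                      box_prechecked=True)
    except ValueError:
        return True
    return False
```

Two design points worth noting: the ledger never deletes events, so the audit trail shows both the opt-in and the later withdrawal with their timestamps and sources, and `has_consent` derives the current state from the last event rather than from a mutable flag. A subscription management link that exposes this evidence should be keyed by an unguessable random token rather than by the contact id (an assumption about good practice, not a statement about the product).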

Cookies

Giles needs to be given notice that you're using cookies to track him (in language he can understand) and needs to consent to being tracked by cookies.


Cookie Policy Acceptance

The booking engine can optionally display a cookie message and a link to your privacy policy. The user on the website will be able to accept the policy.

If you do not display the policy on the booking engine you should display it on your main website.

IN DEVELOPMENT expected release 25th May

Deletion

Giles has the right to request that you delete all the personal data you have about him. The GDPR requires the permanent removal of Giles' contact from your database, including email tracking history, call records, form submissions and more.

In many cases, you’ll need to respond to his request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.

Contact Deletion

The existing "delete contact" function retains the contact's information in the software's Audit table.

A new "Anonymise Contact" button will be available on the contact CRM record. "Anonymise Contact" is a non-reversible function that anonymises the contact's record immediately.

Copies of emails sent will also be removed from the system.

The contact record will be anonymised in the front end immediately, and all records of the contact's contact information will be removed within 30 days.

The function will only be available if the contact is not involved in an existing or future booking as a Booking Contact or Guest.


IN DEVELOPMENT expected release 25th May
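The deletion requirement and the Anonymise Contact feature above combine several rules: the request is refused while the contact is on an existing or future booking, identifying fields are blanked immediately and irreversibly, sent email copies are removed at once, the remaining records are purged within 30 days, and (unlike a plain delete, which keeps the details in the Audit table) the audit trail must record only that the anonymisation happened. The following is an added illustrative example of those rules, not Res:Harmonics code; the ContactStore, Booking and SentEmail types, the 30-day constant as a scheduling rule, and the sample contacts "giles" and "ana" are constructed assumptions.

```python
"""Anonymise-with-guard example (added for illustration; not Res:Harmonics code).

ContactStore, Booking, SentEmail and the sample contacts are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PURGE_AFTER_DAYS = 30   # remaining contact details removed within 30 days


@dataclass
class Contact:
    contact_id: str
    name: str
    email: str
    phone: str
    anonymised: bool = False
    purge_after: Optional[date] = None


@dataclass
class Booking:
    booking_id: str
    contact_ids: List[str]   # booking contact plus guests
    check_out: date


@dataclass
class SentEmail:
    contact_id: str
    subject: str
    body: str


class ContactStore:
    def __init__(self, contacts: List[Contact], bookings: List[Booking],
                 sent_emails: List[SentEmail]) -> None:
        self.contacts: Dict[str, Contact] = {c.contact_id: c for c in contacts}
        self.bookings = bookings
        self.sent_emails = sent_emails
        # Audit rows hold only (contact id, action, date), never personal data.
        self.audit: List[Tuple[str, str, date]] = []

    def can_anonymise(self, contact_id: str, today: date) -> Optional[str]:
        """Return the reason the request is blocked, or None if it may proceed."""
        if contact_id not in self.contacts:
            return "unknown contact"
        for b in self.bookings:
            # Existing or future booking: check-out is today or later.
            if contact_id in b.contact_ids and b.check_out >= today:
                return f"contact is on existing or future booking {b.booking_id}"
        return None

    def anonymise(self, contact_id: str, today: date) -> None:
        """Non-reversible: strip identifying fields now, schedule the rest."""
        reason = self.can_anonymise(contact_id, today)
        if reason:
            raise PermissionError(reason)
        c = self.contacts[contact_id]
        c.name, c.email, c.phone = "Anonymised contact", "", ""
        c.anonymised = True
        c.purge_after = today + timedelta(days=PURGE_AFTER_DAYS)
        # Copies of emails sent to the contact are removed immediately.
        self.sent_emails = [e for e in self.sent_emails if e.contact_id != contact_id]
        self.audit.append((contact_id, "anonymised", today))

    def purge_due(self, today: date) -> List[str]:
        """Drop anonymised records whose 30-day window has elapsed."""
        due = sorted(cid for cid, c in self.contacts.items()
                     if c.anonymised and c.purge_after is not None
                     and c.purge_after <= today)
        for cid in due:
            del self.contacts[cid]
            self.audit.append((cid, "purged", today))
        return due


def build_sample_store() -> ContactStore:
    """Constructed sample data: Giles has a future stay, Ana's stay is over."""
    return ContactStore(
        contacts=[Contact("giles", "Giles Example", "giles@example.org", "+44 20 0000 0000"),
                  Contact("ana", "Ana Example", "ana@example.org", "+44 20 0000 0001")],
        bookings=[Booking("B-1001", ["giles"], date(2018, 6, 10)),
                  Booking("B-0900", ["ana"], date(2018, 4, 1))],
        sent_emails=[SentEmail("giles", "Arrival information", "..."),
                     SentEmail("ana", "Booking confirmation", "...")],
    )


def run_demo() -> dict:
    """Exercise the rules on the sample data and return the outcomes."""
    store = build_sample_store()
    today = date(2018, 5, 25)
    out: dict = {"giles_blocked": store.can_anonymise("giles", today) is not None}
    try:
        store.anonymise("giles", today)
        out["giles_raised"] = False
    except PermissionError:
        out["giles_raised"] = True
    store.anonymise("ana", today)
    out["ana_email_after"] = store.contacts["ana"].email
    out["ana_emails_left"] = sum(e.contact_id == "ana" for e in store.sent_emails)
    out["purged_day_29"] = store.purge_due(today + timedelta(days=29))
    out["purged_day_30"] = store.purge_due(today + timedelta(days=30))
    out["ana_remains"] = "ana" in store.contacts
    out["audit_holds_email"] = any("ana@" in str(row) for row in store.audit)
    return out
```

The guard runs inside `anonymise` itself rather than only in the UI, so a request that slips past a disabled button is still refused; and because the audit row carries only the contact id and the action, an anonymised contact cannot be reconstructed from the audit trail the way a plainly deleted one could.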

Access / Portability

Just as he can request that you delete his data, Giles can request access to the personal data you have about him. Personal data is anything identifiable, like his name and email address. If he requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

Giles can also request to see and verify the lawfulness of processing (see above).

Contact Overview Report

A new report in the CRM section of the system can be run to download a contact's information in a standard format showing the contact information stored.

TESTING expected release 22nd May

Modification

Just as he can request to delete or access his data, Giles can ask your company to modify his personal data if it’s inaccurate or incomplete. If and when he does, you need to be able to accommodate that modification request.

We suggest you set up an email address such as privacy@yourcompany.com where you accept modification requests.

On receipt of the requested updates, you can amend the record in the PMS and confirm the change to the contact either with the Contact Overview Report or by giving them access to their Subscription Management link.

Security Measures

The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit, to access controls, to data pseudonymisation and anonymisation.

As part of our approach to the GDPR, we’re strengthening our security controls across the board.

In addition to industry standard practices around encryption, our infrastructure teams are also improving our systems for authentication, authorisation, and auditing to better protect our customers' data.


We have released a Data Protection Addendum to customers which outlines the measures taken and our role under the GDPR.

Additionally, our privacy policy has been updated and can be viewed here.


Questions

For any questions relating to the above, please email privacy@resharmonics.com