The General Data Protection Regulation ("GDPR") will be enforced starting May 25, 2018, and RepairShopr is committed to being compliant and providing our clients with the tools they need to also be compliant.
This page is about how RepairShopr is helping you to be compliant with your Customers. If you are looking for information on how we are GDPR compliant with YOU (our users), please visit this page: GDPR - RepairShopr and Your Business
GDPR can be broken down into some primary categories that you should address to be compliant:
- Specific and Unbundled Consent
- Bulk Email Re-Consent
- Data Portability
- Right to Erasure (aka Right to be Forgotten)
- Breach Notification Policy
- Supporting Documentation
Enabling GDPR Functionality
Please note that certain GDPR features must be enabled in order to be seen and used within RepairShopr. To enable, please go to Admin > GDPR Center > and check-mark the box "Enable GDPR Functionality."
Specific and Unbundled Consent
You cannot default any "opt-in" fields for consent to market to "consent". If you want to store someone's information for general processing of their data, you should ask for that. If you also want to market to them, you need to separately (unbundled) ask them to opt-in to that.
To reliably track consent in RepairShopr, we have provided a few new features.
Initial Setup & Creating a Customer
First, you can now head to the GDPR Center in the Administration section and configure your consent messaging. We have provided some sample text so you have an idea of what belongs in this message.
After you have that configured, you might notice the three new fields on the "New Customer" screen, where the old "opt-in" checkboxes were.
If you don't check the first box which says you have their consent to at least store their information for normal business processes, the form won't be valid to continue.
If you do check any of these boxes and continue, a "Consent" record is stored in the database permanently for your future reference. The consent record will store the date and time, the communication method note you provide (ex; "verbally consented"), and a copy of the actual text they agreed to. To be reminded of the exact text you want them to agree to, you can hover over each field and the consent text you put in the prior step will pop up.
Modifying a Consent
You can also modify a consent in the event that a Customer contacts you and says they want to change their mind about a consent. To adjust a consent, head to the Customer Detail screen and look for the new "GDPR" button. (This requires a new permission, only global admins have this by defualt.)
Consent Tracking Section:
The Consent Tracking Section will show opt-in and opt-out history, the source (where from, also the tech that performed the action if applicable), the wording they agreed to, and a time stamp when the customer agreed to it.
IMPORTANT NOTE: When modifying Consent you must select options for all 3 as they will update when you click Update.
Modifying in Bulk
In case you've already been collecting consent outside of RepairShopr, or you are importing Customers that have consented elsewhere, we've provided a bulk consent tool. This tool is in Admin -> GDPR Center. It allows you to mass-update each type of consent for all Customers in the database.
Best Practice: We recommend sending out your GDPR Consent Campaign first, then after it has been sent, head to the bulk consent and opt-out your database. That way, only the customers that provide consent from the email campaign will continue to receive your marketing and those that don't are opt-out correctly.
Self-Service Modifying via the Portal
Your Customers can use the Portal to manage their communication settings. They will have a new link in the upper right-hand corner of the Portal which will take them to a page where they can manage their Privacy Settings - Data and Communication Settings.
Bulk Email Consent Request
We placed a GDPR Consent Template that can be used to seek consent from all of your customers. Head to the Marketr Tab and scroll down to the templates. You will see the GDPR Template in the top row.
There is a new tag that can be used for your customers to quickly give consent in one click!
A person should be able to get a "portable" (machine-readable format) copy of the personal data you're storing about them whenever they desire.
We enable that in the Customer Portal. They can click into the Portal, click "Privacy Settings" in the upper right-hand corner, and click to "request data." You can also easily do this for them by clicking the "Online profile" link from the Customer Detail screen and clicking the "request data" button.
Right to Erasure
A person should be able to request their personal information be erased from your systems. You should know exactly where it's being stored and be able to comply with their request. There are some big exceptions to this rule for what the language calls "future legal defense" and also "where deleting the data would conflict with any other legislation." More on this later.
You should read up on this requirement of GDPR to see if/when you need to actually process an erasure. It seems there are possibly reasons you would want to decline, but in the event you want to process this for them we give you these tools.
First, in the Customer Portal they can click "Erase Me" and it will NOT actually erase them, but it will send you a request via a Ticket so you can choose how to process it.
Second, on the Customer Detail screen, when you click to "GDPR", you get some controls on the page that are dynamic, based on what data is present on this Customer.
If it's just an empty Customer, with no Tickets or Invoices, there will be a button allowing you to delete them and do an actual "Purge" - this is completely irreversible.
If this Customer has any Tickets or Invoices, the button will change to "Soft Delete - Keep financial records due to other record keeping rules." This will "erase" them in many functional ways, but the Ticket/Invoice data will still be in the system and discoverable. They will not be able to receive emails in this state, and will not be present in Customer CSV Exports, so you won't accidentally contact them in the future.
At the bottom of this image:
Breach Notification Policy
You are required to report a breach once discovered within no more than 72 hours except where the notification could result in a risk to rights or freedoms to others. There are requirements to what that notification includes and you can easily write something up based on the legislation text found here.
We don't provide a tool for this, but if RepairShopr is breached you can be sure we will report to you per the GDPR rules. We can't offer specific legal advice here but you may want to have a policy ready that says how you will respond to a breach. We feel it's a little unclear if every small business needs to build all these policies.
If you store personal information in online systems you should maintain a list of them for others to see and understand where their data is. American companies that store data are registering with PrivacyShield.org.
RepairShopr will publish a list of relevant hosts and services online here, you may refer your Customers to this or create your own pages. We are not 100% clear what would make you compliant in this regard.
- U.S. Department of Commerce Privacy Shield Website: https://www.privacyshield.gov/welcome.
- Directive 95/46/EC: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=LEGISSUM:l14012.
- General Data Protection Regulation (GDPR): http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
- The International Association of Privacy Professionals: https://iapp.org.
- United Kingdom Information Commissioner’s Office’s “Preparing for the GDPR”: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.