In the language of the GDPR, you are the ‘data controller’ of your customer information processed using Giggio, and Giggio acts as your ‘data processor’. The GDPR requires data controllers to impose certain specific obligations on their data processors, and those obligations must be set out in a contract between them. Putting that contract in place falls to you as the data controller.
- It makes it clear that we will only process the data on your behalf and not for our own purposes;
- It requires us to notify you of any new subcontractors we appoint, in order that you can raise objections to them and cease using Giggio if we can’t overcome them;
- It obliges us to provide you with information to confirm that we are meeting our obligations as a data processor.
Frequently Asked Questions
The following is a set of responses to questions we have been asked about the effect of the GDPR on Giggio users. It is general information, not legal advice: check the specifics of your own business’s obligations with your legal adviser.
The Information Commissioner’s Office (ICO) is the UK’s data protection regulator, and it has produced a useful guide for small businesses on their obligations under the GDPR – see here.
Should I delete customer data from calendar applications after an event?
Set the retention period with reference to the life-cycle of customers in your business. If a significant proportion of your customers come back at any time up to 18 months after the initial engagement, document that as your rationale for keeping customer data for 18 months. Going through that thought process and writing it down matters, because the ICO may ask you to account for it.
It is worth remembering that ‘dead’ data is a liability, not an asset. There is little point in keeping data on a customer who is not going to come back, and given the GDPR’s obligations around technical security and around notifying the regulator and affected customers of breaches, every record you hold is one more that can be exposed. Delete personal data as soon as you consider the customer is no longer likely to re-book.
If after a period of time, I delete the data, what data can be kept? e.g. the event venue, the fee etc?
How long you keep it for depends on the purposes you disclosed to the customer when you collected it, and on any accounting, tax or regulatory requirements. For example, many people retain details of the orders they have taken for six years in order to evidence their income for tax purposes.
The GDPR requires that data be retained only for as long as it is necessary for those purposes.
So if you don’t need an aspect of the customer data for your tax records (for example, the customer’s specific requirements for the entertainment to be provided), you can’t keep it for six years on that basis. You may keep it only for as long as it is needed for the other purposes you disclosed to the customer.
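The following Python sketch is an added illustration, not part of Giggio’s FAQ or software: it applies a separate retention period to each field of a booking record according to the purpose the field was collected for, so that the fee, venue and invoice details survive for six years while customer-specific detail is purged much earlier. The field names, the sample booking and the 30-day fulfilment period are assumptions; the 18-month and six-year figures are the ones discussed above.

```python
from datetime import date, timedelta
from typing import Optional

# Retention period per disclosed purpose. The 18-month and six-year figures are
# the ones discussed in the text; the 30-day fulfilment period is an assumption.
RETENTION = {
    "tax_records": timedelta(days=6 * 365),   # evidence of income for tax purposes
    "re_booking": timedelta(days=548),        # roughly 18 months
    "fulfilment": timedelta(days=30),         # only needed to deliver the event
}

# Assumed booking schema: each field is kept for exactly one disclosed purpose.
# A field missing from this map has no disclosed purpose and is never retained.
FIELD_PURPOSE = {
    "invoice_no": "tax_records",
    "event_date": "tax_records",
    "venue": "tax_records",
    "fee": "tax_records",
    "customer_name": "re_booking",
    "customer_email": "re_booking",
    "special_requirements": "fulfilment",
    "contact_phone": "fulfilment",
}

# Constructed sample record; every value here is made up for the example.
SAMPLE_BOOKING = {
    "invoice_no": "INV-0042",
    "event_date": "2018-06-15",
    "venue": "Village Hall, Anytown",
    "fee": "350.00",
    "customer_name": "A. Customer",
    "customer_email": "a.customer@example.com",
    "special_requirements": "No strobe lighting; first dance at 20:30",
    "contact_phone": "+44 7700 900123",
    "marketing_notes": "met at wedding fair",   # no disclosed purpose -> never kept
}


def apply_retention(record: dict, today: date,
                    last_engagement: Optional[date] = None) -> tuple[dict, list[str]]:
    """Return (fields to keep, fields to delete) for one booking record.

    Tax and fulfilment clocks run from the event date. The re-booking clock
    runs from the customer's most recent engagement, so a returning customer's
    contact details are not purged on the strength of their first booking.
    """
    event_date = date.fromisoformat(record["event_date"])
    anchors = {
        "tax_records": event_date,
        "fulfilment": event_date,
        "re_booking": last_engagement or event_date,
    }
    kept, dropped = {}, []
    for name, value in record.items():
        purpose = FIELD_PURPOSE.get(name)
        if purpose is None or today - anchors[purpose] > RETENTION[purpose]:
            dropped.append(name)
        else:
            kept[name] = value
    return kept, sorted(dropped)


def due_for_deletion(record: dict, today: date,
                     last_engagement: Optional[date] = None) -> bool:
    """True once no field of the record has any remaining purpose."""
    kept, _ = apply_retention(record, today, last_engagement)
    return not kept


if __name__ == "__main__":
    for when in (date(2018, 7, 1), date(2020, 6, 1), date(2025, 1, 1)):
        kept, dropped = apply_retention(SAMPLE_BOOKING, when)
        print(when, "keep:", sorted(kept), "delete:", dropped)
```

Run the purge on a schedule and log which fields were removed and why; that log, together with the table above, is the documented rationale the ICO would expect to see.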
If you want to use a customer’s email address to send them promotional emails, you’ll need to have obtained their consent to do so (unless they are a company, or you are able to rely on the ‘soft opt-in’ described below). See below, and the ICO guide linked above, for information about how to obtain consent that is valid under the GDPR.
That consent doesn’t last forever: you must stop sending the emails if the customer unsubscribes, and also after a period you consider reasonable. Some marketers regard one year as a reasonable period to keep mailing someone without having heard back from them; after that, it is probably time to refresh their consent and confirm they still want to hear from you.
Contacting existing clients, and clients that have previously booked. Do I need permission to contact them in the future?
There are two ways to validly send promotional or marketing emails to an individual customer. The first (and most reliable) is to get their consent when they give you their contact details (for example, when making an enquiry or a booking). The GDPR sets standards for what counts as valid consent; there is a checklist in the ICO guide linked above.
Worth noting in particular is the requirement to document the fact that a particular individual has consented to receiving promotional emails. Techniques for doing that include a ‘double opt-in’, which sends an email to the individual and treats consent as given only once they confirm (by replying or by following a confirmation link). Other businesses employ a ‘timestamp’ mechanism, which stores a record of the individual having clicked to indicate their consent at a particular date and time on a particular form.
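The following Python sketch is an added illustration, not part of Giggio’s FAQ or software: it implements a double opt-in confirmation token and an append-only, hash-chained consent log of the ‘timestamp’ kind described just above, and applies the one-year refresh and immediate unsubscribe rules discussed earlier. The signing key, the 48-hour validity of the confirmation link, the form identifiers and the email addresses are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed example values: a real deployment loads the key from a secrets
# manager and rotates it; it is hard-coded only so the block runs offline.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL = 48 * 3600           # confirmation link honoured for 48 hours (assumption)
CONSENT_MAX_AGE = 365 * 86400   # refresh consent after a year of silence (figure from the text)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_confirmation_token(email: str, form_id: str, now: int) -> str:
    """Double opt-in step 1: the token placed in the confirmation email.

    It binds the address, the form the consent was given on and the time,
    and is HMAC-signed so a confirmation cannot be forged or transplanted
    onto a different address.
    """
    claims = {"email": email, "form": form_id, "iat": now, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_confirmation_token(token: str, now: int) -> Optional[dict]:
    """Double opt-in step 2: accept only tokens we signed that have not expired."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if now - claims["iat"] > TOKEN_TTL:
        return None
    return claims


@dataclass(frozen=True)
class ConsentEvent:
    kind: str        # "confirmed" or "withdrawn"
    email: str
    form_id: str     # which form, and therefore which wording, was agreed to
    at: int          # unix time of the click (confirmation or unsubscribe)


class ConsentLog:
    """Append-only record of consent events.

    Each entry is hashed together with the previous entry's hash, so an entry
    that is later edited or removed makes verify_chain() fail. That is the
    property you want when asked to evidence when and how consent was given.
    """

    def __init__(self) -> None:
        self.events: list = []
        self.chain: list = []

    def _append(self, event: ConsentEvent) -> None:
        prev = self.chain[-1] if self.chain else "0" * 64
        body = json.dumps(asdict(event), sort_keys=True)
        self.events.append(event)
        self.chain.append(hashlib.sha256((prev + body).encode()).hexdigest())

    def confirm(self, token: str, now: int) -> bool:
        """Handle the confirmation click; records consent only for a valid token."""
        claims = verify_confirmation_token(token, now)
        if claims is None:
            return False
        self._append(ConsentEvent("confirmed", claims["email"], claims["form"], now))
        return True

    def withdraw(self, email: str, now: int) -> None:
        """Handle the unsubscribe link; takes effect immediately."""
        self._append(ConsentEvent("withdrawn", email, "unsubscribe", now))

    def may_email(self, email: str, now: int) -> bool:
        """True only if the latest event for the address is a confirmation under a year old."""
        latest = next((e for e in reversed(self.events) if e.email == email), None)
        if latest is None or latest.kind != "confirmed":
            return False
        return now - latest.at <= CONSENT_MAX_AGE

    def verify_chain(self) -> bool:
        """Recompute every link; False if any stored event no longer matches its hash."""
        prev = "0" * 64
        for event, digest in zip(self.events, self.chain):
            body = json.dumps(asdict(event), sort_keys=True)
            if hashlib.sha256((prev + body).encode()).hexdigest() != digest:
                return False
            prev = digest
        return len(self.events) == len(self.chain)
```

The token carries no secret, so it is safe to put in a URL; what stops forgery is the HMAC, and what stops a stale link being used months later is the `iat` check. Keep the log itself out of reach of the web front end (write-only from the application, read by an audit role) so the hash chain is worth something.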
The second way is to employ the so-called ‘soft opt-in’, which relates to existing customers. It provides that, where email contact details are obtained in the course of the ‘sale or negotiations for the sale’ of a product or service, direct marketing emails may be sent to those addresses in respect of the sender’s similar products and services, provided that the recipient is given a means of refusing the use of their contact details in this way (an opt-out) at the time the details are collected. Note that this does not apply to people who have merely made an enquiry: it applies only to email addresses collected in the course of a booking or negotiations for a booking.
In other words, the soft opt-in allows you to send marketing emails relating to entertainment services to existing or potential customers - but only if you have informed them in advance, during the course of making a booking (or negotiating a booking), that you are proposing to do so and have given them an opportunity to object. The services you promote in the emails must be ‘similar’ to those of the original booking.
The opportunity to opt out must be provided when you obtain their email address, and then again in every marketing email. In practice, this is done by including an ‘unsubscribe’ link or the email address of someone within your business to whom the recipient can say they no longer wish to receive emails.
Note that there are currently separate rules for emailing a corporate customer. At present this does not require consent, but that is likely to change in the next 18 months with the advent of a separate law known as the ‘E-Privacy Regulation’.
Contacting past enquiries - can I email promotional information to someone that only made an enquiry to use services, but didn’t book?
The ICO’s guidance around the ‘soft opt-in’ discussed above makes it clear that it doesn’t cover people who get in touch with mere queries – there needs to be a booking, or negotiations to make a booking.
So, if you want to add someone to your list who has merely made an enquiry and not progressed further, you’ll need to obtain their express consent (in line with the GDPR requirements).