In the language of the GDPR, you are the ‘data controller’ of your customer information processed using Giggio; and Giggio acts as your ‘data processor’. GDPR says that certain specific obligations need to be imposed upon data processors by data controllers, and these have to be in a contract between them. That obligation falls on you as a data controller.
We at Giggio want to make sure that you meet that obligation, and we want to make it easy. That’s why we’ve put together a Data Processing Terms addendum to our Terms of Use. It forms part of the contract between you and us and captures the various requirements of Article 28 in GDPR for contracts between controllers and processors.
For example:
- It makes it clear that we will only process the data on your behalf and not for our own purposes;
- It requires us to notify you of any new subcontractors we appoint, in order that you can raise objections to them and cease using Giggio if we can’t overcome them;
- It obliges us to provide you with information to confirm that we are meeting our obligations as a data processor.
Frequently Asked Questions
The following is a set of responses to questions we have been asked about the effect of GDPR on Giggio users. It’s not intended to be legal advice but general information – you should check the specifics of your own business’ obligations with your legal adviser.
The Information Commissioner’s Office is the UK’s data protection regulator, and it has produced a useful guide for small businesses and their obligations under GDPR – see here.
The ICO also operates an advice line for small businesses – see here for more details.
Not unless you want to. It can be useful to keep hold of a customer’s personal details in respect of an event. You might want to refer to it if the customer enquires again, so you can see where the event was and what they paid. That’s fine – as long as the period you keep it for is no longer than necessary for those purposes, and you are transparent about it with your customers (for example, you might include reference to it in your Privacy Policy).
The period you keep it for could be set by you with reference to the life-cycle of customers for your business. If a significant proportion of your customers ‘come back’ at any time up to 18 months after the initial engagement, you’d document your rationale for keeping customer data for 18 months. It’s important to go through that thought-process and document it, in case the ICO asks you to account for it.
It’s worth remembering that ‘dead’ data is a liability, not an asset. There’s little point in keeping data on a customer which isn’t going to come back. But, given the obligations in GDPR around technical security and notifying the regulator and affected customers about breaches, there’s every incentive to delete personal data as soon as you consider the customer is no longer likely to re-book.
You should ensure that you include a reference to your retention period in a Privacy Policy which should be made available for customers to view when they are giving you their information (e.g. when making an enquiry or a booking).
Customer data can be kept for as long as you need it to ‘power’ the purposes you use it for, as disclosed to your customer when you collected their information (e.g. in your Privacy Policy which should be available on your website).
How long you keep it for depends on what those purposes are, and any accounting, tax or regulatory requirements. For example, many people retain details of orders they have taken for a period of 6 years in order to evidence their income for tax purposes.
The GDPR emphasises that data should only be retained in so far as it is necessary to power these purposes.
So, if you don’t need to retain aspects of the customer data for the purposes of your tax records (for example, specific requirements of the customer regarding the entertainment to be provided) then you won’t be able to keep it for six years. You’ll only be able to keep it for as long as is needed to power the other purposes you disclose to the customer.
If you want to use a customer’s email address to send them promotional emails, you’ll need to have obtained their consent to do so (unless they are a company or you are able to rely on the ‘soft opt-in’ referred to in the section below). See below, and the ICO guide linked to above, for information about how to get consent that is valid under GDPR.
That consent doesn’t last forever – you must stop sending a customer the emails if they unsubscribe, and after a period which you consider is reasonable. Some marketers say that 1 year is a reasonable amount of time to keep mailing someone without having heard back from them – after that, it’s probably time to refresh their consent and confirm they want to continue hearing from you.
There are two ways to validly send promotional or marketing emails to an individual customer. First (and most reliable) is to get their consent when they give you their contact details (e.g. when making an enquiry or a booking). The GDPR sets some standards for what is considered valid consent. There’s a checklist set out in the Guide linked to above.
Worth noting in particular is the requirement to document the fact that a particular individual has consented to receiving promotional emails. Techniques for doing that include a ‘double opt-in’ which generates an email to the individual requiring a reply. Other businesses employ a ‘timestamp’ mechanism which stores a record of the individual’s having clicked to indicate their consent at a particular date and time on a particular form.
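The two techniques above (double opt-in and a timestamped consent record), together with the one-year refresh point made earlier, can be put into code. The following is an added illustration written for this page, not Giggio’s own code or a description of how Giggio stores anything. It assumes an in-memory store, a 365-day refresh policy, and the constructed sample address and form name `alice@example.com` / `booking-form-v3`; a real deployment would persist the records and actually send the confirmation email.

```python
"""Consent ledger: double opt-in plus a timestamped, evidenced consent record.

Added illustration (not Giggio code). Assumes an in-memory store and a
365-day refresh policy; sample data below is constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class ConsentRecord:
    """Who consented, on which form, and when each step happened."""
    email: str
    form_id: str                                # constructed label, e.g. "booking-form-v3"
    requested_at: datetime                      # when the consent box was ticked
    confirmed_at: Optional[datetime] = None     # when the double opt-in link was used
    withdrawn_at: Optional[datetime] = None     # when the customer unsubscribed
    # Unguessable token carried in the confirmation email; kept out of the evidence export.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(24))


class ConsentLedger:
    def __init__(self, refresh_after: timedelta = timedelta(days=365)):
        # refresh_after: how long confirmed consent is treated as current (assumed policy).
        self.refresh_after = refresh_after
        self._records: Dict[str, ConsentRecord] = {}

    def request(self, email: str, form_id: str, now: datetime) -> str:
        """Record the tick-box click; return the token to embed in the confirmation email."""
        rec = ConsentRecord(email=email.lower(), form_id=form_id, requested_at=now)
        self._records[rec.email] = rec
        return rec.token

    def confirm(self, email: str, token: str, now: datetime) -> bool:
        """Complete the double opt-in. Constant-time compare so the token cannot be probed by timing."""
        rec = self._records.get(email.lower())
        if rec is None or rec.confirmed_at is not None:
            return False
        if not hmac.compare_digest(rec.token, token):
            return False
        rec.confirmed_at = now
        return True

    def withdraw(self, email: str, now: datetime) -> bool:
        """Record an unsubscribe; mailing must stop from this moment."""
        rec = self._records.get(email.lower())
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        return True

    def may_email(self, email: str, now: datetime) -> bool:
        """True only for confirmed, unwithdrawn consent that has not gone stale."""
        rec = self._records.get(email.lower())
        if rec is None or rec.confirmed_at is None or rec.withdrawn_at is not None:
            return False
        return now - rec.confirmed_at <= self.refresh_after

    def evidence(self, email: str) -> Optional[dict]:
        """The record you would show a regulator: who, which form, and when (no token)."""
        rec = self._records.get(email.lower())
        if rec is None:
            return None
        return {
            "email": rec.email,
            "form_id": rec.form_id,
            "requested_at": rec.requested_at.isoformat(),
            "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
            "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
        }


def demo() -> dict:
    """Walk one constructed customer through request, confirm, staleness and withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    token = ledger.request("alice@example.com", "booking-form-v3", t0)
    out = {"before_confirm": ledger.may_email("alice@example.com", t0)}
    out["bad_token"] = ledger.confirm("alice@example.com", "not-the-token", t0 + timedelta(minutes=1))
    out["good_token"] = ledger.confirm("alice@example.com", token, t0 + timedelta(minutes=2))
    out["after_confirm"] = ledger.may_email("alice@example.com", t0 + timedelta(days=30))
    out["after_13_months"] = ledger.may_email("alice@example.com", t0 + timedelta(days=400))
    out["withdrawn"] = ledger.withdraw("alice@example.com", t0 + timedelta(days=31))
    out["after_withdraw"] = ledger.may_email("alice@example.com", t0 + timedelta(days=32))
    out["evidence"] = ledger.evidence("alice@example.com")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The ledger only answers “may I email this person right now?” when there is a confirmed click, no later withdrawal, and the confirmation is younger than the refresh window; the `evidence` export is the documented record the text says you need, and deliberately omits the confirmation token.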
The second way is to employ the so-called ‘soft opt-in’. The "soft opt-in" relates to existing customers. It provides that, where email contact details are obtained in the course of ‘sale or negotiations for the sale’ of a product or service, direct marketing emails may be sent to those email addresses in respect of the sender's similar products and services - provided that the potential recipient is given the means of refusing the use of his contact details in this way (opt-out) at the time the details are collected. Note that this does not apply to people who have just made an enquiry – it only applies to email addresses collected in the course of a booking or negotiations for a booking.
In other words, the soft opt-in allows you to send marketing emails relating to entertainment services to existing or potential customers - but only if you have informed them in advance, during the course of making a booking (or negotiating a booking), that you are proposing to do so and have given them an opportunity to object. The services you promote in the emails must be ‘similar’ to those of the original booking.
The opportunity to opt out will have to be provided when you obtain their email address, and then again in all marketing emails. In practice, this is done by including an "unsubscribe" link or an email address of someone within your business to whom the recipient can communicate their desire not to receive further emails.
Note that there are currently separate rules for emailing a corporate customer. Currently this does not require consent – but that’s likely to change in the next 18 months with the advent of a separate law known as the "E-Privacy Regulation".
The ICO’s guidance around the ‘soft opt-in’ discussed above makes it clear that it doesn’t cover people who get in touch with mere queries – there needs to be a booking, or negotiations to make a booking.
So, if you want to add someone to your list who has merely made an enquiry and not progressed further, you’ll need to obtain their express consent (in line with the GDPR requirements).