You’ve probably heard of the General Data Protection Regulation (GDPR) by now, and might have a few questions about how to prepare for it. Here’s what we know about how it might affect Appointy and our users.
This article is provided as a resource, but does not constitute legal advice. We encourage you to speak to a legal practitioner in your area to learn how the GDPR may affect your organization.
What and Who
The GDPR is a European Union (EU) privacy law that will affect businesses around the world when it becomes enforceable on May 25, 2018. It regulates how any organization treats or uses the personal data of EU citizens, including organizations located outside of the EU.
Personal data is any piece of data that, used alone or with other data, could identify a person.
If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you'll need to comply with the GDPR.
The GDPR will replace an older directive on data privacy, Directive 95/46/EC, and it introduces a few important changes that may affect Appointy users.
About Consent
You need to have a legal basis, like consent, to process an EU citizen's personal data. Under the GDPR, you may use another legal basis for processing personal data, but we expect the majority of Appointy users will rely on consent. This consent must be explicit and verifiable.
Verifiable consent requires a written record of when and how someone agreed to let you process their personal data. All Appointy forms, regardless of opt-in method, collect the email address, Name, and timestamp associated with everyone who books a time.
Explicit consent requires that each contact takes an action to consent, so the consent can't be implied for a data-processing function, you might need to prove that the consent you've acquired is explicit and free. In-fact the the language you use has to state all the ways you could possibly use the personal data you collect.
For an Appointy user, this could mean, for example, that a contact agrees to let you do any or all of the following.
- Transfer their contact information to Appointy
- Store their contact information in your Appointy account
- Provide agreed upon services, and bill to the information that you hold og them, in your Appointy account
- Track Appointment statuses for reporting purposes
About Individual Rights
The GDPR also outlines the rights of individuals around their personal data. EU citizens will have the right to ask for details about the way you use their personal data and can ask you to do certain things with that data.
You should be prepared to support people's requests to have personal data corrected or completed, transferred to another organization, prohibited for certain uses, or removed completely—all in a timely manner.
You should also be able to tell someone how their personal data is being stored, and what you're using it for. If they ask, you'll also have to share the personal data you hold on an individual, or offer a way for them to access it.
What can I do?
As far as your own compliance efforts are concerned, try to collect as less personal data as possible. Only collect and process the information that is necessary for you to provide your services.
Be prepared to update your Terms Of Service and Privacy Policies, which would become applicable to your customers.
If you rely on integrations to process customers' personal data, You should also review the terms associated with any Appointy add-ons or third-party integrations you use.
Another good way to prepare for the GDPR is simply to educate yourself. We want to help our users prepare for the change, but the GDPR's provisions could affect your business outside of how you use Appointy. Here are some additional resources.
What is Appointy doing to prepare?
We've been researching the GDPR and modifying many of our internal practices and policies over the last year, because we are committed to achieving compliance with the GDPR in 2018. For example, we're in the process of updating our Data Processing Agreement and third-party vendor contracts to meet the GDPR's requirements.
We would be updating some of the functions and features in Appointy in the month of March 2018, which would enable our users to fully comply with GDPR, and make consent-taking process much easier and manageable.
We're also assessing the impact of the GDPR on Appointy's tools to see if we can make them more practical for users who are subject to the GDPR.
As further guidance is released and our research progresses, we'll continue to look for ways we can help our users around the world get ready for the GDPR.