GDPR Overview
On 25 May 2018, the General Data Protection Regulation (GDPR) took effect. The GDPR is the European Union’s data privacy law which impacts how companies collect and handle personal data about their European customers.
The Surge Social platform has the tools necessary to comply with the GDPR. However, every business is different, and some companies might need more preparation than others in order to comply. The business managing the WiFi service is responsible for ensuring that the service abides by all laws of the jurisdictions in which it operates or has customers. Any advice given by Surge Social is not legal advice, and we recommend speaking with a lawyer or data protection professional if you have questions about how the GDPR applies to your business.
GDPR Compliance Function
The GDPR Compliance Function is an optional toggle that is part of the Compliance – Opt-In Form. When it is enabled, it makes the guest login process and the data collected GDPR compliant. GDPR Compliance can be enabled in Location or Campaign settings.
To enable GDPR Compliance in Location settings:
1. Click on the Locations tab on the left menu in the Portal
2. Click the Settings gear icon
3. Click Edit Location
4. Click the toggle switch for GDPR Compliance
5. Click the blue Update button
To enable GDPR Compliance in Campaign settings:
1. Click on the Campaigns tab on the left menu in the Portal
2. Click on the Edit Campaign link
3. Click on the Advanced tab
4. Click the toggle switch for Opt-In Form and GDPR Compliance (optionally, edit the Opt-In message)
5. Click the blue Save button
GDPR Compliance Process
Once enabled, the GDPR Compliance Function ensures GDPR Compliance by:
- Performing tokenization of the guest data collected during the Login Process
- If the guest does not complete the Login Process, the tokenized data is discarded after 48 hours, during which time it is not accessible by any other systems
- When the guest successfully completes the Login Process, they are presented with the Opt-In Form, which allows them to confirm their consent (Opt-In)
- If the guest confirms consent (Opt-In), the processes to run Automations on their data are activated and performed
- If the guest does not grant consent (Opt-Out), then a pseudonymized representation of the sensitive guest data points (email, phone number) is saved
- The pseudonymized guest data allows the WiFi platform to continue to perform functionality such as “One Click Welcome Back” and to generate appropriate reports and data aggregations. Because the actual guest data cannot be retrieved from it, it cannot be used for any personally identifiable means or for further communication
- No Automations or Integrations will be processed on guests who have chosen to Opt-Out
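The flow in the list above, as an added sketch that is not Surge Social's code: the page does not say how tokenization or pseudonymization is implemented, so the keyed HMAC-SHA256 scheme, the `GuestStore` class, its method names and the in-memory dictionaries are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PENDING_TTL = 48 * 3600  # the 48-hour window for incomplete logins


def normalize(field, value):
    """Canonicalize so one guest always maps to one pseudonym."""
    value = value.strip()
    if field == "email":
        return value.lower()
    return "".join(c for c in value if c.isdigit() or c == "+")


class GuestStore:  # hypothetical name, not a platform API
    def __init__(self, key):
        self._key = key      # secret HMAC key (assumed scheme)
        self._pending = {}   # token -> (created_at, raw data), kept isolated
        self.guests = {}     # email pseudonym -> stored record

    def pseudonym(self, field, value):
        msg = f"{field}:{normalize(field, value)}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def begin_login(self, data, now):
        token = secrets.token_urlsafe(16)
        self._pending[token] = (now, dict(data))
        return token

    def purge_expired(self, now):
        old = [t for t, (ts, _) in self._pending.items() if now - ts >= PENDING_TTL]
        for t in old:
            del self._pending[t]
        return len(old)

    def complete_login(self, token, opted_in, now):
        self.purge_expired(now)
        _, data = self._pending.pop(token)  # KeyError if unknown or expired
        pid = self.pseudonym("email", data["email"])
        if opted_in:
            record = {"opted_in": True, **data}
        else:  # opt-out: keep only pseudonyms of the sensitive fields
            record = {"opted_in": False,
                      **{f: self.pseudonym(f, v) for f, v in data.items()}}
        self.guests[pid] = record
        return pid

    def welcome_back(self, email):
        return self.pseudonym("email", email) in self.guests

    def automations_allowed(self, pid):
        return self.guests[pid]["opted_in"]
```

In this sketch a returning opted-out guest is still recognised by `welcome_back`, because the same normalized email always yields the same pseudonym under the same key, while the stored record holds no value that can be used to contact them.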
GDPR – Guest Data Dashboard
Guests can request their data records, and request that their records be deleted, by browsing to https://wifi.surgesocial.com/myprofile/index
A link will be sent to the guest’s email address or phone number with access to the guest data dashboard, which contains all data points collected that are associated with that email address or phone number.
Guests can also change the Opt-In state to Opt-Out, which will pseudonymize their sensitive data, prevent any systems from accessing it in the future, and prevent any Automations from running on it in the future. Guests can also delete their data profiles.