What's the GDPR all about?
The General Data Protection Regulation (GDPR) is a regulation that empowers the residents of the European Union (EU) by offering better transparency, access, and control of their personal data that is processed by organizations. It means every business is required to be transparent with their audience and collect only the necessary information from them.
This regulation gives ordinary residents of the EU greater control over how and why their data is being collected and how it may be used. Also, the residents have the right to access their own data and even request to delete the information once the need is over.
Businesses are also liable for the safety of their subscribers' information and are subject to penalization for any breaches—not just of the data, but also for any violations of their obligations.
In short, the regulation lists a set of rights for data subjects (people whose data is managed by a business), for which every business must comply.
The three essential roles under GDPR
Under GDPR, the people interacting with Zoho Bookings data generally fall into three categories.
Data Subject: The customers who fill out their personal information to book appointments.
Data Controller: The business (admin) that collects information and offers appointments to customers.
Data Processor: Zoho Bookings processes the collected data on behalf of the controller.
Data Subject Rights and how Zoho Bookings helps you comply
Right to be informed
Right of access by the data subject and right to data portability
Downloadable PDFs of booking summaries are shared with the customers after they make a booking. They can also be sent by configuring email notifications in Zoho Bookings. Our "Customer portal" feature lets registered customers access or modify their personal information whenever they want.
Right to rectification
Guest customers (users who do not log in or sign up) can request the Bookings admin to rectify their information if needed. Customer portal members can update their profile information on their own.
Right to erase and to be forgotten
Data of customers who book appointments without signing up or logging in can be deleted by the admin upon the customer's request. To delete the data of users who book appointments after signing up or logging in, admins can send an email request to Zoho Bookings.
Right to restrict processing and to object to processing
Customers can cancel their appointments to restrict further processing of their data. The data they provide is not processed any further—for example, they won't receive email or sms notifications about their appointments since they have been canceled. Also, the admin can maintain a list of all such users who do not want their data to be processed. This list can be used as a pre-check before notifications are sent to the users.
Best practices regarding data
It is recommended to use the double opt-in method for obtaining consent from your users while collecting data if you rely on consent. There are other lawful bases too—like Legitimate Interest and Performance of Contract—that businesses can rely on. You also need to educate them about why you're collecting their data. Performing an internal audit will help you understand what kind of customer data you already have and what you further need to collect from your users. Mention consent in simple terms, and make sure to obtain separate consent for different purposes. Remember, consent has to be a voluntary affirmative action, so don't use any form of default consent like pre-ticked boxes or filled fields.
Once you collect the necessary data, the way you handle it is crucial. Personal data you collect from your data subjects must be used only for the purposes that you clearly stated when they gave their permission. If you use it for any other inappropriate objectives, you might be penalized for violation of the law.
Periodically review your data to ensure that it's up-to-date. Whenever you make changes to privacy notices, inform your users immediately. Your subjects can restrict the processing of their data when they have any issue with the content you hold or the way you handle it. You must respond to their restriction request and make preparations accordingly.
Data Storage and Access
It's your responsibility to safeguard your users' personal data. In the event of any loss or breach, you might be penalized. Inform your subscribers about where their data is stored, and don't allow any third-party services or unauthorized people to access your stored data at any point in time.
As your engagement is completely mutual in a permission-based approach, you might be required by your applicable laws to allow your users to opt out of your service at any time. Users also have the power to make modifications to their information, so let them access their data and make updates when needed.
Data Erasure and Transfer
You must permit the transfer of their personal data from your system to third-party services when an individual requests it. An individual can also demand the deletion of any personal data that they feel is not being appropriately used by your business. In both the cases of erasure and transfer, you cannot penalize a user who makes this request, and you must promptly respond to their needs by providing immediate arrangements.
It's also important (not mandatory however) to allow users to access their data in a readable format so that they can download their information at any time through password-protected files.
What if you don't comply with the GDPR?
Non-compliance with the GDPR comes with a huge monetary penalty. Sanctions for not complying with the law can be very high—20 Million Euros (€20 million) or 4% of your company's total worldwide annual turnover from the preceding financial year, whichever is higher.
Obviously you can see the importance of complying with the GDPR. Diligently following these data privacy laws also tells your customers you respect the trust they place in you.
Disclaimer: The information presented herein should not be taken as legal advice. We recommend that you seek legal advise on what you need to do to comply with the requirements of GDPR.