The GDPR regulations define your responsibility to data protection based on whether you're a Data controller or Data processor.
A data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed.
In the context of you using Bookwhen to schedule events and take attendee information - you are the data controller.
As a business, it's your responsibility to inform yourself of the requirements, but Bookwhen will providing some key tools to help you comply before the May 26th deadline:
- A top level checklist of actions and procedures to have in place, including links to free resources to help with learning about the regulations.
- The ability for you to easily run reports on data held against an individual (via the upcoming customer dashboard).
- The ability for you to delete data customer data on their request. Data cannot be held for longer than is necessary, so we'll also give you the ability to automatically delete customer data (e.g. if an attendee has not booked with you for the last 8 months).
- A help article on how to set up your booking form to obtain explicit consent from customers to collect their data.
A data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).
As the business that facilitates your collecting of data, Bookwhen is the data processor.
This means we must take all reasonable action to ensure the security of the data we process for you.
Bookwhen does also act as a Data controller in terms of the data we hold against you as a customer of Bookwhen. We're currently in the process of updating our privacy policies (which you'll be invited to review and consent to in the near future) and we're reviewing internal procedures and protocols to ensure full compliance.