Introduction
The GDPR brings in sweeping changes to data privacy requirements for anyone processing personal data about EU (including UK) residents. Encapto 3.0 will introduce a range of technical measures which enable our clients to easily comply with the GDPR as a Data Controller.
Detailed information about the GDPR, outlining the key terms and issues as they affect Encapto clients, is provided in our GDPR White Paper.
An additional Data Privacy guide will be released with the rollout of Encapto 3.0 which will provide step by step information on how Encapto clients can use platform features to meet and exceed their GDPR data privacy responsibilities.
In the mean time, this guide outlines an interim solution for any Encapto client processing personal information in the EU. If you are currently collecting personal data about your end users, including names, addresses, email addresses, phone numbers, then we recommend that you implement the changes suggested in this document immediately.
Providing GDPR Compliant Terms Documents
Perhaps the most important element of Encapto in enabling GDPR compliance is our wholly customisable Terms of Use documents. These can be used to fulfil GDPR requirements to inform end users about who is processing their personal data and of their rights in relation to that processing.
Encapto Terms of Use can be applied to the two key mechanisms within Encapto which enable the collection of personal data: Surveys and Authentication Methods. For general information on creating Terms documents, pelase refer to Encapto’s Managing Terms of Use Guide.
Items to Include in a GDPR Compliant Terms of Use
Terms of Use documents may also have other uses (such as outlining responsibiliteis associated with the use of a WiFi hotspot) but where personal data are collected, they should also include the following:
-
The identity and contact details of the Controller;
-
The contact details of your Data Protection Officer, where applicable;
-
The purposes of the collection – including, if applicable, its combination with other data;
-
The recipients of the personal data, if any;
-
The period for which personal data will be stored;
-
The existence of rights of access, rectification, erasure, restriction of processing, objection, and portability;
-
The legal basis for collection;
-
The right to withdraw consent (if this is the basis of collection); and
-
The right to lodge a complaint with the relevant supervisory authority.
Formatting your Terms of Use for Privacy
The information provided in your Terms of Use should be provided in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’. To achieve this end, we suggest you:
-
Use the text styling features of the Encapto Terms of Use feature to clearly identify key aspects of the information provided;
-
Separate out information related to the data collection itself, data privacy contacts, and the data subjects rights;
-
Use the inline option which forces users to scroll through Terms of Use when applied to a hotspot.
The below sample Terms of Use for Privacy provides an example as to how Terms of use may be structured to ensure the data subject is fully informed about issues surrounding processing of personal data. Note It is only an example and should be adapted to the particular circumstances of your data collection activities.
Gaining Consent with an Encapto Terms document
There are several legal bases on which an Encapto user may collect and process end user personal data. If you are collecting the information because it is necessary to keep a record of a transaction (usually through a payment gateway Authentication Method), then that basis will be that the processing is necessary for the performance of a contract.
Usually, however, personal data collected via Encapto will be used for marketing purposes and in this case, the legal basis for collection will be that you have gained the consent of the data subject.
Encapto will use Terms to Document to gain this consent. The Consent Terms document can be added to any Authentication Method that might be used to collect personal data.
For general information on how to create Terms Documents, see the latest Managing Terms Documents Guide.
Creating a Consent Terms document
The process below describes creating a terms document to gain explicit consent from end users. Note It is only an example and should be adapted to the particular circumstances of your data collection activities.
-
Clearly label and tag the Terms document for retrieval should it be required. The GDPR stipulates that you must be able to show that consent was given for the data processing.
-
Allocate a Consent Terms document to each authentication method that will collect personal data.
To access Terms documents, logon to the Encapto WiFi Cloud Deck account.
-
Click Terms documents under ASSET LIBRARY.
-
Click the +New button to add a new Terms documents document.
-
Give the Terms a Name (for admin purposes – will not appear on the Portal).
-
Search and select an existing tag or press enter to create a new tag to help you locate the Terms documents later (optional).
-
Add Description if required (optional).
-
Create.
-
Navigate to Content tab in the newly created Terms document and click Edit.
-
Enter the consent in few words as this will display on the wifi portal next to a check box for user to check (figure 4 below). i.e. I understand and accept the Privacy Terms and conditions and consent to my information being used as above.
-
Click Save.
Below is the end user view of the consent document on the portal, when they connected to a privacy enabled wifi hotspot.
Enable Privacy in an authentication method and Surveys.
Encapto 3.0 comes with a host of tools that both further streamline the provision of information and gaining of consent, and allow the end user to access, rectify, withdraw consent on, and erase personal data held about themselves.
Encapto 3.0 has both a self-service portal, that when enabled allows end users to securely login and manage their personal data, It also has a Cloud Deck user view enabling our clients to manage personal data on their end-user’s behalf.
Prior to Encapto 3.0, your GDPR Data Protection Officer should be prepared to accept requests from end-users wishing to access and control their data – including that collected via Encapto. Encapto will comply with reasonable GDPR access and rectification requests at no cost to you.
Assign Privacy terms document and Consent document to an auth method.
To Assign Privacy terms document and Consent document, logon to the Encapto WiFi Cloud Deck account.
-
Click Authentication under VISITOR JOURNEYS.
-
Select the specific authentication method to enable privacy.
-
Navigate to Privacy tab.
-
Click Change in the TERMS OF USE FOR PRIVACY section and select the Privacy Terms document from the list and click Assign (created in Section 2.2 above).
-
Click Change in the CONSENT section and select the Consent Terms document from the list and click Assign (created in Section 2.3.1 above).
Below is the end user view of the Privacy terms document and the Consent document on the portal, when they connected to a privacy enabled wifi hotspot.
Privacy Tools for End users.
This will allow end users to view sessions information, anonymise/delete session data. To change privacy tool settings, logon to the Encapto WiFi Cloud Deck account.
-
Navigate to Privacy tab in a specific authentication method (as described in section 3.1).
-
Click Change button in the PRIVACY TOOLS FOR END USERS section.
In the pop-up window. -
View session information.
-
Allows end users to be able to view information that has been collected about their sessions.
-
Allow end users to either delete or anonymise their session information.
-
Allows end users to be able to withdraw consent on how their data is used.
-
-
Automatic annoymisation. This setting enables session data to be automatically anonymised or deleted after a certain amount of time has passed.
-
Enable session data to be automatically anonymized or delete after a certain amount of time has passed.
-
Enter the number to days/weeks to anonymise/delete data after.
-
For assigning Terms of use for privacy, Consent document and Privacy tool for end users in a Survey follow the same steps as authentication method which described above in Section 3.1 and Section 3.2.
Below is the privacy tab in an Encapto survey which is identical to the privacy tab in an Authentication method.
Enable the hotspot Privacy
Once authentication method’s or survey privacy enabled as Section 3 above, the last step will be to enable privacy for the specific hotspot using privacy tags.
Encapto uses privacy tags to enable privacy to a certain hotspot. Privacy enabled authentication method and/or Survey must assigned to the hotspot.
Privacy documents, consent and privacy tools will not be visible to end users without adding privacy tag (enable hotspot privacy) to the hotspot.
How to add privacy tags to a hotspot.
Navigate to the hotspot which needs to enable privacy;
-
Click Edit details.
-
Enter the tag (text) and hit enter to add the new tag. Default tag will be a standard tag.
-
Click the edit icon to edit the new tag. This will open a new window for tag settings.
-
Change the tag type to privacy.
-
Click save.
-
Now you will see the privacy tag in yellow colour.
-
Click save.
Now that you have enabled the privacy in this hotspot, end users will see the privacy options in the portal.
Data Subject User Journey
When the user connects to a privcy enabled hotspot,
-
In Privacy enabled Survey - At the bottom of a survey the user is presented with an option to view and manage their privacy information either by clicking the link, Or entering an email address to receive the link via email.
-
Privacy terms document and Consent.
- View and manage end user’s privacy information.
-
- Privacy enabled Authentication method - At the bottom of a ‘Get online’ pop-up the user is presented with an option to view and manage their privacy information either by clicking the link or entering an email address to receive the link via email.
-
Privacy terms document and Consent.
-
View and manage end user’s privacy information.
-
-
Clicking the privacy information link takes the user to a page where they can request a one time login code and then login to view and manage the data that has been collected about them.
-
Once the user logs in they are presented with a page where they can view and manage the login and social data, survey data, and consent data that has been collected about them.
-
Clicking the manage button on the blue Login and social data widget presents the user with a screen which lists the details of the login and social data that was collected about them. Here, the user has the option to click the Remove my data button to remove the user’s stored login and social data. Clicking the View consent button shows the user the terms they consented to.
-
Clicking the manage button on the purple Survey data widget presents the user with a screen which lists the details of the survey (data enterd by user). Here, the user has the option to click the Remove my data button to remove the user’s stored survey data.
-
Clicking the view button on the survey presents the user with a screen which lists the data entered into the selected survey. Here, the user also has the option to click the Remove my data button to remove the user’s stored survey data.
-
Clicking the manage button on the pink Consent widget presents the user with a screen which lists the details of the consent data that was collected about the user.
-
Clicking the view button on the consent presents the user with a screen that shows the terms that the user consented to. Here, the user can withdraw their constent by clicking the Withdraw consent button.