WhosOn and
GDPR compliance

The General Data Protection Regulation (GDPR) is a regulation that gives European citizens more control over their personal data. In a nutshell, it extends protection against data breaches, and imposes uniform rules on how companies handle data.

So, what does GDPR mean for WhosOn customers?

Becoming a data controller

A data controller is a person or organisation that determines what, why, and how data can be collected. When you use WhosOn to collect customer data – whether it’s for a support chat, to update a CRM or for prospect detection purposes – you become a data controller.

On the other end of the spectrum are data subjects. A data subject is an individual who can be identified via the information collected about them. That can include everything from name, to location, to online identifier such as an IP address. In a nutshell, the people you track and chat to via WhosOn are data subjects.

Personal data acquisition

When you use WhosOn, there are several touchpoints at which you could be acquiring the personal data of EU consumers. Under the new GDPR regulations, businesses must obtain valid consent or another lawful basis to use – and store – this data. They must also have the ability to handle subject access requests.

The consent of any personal consumer data must be freely given, specific, informed and unambiguous. For WhosOn customers, that means you’ll have to tweak your processes to ensure GDPR compliance.

Potential data touchpoints

WhosOn can be used to acquire data in five main ways. These are:

Pre-chat survey forms

You could be using pre-chat survey forms to gather useful information before a chat begins, including key identifying fields such as name and contact details.

Form field capture

WhosOn can be used to capture the data typed into website form fields – even if the user hasn’t clicked the “submit” button to complete.

Prospect detection

With WhosOn’s prospect detection features, you could be collecting data on your website visitors including name, location and company.

In-chat data exchanges

You might receive important personal information from the consumer during a live chat session, such as their address or telephone number.

Data population

You might be storing WhosOn customer data in your CRM or database, or using it to populate web or sales reports.

What you can do to comply

There are three simple, straightforward steps you can take to ensure GDPR compliance when using WhosOn. These are:

Ensure you have a comprehensive privacy policy set up

Your privacy policy needs to cover key details such as who you are; how, why, and what kind of data you collect; where data is kept; how the consumer can access or remove it; and procedures for processing data. There are lots of helpful resources online to help you get this right.

Ensure that you get agreement to your privacy policy

If you are relying on “consent” you’ll need to get this from the consumer for any personal data that you acquire via WhosOn (and elsewhere). The easiest way to do this on your website is to add a permission checkbox in pre-chat surveys, web forms or in “Terms of Use” displays.

Ensure your data is stored legally

As a data controller who stores personal consumer data, you are responsible for keeping this data safe. If you use the cloud, choose a high security data centre within an EU-approved country. Any data you store internally should be protected by appropriate means, including but not limited to passwords, firewalls, and encryption.

How we store your data

By now you know that your chat data needs to be stored in a secure, GDPR compliant way. For our cloud customers, secure hosting is part of your service.

All EU customer data is stored in state of the art, UK-based Rackspace data centres. For our US customers, data is stored in industry-leading GoGrid data centres. WhosOn also operates under the EU-US Privacy Shield, which is a framework for GDPR adherence.

It’s still up to you to get the chat user’s permission to process their data. But with our best in class cloud hosting, storing that chat data legally and securely is one less thing you have to worry about.

Our data retention policies

So, how long do we retain your chat data in our data centres? Here’s a handy breakdown of what personal information we store via WhosOn, and the length we’ll retain it on your behalf:

Visit data

This is the data related to a single web session, including visit and journey details. It is removed where the last visit date is older than 95 days and it is not the first visit.

Visitors’ records

This is the data of return visitors, building a record of their engagement and site activity. It is removed where the last visit date is older than 95 days.

Page views

These are records of the individual page views by a visitor during a website session. Page views are removed after 35 days.

User log records

This is your internal data related to chat operators, capturing connection and activity records inside the application. It is deleted after 180 days.

DNS records

This contains the visitor’s DNS connection information. It is deleted after 60 days.

Chats transcripts

This is the record of your chat conversations, containing the full transcript of each chat session. Chat transcripts are stored for 7 years as standard.

These data retention policies are fixed as default for our standard cloud users. For customers using a dedicated managed server, they can be adjusted to meet requirements as part of a custom package.

Useful resources

What is GDPR, and what does it mean for the live chat market?

WhosOn and your GDPR options

GDPR — a business blessing in disguise?

[ GDPR white paper ] Five steps to compliance: key considerations for customer service teams

GDPR compliance: a live chat checklist

Updated terms: what it means for you

Need GDPR assistance?

We can help you make sure that your use of WhosOn is fully GDPR compliant. We have security and policy experts in-house, and we’re happy to work with you to ensure that your procedures are watertight. Get in touch to enquire about out GDPR services.