The General Data Protection Regulation (GDPR) is a regulation that gives European citizens more control over their personal data. In a nutshell, it extends protection against data breaches, and imposes uniform rules on how companies handle data.
So, what does GDPR mean for WhosOn customers?
Becoming a data controller
A data controller is a person or organisation that determines what, why, and how data can be collected. When you use WhosOn to collect customer data – whether it’s for a support chat, to update a CRM or for prospect detection purposes – you become a data controller.
On the other end of the spectrum are data subjects. A data subject is an individual who can be identified via the information collected about them. That can include everything from name, to location, to online identifier such as an IP address. In a nutshell, the people you track and chat to via WhosOn are data subjects.
Personal data acquisition
When you use WhosOn, there are several touchpoints at which you could be acquiring the personal data of EU consumers. Under the new GDPR regulations, businesses must obtain valid consent or another lawful basis to use – and store – this data. They must also have the ability to handle subject access requests.
The consent of any personal consumer data must be freely given, specific, informed and unambiguous. For WhosOn customers, that means you’ll have to tweak your processes to ensure GDPR compliance.
Potential data touchpoints
WhosOn can be used to acquire data in five main ways. These are:
You could be using pre-chat survey forms to gather useful information before a chat begins, including key identifying fields such as name and contact details.
WhosOn can be used to capture the data typed into website form fields – even if the user hasn’t clicked the “submit” button to complete.
With WhosOn’s prospect detection features, you could be collecting data on your website visitors including name, location and company.
You might receive important personal information from the consumer during a live chat session, such as their address or telephone number.
You might be storing WhosOn customer data in your CRM or database, or using it to populate web or sales reports.
What you can do to comply
There are three simple, straightforward steps you can take to ensure GDPR compliance when using WhosOn. These are:
As a data controller who stores personal consumer data, you are responsible for keeping this data safe. If you use the cloud, choose a high security data centre within an EU-approved country. Any data you store internally should be protected by appropriate means, including but not limited to passwords, firewalls, and encryption.
How we store your data
By now you know that your chat data needs to be stored in a secure, GDPR compliant way. For our cloud customers, secure hosting is part of your service.
All EU customer data is stored in state of the art, UK-based Rackspace data centres. For our US customers, data is stored in industry-leading GoGrid data centres. WhosOn also operates under the EU-US Privacy Shield, which is a framework for GDPR adherence.
It’s still up to you to get the chat user’s permission to process their data. But with our best in class cloud hosting, storing that chat data legally and securely is one less thing you have to worry about.
Our data retention policies
So, how long do we retain your chat data in our data centres? Here’s a handy breakdown of what personal information we store via WhosOn, and the length we’ll retain it on your behalf:
This is the data related to a single web session, including visit and journey details. It is removed where the last visit date is older than 95 days and it is not the first visit.Visitors’ records
This is the data of return visitors, building a record of their engagement and site activity. It is removed where the last visit date is older than 95 days.Page views
These are records of the individual page views by a visitor during a website session. Page views are removed after 35 days.User log records
This is your internal data related to chat operators, capturing connection and activity records inside the application. It is deleted after 180 days.DNS records
This contains the visitor’s DNS connection information. It is deleted after 60 days.Chats transcripts
This is the record of your chat conversations, containing the full transcript of each chat session. Chat transcripts are stored for 7 years as standard.
These data retention policies are fixed as default for our standard cloud users. For customers using a dedicated managed server, they can be adjusted to meet requirements as part of a custom package.