GDPR is European data protection law that came into force on Friday, 25th May, 2018. It affects all businesses (both inside and outside of Europe) that capture identifiable information about individuals via their websites and mobile apps when accessed by listeners in the European Economic Area (EEA).
Our role in the relationship between listeners and your organisation is that of a "Data Processor". This means that our responsibilities lie directly with you, our customer, in terms of legal responsibilities for storing listener data. You are directly responsible for the legal implications of GDPR and data privacy by ensuring your use of the tools that we provide to manage the stored data is compliant.
Aiir completed a comprehensive review of our systems and services with an independent legal team to ensure that what we offer allows your business to be fully compliant with the new legislation. It led to a number of small changes to the tools we offer to assist you in reaching GDPR compliance. In addition, we wish to draw your attention to a few areas of our service which you should carefully review:
Forms are the primary route for users to submit data to your organisation, and the following changes were made to them as part of our review:
- A new expiry feature has been added to each form, where you can define the amount of time a submission can be held before it is automatically deleted.
- The information provided when setting personal data fields has been updated to make it clearer that fields should only be marked as required when absolutely necessary for your intended purpose.
A new area of Aiir, Data Control, is now available. This is the hub for managing listener data. This area is only accessible to Aiir users that are identified as Data Controllers by the organisation's Super Administrator.
You can access this area from the App Drawer (accessed by clicking the nine squares icon beside the Aiir logo at the top left of most screens). In the grey panel is a new option Data Control.
Within Data Control is a section where you can perform Forget Me administration. GDPR requires you to delete, on request, all identifiable information you hold about an individual. These requests can come in two ways:
- When logged in to your website's listener club, in the account management area is a new option for Forget Me. Actioning this will add a request to the Data Control area of the site. You will be required to manually complete the deletion process as there may be unexpected relationship issues with the deletion of data and other activity on your website (for example, competition entries). We have left the control in your hands to ensure that no automatic process creates complications at a later stage.
- Via a contact form, email, phone or any other valid form of communication with your organisation. This will require your nominated Data Controller to go to the Forget Me section and start the process by entering identifying information as supplied by the person requesting to be forgotten.
We recommend linking to the listener-facing ‘Forget Me’ page somewhere easily discoverable and relevant on your site, for example the listener club homepage. This ensures listeners are aware you offer this option and theoretically reduces the time spent on administration of incoming requests via other methods such as email, telephone or post.
In the Direct Marketing section we have added an option to send a new email to all subscribed listeners to re-confirm their consent to continue receiving marketing communications.
We advise you to seek legal advice on your specific requirement to complete this task with regard to GDPR.
If you do decide to send an email, example copy is provided under the GDPR tab which you are able to customise. You should be aware that this communication must not be identifiable as a marketing message, so ensure any additional content you do add is only in the interest of clear identification of your station or organisation - not advertising.
The listener club signup form does not enforce a consent check, which is compliant as long as your introductory text for signup clearly states that, as part of being a listener club member, you will receive marketing emails (and, ideally, discuss the frequency). This copy is up to you to word and ensure meets the requirements. It is entered in the Listener Club area, under the Settings tab, in the Sign Up Top Content panel.
The following changes have been made to Studio Inbox:
- The amount of time we continue to store SMS messages received to your station's short code is now configurable, so you can reflect your own storage requirements.
- We've added an option to configure the visibility of full phone numbers on incoming messages.
- The existing SMS log reports (which are currently accessible from a Studio Inbox workspace) are moving to a new location, accessible only by Data Controller users.
These settings and reports can be accessed by going to the Studio Inbox tab within Data Control.
We will be adding two additional functions to Direct Marketing in the coming months:
- Subscription status reminder: allows you to set up an email that will be sent to all current members at a frequency of your choosing. This email is intended to remind all subscribed members of their subscription status and provide details on how they can unsubscribe or delete their account. You will be required to produce your own copy for this mail out.
- Inactive listener prompt: emails listeners who have not interacted with your site within a defined threshold amount of time and asks if they wish to remain subscribed. Failure to respond within your defined response window will unsubscribe that user from your database.
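The form expiry described earlier and the planned inactive-listener prompt are both time-window rules applied to stored personal data: a record is deleted, or a subscription ended, once a configured period has elapsed against a clock. The following is an added Python sketch, not Aiir's code, showing how such a retention sweep can be written so it is deterministic and testable. The data classes, field names, thresholds and sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "current time" so the constructed sample below is deterministic.
NOW = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Submission:
    """One form submission with the form's configured retention period (assumed shape)."""
    form: str
    submitted_at: datetime
    retain_for: timedelta


@dataclass
class Member:
    """A listener club member tracked for the inactive-listener prompt (assumed shape)."""
    email: str
    last_active: datetime
    prompted_at: Optional[datetime] = None  # when the prompt email was sent
    responded: bool = False
    subscribed: bool = True


def purge_expired(submissions, now=NOW):
    """Split submissions into (kept, deleted) by each form's own expiry."""
    kept, deleted = [], []
    for s in submissions:
        (deleted if now - s.submitted_at >= s.retain_for else kept).append(s)
    return kept, deleted


def sweep_inactive(members, inactivity, response_window, now=NOW):
    """Prompt members idle for `inactivity`; unsubscribe those who were
    prompted and did not respond within `response_window`.
    Mutates members in place; returns (prompted_emails, unsubscribed_emails)."""
    prompted, unsubscribed = [], []
    for m in members:
        if not m.subscribed:
            continue
        if m.prompted_at is None:
            if now - m.last_active >= inactivity:
                m.prompted_at = now
                prompted.append(m.email)
        elif m.responded:
            # A response counts as activity: reset so the cycle can start again.
            m.last_active, m.prompted_at, m.responded = now, None, False
        elif now - m.prompted_at >= response_window:
            m.subscribed = False
            unsubscribed.append(m.email)
    return prompted, unsubscribed


def run_demo():
    # Constructed sample data (not real listener records).
    subs = [
        Submission("competition", NOW - timedelta(days=40), timedelta(days=30)),
        Submission("competition", NOW - timedelta(days=10), timedelta(days=30)),
        Submission("contact", NOW - timedelta(days=100), timedelta(days=90)),
    ]
    kept, deleted = purge_expired(subs)

    members = [
        Member("idle@example.com", NOW - timedelta(days=400)),
        Member("active@example.com", NOW - timedelta(days=5)),
        Member("silent@example.com", NOW - timedelta(days=500),
               prompted_at=NOW - timedelta(days=40)),
        Member("replied@example.com", NOW - timedelta(days=500),
               prompted_at=NOW - timedelta(days=40), responded=True),
    ]
    prompted, unsubscribed = sweep_inactive(
        members, inactivity=timedelta(days=365), response_window=timedelta(days=30))
    return {
        "kept": [s.form for s in kept],
        "deleted": len(deleted),
        "prompted": prompted,
        "unsubscribed": unsubscribed,
        "still_subscribed": [m.email for m in members if m.subscribed],
    }


if __name__ == "__main__":
    print(run_demo())
```

Passing `now` explicitly rather than calling the system clock inside the functions is what makes the retention rules auditable: the same records and the same timestamp always produce the same deletions, which is useful evidence when you need to show what your configured expiry actually did.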
Our ability to access your listeners' data
Unless we have a specific technical reason to access your listeners' data held within our databases, it should not be visible to Aiir staff.
We will soon be removing our staff's ability to access listener club databases and form data capture by default. If you open a support ticket that directly relates to these areas, which requires us to see this data, we will have the option to add a permission request to the thread which, once approved by you, gives us a fixed period of time to view and resolve the issue before relinquishing access again.
During our review, Vouchers was noted as a potential area of risk but deemed to be compliant. We hold on to identifiable information to meet the legal requirement to store customers' details as part of financial transactions, which is a justifiable reason for holding the data on file. It is never merged into the database for marketing.
As part of our GDPR review, we have updated our terms: https://www.aiir.com/terms-and-privacy/
Our updated policy explains your rights under this new law and became effective 23 May 2018. By continuing to use our website, platform and apps after this date, you agree to these updated terms.