GDPR is European data protection law that came into force on Friday, 25th May, 2018. It affects all businesses (both inside and outside of Europe) that capture identifiable information about individuals via their websites and mobile apps when accessed by listeners in the European Economic Area (EEA).
Our role in the relationship between listeners and your organisation is that of a "Data Processor". This means that our responsibilities lie directly with you, our customer, in terms of legal responsibilities for storing listener data. You are directly responsible for the legal implications of GDPR and data privacy by ensuring your use of the tools that we provide to manage the stored data is compliant.
Aiir completed a comprehensive review of our systems and services with an independent legal team to ensure that what we offer allows your business to be fully compliant with the new legislation. It lead to a number of small changes in 2018 to the tools we offer to assist in your ability to reach GDPR compliance and in addition we wish to draw your attention to a few areas of our service which you should carefully review:
As the primary route for users to submit data to your organisation, the following changes were made as part of our review:
- A new expiry feature has been added to each form, where you can define the amount of time a submission can be held before it is automatically deleted.
- The information provided when setting personal data fields has been updated to make it clearer that fields should only be marked as required when absolutely necessary for your intended purpose.
A new area of Aiir, Data Control, is now available via the Admin section. This is the hub for managing listener data. This area is only accessible to Aiir users that are identified as Data Controllers by an organisation owner.
You can access this by going to the main menu, then Admin, and then scrolling to the Data Controller section.
Within Data Control is a section where you can perform Forget Me administration, a requirement of GDPR where you will be required to delete all identifiable information about them you hold on request. These requests can come in two ways:
- When logged in to your website's listener club, in the account management area is a new option for Forget Me. Actioning this will add a request to the Data Control area of the site. You will be required to manually complete the deletion process as there may be unexpected relationship issues with the deletion of data and other activity on your website (for example, competition entries). We have left the control in your hands to ensure that no automatic process creates complications at a later stage.
- Via a contact form, email, phone or any other valid form of communication with your organisation. This will require your nominated Data Controller to go to the Forget Me section and start the process by entering identifying information as supplied by the person requesting to be forgotten.
We recommend linking to the listener-facing ‘Forget Me’ page somewhere easily discoverable and relevant on your site, for example the listener club homepage. This ensures listeners are aware you offer this option and theoretically reduces the time spent on administration of incoming requests via other methods such as email, telephone or post.
In the Direct Marketing section we added an option to send a new email to all subscribed listeners to re-confirm their consent to continue receiving marketing communications.
We advise you to seek legal advice on your specific requirement to complete this task with regard to GDPR.
If you do decide to send an email, example copy is provided under the GDPR tab which you are able to customise. You should be aware that this communication must not be determinable as a marketing message, so ensure any additional content you do add is only in the interest of clear identification of your station or organisation - not advertising.
The listener club signup form does not enforce a consent check, which is compliant as long as your introductory text for signup clearly states that, as part of being a listener club member, you will receive marketing emails (and, ideally, discuss the frequency). This copy is up to you to word and ensure meets the requirements. It is entered in the Listener Club area, under the Settings tab, in the Sign Up Top Content panel.
The following changes were made to Studio Inbox:
- The amount of time we continue to store SMS messages received to your station's short code is now configurable, so you can reflect your own storage requirements.
- We've added an option to configure the visibility of full phone numbers on incoming messages.
- The existing SMS log reports (which are currently accessible from a Studio Inbox workspace) moved to the new Data Control section, accessible only by Data Controller users.
These settings and reports can be accessed by going to the Studio Inbox tab within Data Control.
Our ability to access your listener's data
Unless we have a specific technical reason to access your listener's data held within our databases, it should not be visible to Aiir staff.
Our team no longer have the ability to access listener club databases or the personal data attributes of form data submissions. If you contact us with a support enquiry, and your enquiry requires us to access this data, we will direct you to a form which you can submit which grants our team a temporary permit to have this access. The permit automatically expires.
An exception to this is for our engineering team who have access to our database servers, but access is strictly only available to staff who absolutely require it and is only used for system admin purposes.
During our review Vouchers was noted as a potential area of risk but deemed as being compliant. We hold on to identifiable information as part of legal requirements to store customers details as part of financial transactions, which is a justifiable reason for holding the data on file. It is never merged in to the database for marketing.
As part of our GDPR review, we updated our terms: https://aiir.com/terms-and-privacy/
Our updated policy explains your rights under this new law and became effective 23 May 2018. By continuing to use our website, platform and apps after this date, you agree to these updated terms.