GDPR Compliance Statement
This statement sets out the operating procedures GetmeetingBooked undertakes to ensure GDPR best practice is observed to the greatest extent possible, at all times.
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection, storage, and processing of personal information from individuals who live in the European Union (EU).
The Information Commissioner’s Office is the UK regulator dealing with the Data Protection Act 2018 and the General Data Protection Regulation and the Privacy and Electronic Communications (EC Directive) Regulations 2003 across the UK.
The ICO are like the data protection police and we need to make sure we always keep on their good side. Our determination to be 100% GDPR and PECR compliance will do exactly that!
It is important to take GDPR compliance very seriously, since the penalties for non-compliance are punitive and designed to be painful. You definitely don’t want to be on the receiving end of an ICO investigation or enforcement notice!
GetmeetingBooked and GDPR compliance
In addition to appointing a compliance officer to oversee our adherence to the rules, GetmeetingBooked have engaged 3rd party compliance expertise to audit and advise on best practice. This investment enables us to assure clients that GDPR best practices are strictly observed wherever possible, at all times.
GetmeetingBooked’s relationship with you
To put this in the language of GDPR and the ICO:
We are Joint Controllers. Yes – Joint Controllers. Even though, as a service provider, we are essentially working for you, it is important to recognise that we are both responsible for deciding who to target, what data to collect, how the data is processed, what messages we send them and how their data will be collected, processed, and stored. This decision is pretty fundamental to how we operate so if you have any questions let’s talk!
Just to make all our lives easier we have incorporated a comprehensive Data Sharing Agreement within GetmeetingBooked’s standard Terms of Service. This sets out how we work together as Joint Controllers and how we support each other if we ever receive a GDPR request.
IsGetmeetingBooked marketing activity compliant?
Let’s look at this carefully. GetmeetingBooked’s services are designed and offered solely to help businesses promote to other businesses. I.e. B2B marketing only. In which case PECR allows email marketing provided material is relevant and we and allow the recipient to opt-out of future emails. In this respect GetmeetingBooked is naturally compliant. Now for GDPR, GDPR always applies and actually applies to all aspects of collection, storage, and processing of data. GetmeetingBooked has been designed to be compliant and has established technical and operational systems to make sure this is the case. For example, before launching new client activity, GetmeetingBooked conducts an in-depth assessment to establish if the product or service, combined with the proposed targeting, meets the criteria for GDPR and PECR compliant business to business (B2B) marketing. A key part of this assessment is called the Legitimate Interest Assessment (LIA), we have completed a LIA for us and also a standard LIA for each of our clients. We have also created a standard Privacy Policy update for client use as needed, this includes all the relevant clauses you need plus references to GetmeetingBooked to make everything clear to the data subject – just let us know if you need a copy of any of these.
Want to know more about how Legitimate Interest applies?
If GetmeetingBooked determines that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR or if your approach would breach some other part of the regulations [including PECR] then we cannot support the activity within any regions subject to GDPR.
In the context of our Services, Legitimate Interest is the relevant lawful basis for processing as defined in GDPR. GDPR sets out a number of permissible circumstances (or categories) under which Personally Identifiable Information (PII) can be stored and processed, the most appropriate category in the case of most B2B marketing is Legitimate Interests. This link explains the Legitimate Interests basis for storing and processing PII: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/ To ensure client activity falls into this category, prior to engaging, we will carry out a full Legitimate Interests Assessment (LIA) with each new client. Essentially the LIA is a questionnaire containing a series of questions about your scenario. There are 3 areas that need to be satisfied for Legitimate Interests to be used as a basis for processing PII:
Identify a legitimate interest – The legitimate interest can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. The data processing is generally in your interests – whether it be to increase market share, increase brand awareness, or engage business leaders.
Show that the processing is necessary to achieve it – Can the same result be achieved differently? Core to the GetmeetingBooked service is the efficiency and constant drive to be the most cost-effective sales channel which we believe cannot be replicated using other methods.
Balance it against the individual’s interests, rights and freedoms – Would the individual expect their data to be used in this way? Would an individual who lists publicly their role within a company expect to be contacted about services that may help that company or their department within the company? No data processing may replace or infringe the individuals interests or cause unjustified harm
LIA Failures
If GetmeetingBooked determines that your planned B2B prospecting activity does not meet the criteria for Legitimate Interests within the scope of GDPR or if your approach would breach some other part of the regulations [including PECR] then we cannot support the activity within any regions subject to GDPR.
Rights of Individuals
Privacy Policy – All messages sent will contain a link to a privacy policy that explains to the user exactly what their rights are as well as the type of data that is held about them and by who. GetmeetingBooked will provide a template privacy policy or review your existing one to ensure it meets the required standard. A link to our Privacy Policy which is based upon this template is here: https://getmeetingbooked.com/privacy-policy/ This standard privacy link would typically be contained in the email signature of any outbound messaging, in the case of messaging as part of client campaign activity, the privacy link will be that of our client’s own privacy policy.
Opting Out & Exclusion Lists – All recipients are able to opt out easily to prevent further email communication being received. All replies to prospecting emails are logged and those prospects are added to your campaign exclusion list within 24 hours. GetmeetingBooked allows import of existing exclusion lists in advance of campaign activity. Exclusions can be submitted in the form of individual email addresses or full domains and will prevent communications being issued to those email addresses or domains listed.
Subject Access Requests – All individuals have the right to request a copy of all data you hold on them. To support this data subjects can email any SAR requests to dpo@GetmeetingBooked.com and we will return this data within 72 hours.
Right to be Forgotten – All individuals have the right to have some or all of their data removed (to be ‘forgotten’) at any time.. A conflict does arise in removing or forgetting an email address whilst at the same time keeping this address on an exclusion list to prevent future mailings. Where we have removed data, we will move the email address to a separate exclusion list, encrypted using a one-way hashing algorithm (SHA1), ensuring we are able to prevent any future messages being sent to the customer whilst continuing to honour their right to be forgotten.
PECR and sending of B2B messages
Whilst GDPR controls the storage and processing of personal data in the UK, sending messages is regulated under the Privacy and Electronic communications Regulations (PECR). This is very clear as to the requirements on business communication: “You can email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out and screen any new marketing lists against that.” https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
Client responsibility
Whilst GetmeetingBooked continues to take extensive measures to ensure best practice with respect to GDPR and PECR across all client activity, clients should take note that responsibility for compliance vests (in different forms) with each party. GetmeetingBooked cannot be abreast of the constantly evolving regulatory frameworks in all countries at all times, as such it is important that you, as the client, have knowledge of your local regulatory climate and ensure your business operates within the relevant regulatory frameworks.
In Summary:
GetmeetingBooked has worked hard to develop a compliant platform providing innovative marketing services and technology for our clients and at all times respecting the rights of the data subjects whose information we collect. Compliance is now part of what we do and ongoing due-diligence is just part of how we operate. Compliance is central to our identity as a business.